> For the complete documentation index, see [llms.txt](https://docs.aohwv.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.aohwv.dev/administration/audit-logs.md).
# Audit Logs
Audit logs record all administrative actions in CloudSync, providing a complete trail for compliance, troubleshooting, and security purposes.
***
## Overview
Audit logs capture:
* Who did what
* When they did it
* What changed
* Whether it succeeded
This information is essential for security reviews, compliance audits, and investigating issues.
***
## Who This Is For
* **Administrators** reviewing system changes
* **Compliance teams** gathering audit evidence
* **Security teams** investigating incidents
* **Operators** understanding configuration history
***
## Prerequisites
* ✅ **Administrator role** — Required to access audit logs
* ✅ Operators and Viewers cannot access audit logs
***
## Accessing Audit Logs
{% stepper %}
{% step %}
#### Access audit log viewer
* Log in to CloudSync with Administrator role
* Go to **Settings** → **Audit Log**
* The audit log viewer opens
{% endstep %}
{% endstepper %}
***
## Understanding Audit Log Entries
Each log entry contains:
```
┌─────────────────────────────────────────────────────────────┐
│ 2026-01-08 10:15:32 │
├─────────────────────────────────────────────────────────────┤
│ │
│ Action: SCHEDULE_CREATED │
│ Actor: jane.admin@company.com │
│ IP Address: 10.0.1.100 │
│ Resource: Schedule "Daily Sync" │
│ Status: ✓ Success │
│ │
│ Details: │
│ Type: Incremental │
│ Cron: 0 6 * * * │
│ Source: Workday HR │
│ │
└─────────────────────────────────────────────────────────────┘
```
### Entry Fields
| Field | Description |
| -------------- | ------------------------------------------- |
| **Timestamp** | When the action occurred (in your timezone) |
| **Action** | What was done (see Action Types below) |
| **Actor** | Who performed the action (email) |
| **IP Address** | Where the action originated |
| **Resource** | What was affected |
| **Status** | Success or failure |
| **Details** | Additional context |
***
## Action Types
### Configuration Changes
| Action | Description |
| -------------------- | -------------------------------- |
| `CONNECTION_CREATED` | New HR or Graph connection added |
| `CONNECTION_UPDATED` | Connection settings modified |
| `CONNECTION_DELETED` | Connection removed |
| `MAPPING_CREATED` | New field mapping added |
| `MAPPING_UPDATED` | Field mapping modified |
| `MAPPING_DELETED` | Field mapping removed |
| `SCHEDULE_CREATED` | New sync schedule created |
| `SCHEDULE_UPDATED` | Schedule settings modified |
| `SCHEDULE_DELETED` | Schedule removed |
| `SCHEDULE_PAUSED` | Schedule paused |
| `SCHEDULE_RESUMED` | Schedule resumed |
| `SETTINGS_UPDATED` | System settings changed |
### User Management
| Action | Description |
| --------------------- | ------------------------------ |
| `USER_ACCESS_GRANTED` | CloudSync access given to user |
| `USER_ACCESS_REVOKED` | CloudSync access removed |
| `USER_ROLE_CHANGED` | User's role modified |
| `USER_EXCLUDED` | Synced user excluded from sync |
| `USER_INCLUDED` | Excluded user re-included |
### Sync Operations
| Action | Description |
| ----------------------- | ---------------------- |
| `SYNC_MANUAL_TRIGGERED` | Manual sync started |
| `SYNC_CANCELLED` | Running sync cancelled |
| `SCOPE_UPDATED` | Sync scope changed |
### Security Events
| Action | Description |
| ----------------- | ----------------------------- |
| `LOGIN_SUCCESS` | User logged in |
| `LOGIN_FAILURE` | Failed login attempt |
| `SESSION_EXPIRED` | Session timed out |
| `IP_BLOCKED` | Access denied from blocked IP |
***
## Filtering Audit Logs
{% stepper %}
{% step %}
#### By Date Range
* Click the **Date Range** picker
* Select start and end dates
* Logs filter automatically
{% endstep %}
{% step %}
#### By Action Type
* Click the **Action** dropdown
* Select action types to include
* Multiple selections allowed
{% endstep %}
{% step %}
#### By Actor
* Click the **Actor** field
* Type email to search
* Select the user
{% endstep %}
{% step %}
#### By Status
* Click **Status** dropdown
* Choose:
* ✅ Success
* ❌ Failure
* All
{% endstep %}
{% endstepper %}
***
## Searching Audit Logs
Use the search bar for free-text search:
* Search by email: `jane.admin@company.com`
* Search by resource: `Daily Sync`
* Search by action: `CREATED`
Searches match across all fields.
***
## Exporting Audit Logs
For compliance and archival:
{% stepper %}
{% step %}
#### Apply filters
Set date range and any other filters for the data you need.
{% endstep %}
{% step %}
#### Click Export
* Click **Export** (top right)
* Choose format:
* **CSV** — For spreadsheet analysis
* **PDF** — For formal documentation
* **JSON** — For system integration
{% endstep %}
{% step %}
#### Download
File downloads with all filtered entries.
{% endstep %}
{% endstepper %}
### Compliance-Ready Export
For audit requests, include:
1. Full date range of audit period
2. All action types (don't filter)
3. PDF format with timestamps
4. Save with audit request reference
***
## What You Should See
### Normal Activity
* Regular login patterns
* Scheduled configuration changes
* Occasional manual sync triggers
### Investigate Further
* Multiple login failures
* Changes outside business hours
* Unexpected configuration changes
* Access from unknown IPs
### Security Concerns
* `LOGIN_FAILURE` followed by `LOGIN_SUCCESS` (potential brute force)
* `SETTINGS_UPDATED` by unknown actor
* Access from unusual IP ranges
***
## Common Tasks
{% stepper %}
{% step %}
#### Review Recent Changes
* Set date range to last 7 days
* Filter by configuration actions (`*_CREATED`, `*_UPDATED`, `*_DELETED`)
* Review who made what changes
{% endstep %}
{% step %}
#### Investigate a Sync Issue
* Set date range to when issue occurred
* Filter by `SYNC_*` actions
* Check for manual triggers or cancellations
* Look for `SCHEDULE_*` changes
{% endstep %}
{% step %}
#### Prepare for Audit
* Set date range for audit period
* Remove all filters (include everything)
* Export as PDF
* Include summary cover page
{% endstep %}
{% step %}
#### Track Access Changes
* Filter by `USER_ACCESS_*` and `USER_ROLE_*`
* Review all access grants and revokes
* Verify changes were authorized
{% endstep %}
{% endstepper %}
***
## Troubleshooting
"No logs found"
| Cause | Solution |
| ----------------------- | --------------------------- |
| Date range too narrow | Expand the range |
| Filters too restrictive | Remove filters |
| No activity in period | Expected if no changes made |
Can't find specific event
| Try | How |
| ------------------ | --------------------------------------------- |
| Search by email | Type the actor's email |
| Broaden date range | Activity may be outside expected time |
| Check action type | Event may be logged differently than expected |
Export fails
| Cause | Solution |
| ------------- | -------------------- |
| Too much data | Reduce date range |
| Timeout | Try smaller chunks |
| Format issue | Try different format |
***
## Audit Log Retention
Logs are retained based on your configuration:
| Setting | Default | Configurable |
| ---------- | ------- | ------------ |
| Standard | 90 days | Yes |
| Compliance | 1 year | Yes |
| Custom | Varies | Yes |
After retention period, logs are automatically deleted.
To change retention:
1. Go to **Settings** → **System**
2. Adjust **Audit Log Retention**
3. Click **Save**
***
## Next Steps
* [Settings](/administration/settings.md) — Configure audit retention
* [User Management](/administration/users.md) — Manage access
* [Roles and Permissions](broken://pages/Of80BY1YKe7rHee20jAe) — Understand access levels
***
## Related Topics
* [Compliance Report](/features/reports.md) — Generate compliance reports
* [Security](/administration/settings.md#security) — Security settings
* Getting Support — Help with audits
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.aohwv.dev/administration/audit-logs.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.