
Tutorial: Reviewing the Audit Log

This tutorial walks you through navigating the audit log, filtering entries, exporting records for compliance, and using the log for real-time activity monitoring in the Keeptrusts management console.

Use this page when

  • You need to investigate who changed a configuration, revoked a key, or performed a sensitive action.
  • You are preparing evidence for a compliance audit (SOC 2, ISO 27001, EU AI Act).
  • You want to monitor real-time login activity or detect failed authentication attempts.
  • You need to export an immutable activity record for legal or regulatory purposes.

Primary audience

  • Primary: Compliance officers and security analysts conducting activity reviews or incident investigations
  • Secondary: Platform admins verifying configuration changes; auditors collecting evidence for external assessments

Prerequisites

  • A Keeptrusts account with Admin or Compliance role
  • Familiarity with your organization's compliance requirements (for export purposes)

What Is the Audit Log?

The audit log records every significant action performed in the Keeptrusts platform — console interactions, API calls, configuration changes, and authentication events. Each entry captures who did what, when, and from where.

The audit log is immutable within the platform: entries cannot be modified or deleted through the console or the API, which gives you a tamper-evident record for compliance and forensic work. Two limits apply. Immutability covers the log the platform holds, not the copies you export (protect those separately; see Best Practices), and entries are kept only for the platform's retention period, so long-term evidence depends on scheduled exports.

Step 1: Navigate to the Audit Log

  1. Log in to the Keeptrusts console.
  2. Open Audit Log from the left navigation sidebar.

The page displays a chronological table of audit entries with the most recent events at the top.

Step 2: Understand Audit Entries

Each audit log entry contains:

  • Timestamp: exact date and time of the action (UTC)
  • User: the user or API key that performed the action
  • Action: the type of action (e.g., user.login, config.updated, key.created)
  • Resource: the affected resource type and identifier
  • IP Address: the source IP of the request
  • Status: whether the action succeeded or failed
  • Details: additional context specific to the action type

Click on any entry row to expand the full detail view, which includes the complete request metadata and any changed values.

Step 3: Filter by User

To review actions by a specific user:

  1. Click the User filter dropdown.
  2. Search for or select the user's name or email.
  3. The table updates to show only entries for the selected user.

This is useful for investigating user-specific activity, onboarding verification, or access reviews.

Step 4: Filter by Action Type

To focus on specific action categories:

  1. Click the Action filter dropdown.
  2. Select one or more action types:
     • Authentication: user.login, user.logout, user.login_failed, 2fa.enrolled
     • Configuration: config.created, config.updated, config.deployed, config.deleted
     • Keys: key.created, key.rotated, key.revoked
     • Users: user.invited, user.role_changed, user.deactivated
     • Exports: export.created, export.downloaded
     • Escalations: escalation.created, escalation.resolved, escalation.assigned
     • Knowledge Base: kb.uploaded, kb.promoted, kb.bound, kb.archived
  3. The table filters to matching entries only.

Step 5: Filter by Date Range

  1. Click the Date Range picker.
  2. Select a predefined range (Last 24 hours, Last 7 days, Last 30 days) or set custom start and end dates.
  3. Click Apply.

For compliance audits, set the date range to match the exact audit period.

Step 6: Combine Filters

Filters can be combined to create precise queries. For example:

  • All failed logins this week: Action = user.login_failed + Date = Last 7 days
  • Config changes by a specific admin: User = admin@company.com + Action = config.*
  • Key operations in Q1: Action = key.* + Date = Jan 1 – Mar 31
  • Escalation activity for a compliance audit: Action = escalation.* + Date = audit period

The filter bar shows all active filters as removable chips. Click the X on any chip to remove a filter.

Step 7: Search Audit Entries

For free-text search across all audit fields:

  1. Type your query in the Search bar at the top of the audit log.
  2. The search matches against user names, action types, resource IDs, IP addresses, and detail text.
  3. Press Enter to execute the search.

Search is useful when you know a specific resource ID or IP address but are not sure which action categories to filter.

Step 8: Export Audit Entries

Export audit log data for compliance documentation or external analysis.

  1. Apply the desired filters to narrow the entries.
  2. Click the Export button in the top-right corner.
  3. Choose the export format:
     • CSV: spreadsheet review, data analysis
     • JSON: SIEM import, programmatic processing
     • PDF: human-readable compliance report
  4. Click Download.

The export includes only the entries matching your current filters. For complete audit exports, clear all filters before exporting.

Schedule regular audit log exports using the Exports page to maintain a continuous compliance evidence trail. See the Exporting Evidence tutorial for details.
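The JSON export is the form you will feed to a SIEM or check programmatically, and it is worth verifying before you file it as evidence. The script below is an added example, not Keeptrusts code: it checks an export against the filter you applied (entry count, date range, action prefix), confirms every entry carries the fields listed in Step 2 with a UTC timestamp, and computes a SHA-256 digest to record alongside the archived file. The export schema is not documented on this page, so the JSON-array layout and the snake_case keys are assumptions, and the sample export is constructed.

```python
"""Check a Keeptrusts audit-log JSON export before filing it as evidence.

Added example, not Keeptrusts code. Assumptions (the export schema is not
documented on the page): the file is a JSON array of objects whose keys are
snake_case versions of the console columns (timestamp, user, action, resource,
ip_address, status, details) and whose timestamps are ISO 8601 in UTC.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

REQUIRED_KEYS = {"timestamp", "user", "action", "resource",
                 "ip_address", "status", "details"}

# Constructed sample export: what a one-day range filtered to config.* might yield.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-03-04T09:12:07Z", "user": "admin@company.com",
     "action": "config.updated", "resource": "config/prod-gateway",
     "ip_address": "203.0.113.10", "status": "success",
     "details": {"changed": ["rate_limit"]}},
    {"timestamp": "2024-03-04T09:15:42Z", "user": "admin@company.com",
     "action": "config.deployed", "resource": "config/prod-gateway",
     "ip_address": "203.0.113.10", "status": "success", "details": {}},
    {"timestamp": "2024-03-04T17:01:00Z", "user": "key:kt_ci_deploy",
     "action": "config.deployed", "resource": "config/staging-gateway",
     "ip_address": "198.51.100.7", "status": "failed",
     "details": {"error": "schema validation"}},
], indent=1)

# The one-day window the sample export was filtered to (UTC, inclusive).
DAY_START = datetime(2024, 3, 4, tzinfo=timezone.utc)
DAY_END = DAY_START + timedelta(days=1) - timedelta(microseconds=1)


def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept the 'Z' suffix on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_export(raw, expected_count, start, end, action_prefix=""):
    """Return a list of problems; an empty list means the export matches the filter."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        return ["export is not a JSON array"]
    problems = []
    if len(entries) != expected_count:
        problems.append(f"expected {expected_count} entries, found {len(entries)}")
    for i, entry in enumerate(entries):
        missing = REQUIRED_KEYS - set(entry)
        if missing:
            problems.append(f"entry {i}: missing fields {sorted(missing)}")
            continue
        ts = parse_ts(entry["timestamp"])
        if ts.utcoffset() != timedelta(0):
            # Naive or non-UTC timestamps break cross-source correlation.
            problems.append(f"entry {i}: timestamp is not UTC")
            continue
        if not start <= ts <= end:
            problems.append(f"entry {i}: {entry['timestamp']} outside the filtered range")
        if not entry["action"].startswith(action_prefix):
            problems.append(f"entry {i}: action {entry['action']} does not match filter")
    return problems


def export_digest(raw):
    """SHA-256 of the exact bytes you archive; store it with the file to detect later tampering."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    issues = validate_export(SAMPLE_EXPORT, 3, DAY_START, DAY_END, "config.")
    print("problems:", issues or "none")
    print("sha256:", export_digest(SAMPLE_EXPORT))
```

Run it against a real download by reading the file into `raw` instead of `SAMPLE_EXPORT` and passing the entry count the console reported for the same filter; a non-empty problem list means the file does not reflect the filter you think it does, so do not file it yet.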

Step 9: Real-Time Activity Monitoring

The audit log supports real-time monitoring for security operations:

  1. Toggle Live Mode at the top of the audit log page.
  2. New entries appear at the top of the table as they occur, without requiring a page refresh.
  3. Combine Live Mode with filters to monitor specific activity in real time (e.g., all user.login_failed events).

Live Mode is useful during:

  • Active incident investigation
  • Deployment verification (watching for config.deployed events)
  • Security monitoring shifts

Live Mode increases network traffic. Disable it when not actively monitoring to reduce bandwidth usage.

Step 10: Investigate Incidents

When investigating a security incident, use the audit log to reconstruct the timeline:

  1. Identify the approximate time window of the incident.
  2. Set the date range to cover that window with a buffer (e.g., 1 hour before to 1 hour after).
  3. Filter by the affected resource or suspected user.
  4. Review entries chronologically to understand the sequence of actions.
  5. Click on individual entries to examine full request details, including IP addresses and user agents.
  6. Export the filtered entries as evidence for your incident report.
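To make the Step 6 and Step 10 workflows concrete on exported data, the following is an added example (not Keeptrusts code). It pads a suspected incident window with a buffer, applies the same combined filters (user, resource, action pattern, date range) to audit entries, orders the result oldest-first for reading, and implements the "user.login_failed spike" check suggested under Best Practices. It assumes the same snake_case JSON keys as the export example; the action wildcards (key.*, config.*) are matched with fnmatch, which is an assumption about how the console interprets them. The entries are constructed, listed newest-first as the console shows them.

```python
"""Reconstruct an incident timeline from audit entries and flag login-failure bursts.

Added example, not Keeptrusts code. Assumptions: entries use snake_case keys
matching the console columns, timestamps are ISO 8601 UTC, and the console's
action wildcards (key.*, config.*) behave like shell-style fnmatch patterns.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _entry(ts, user, action, resource, ip, status):
    return {"timestamp": ts, "user": user, "action": action, "resource": resource,
            "ip_address": ip, "status": status, "details": {}}


# Constructed sample, newest first: four failed logins, a success, a new key, a config change.
SAMPLE_ENTRIES = [
    _entry("2024-03-04T12:15:00Z", "admin@company.com", "user.login", "user/admin", "203.0.113.10", "success"),
    _entry("2024-03-04T10:33:05Z", "j.doe@company.com", "config.updated", "config/prod-gateway", "198.51.100.23", "success"),
    _entry("2024-03-04T10:31:40Z", "j.doe@company.com", "key.created", "key/kt_9f2a", "198.51.100.23", "success"),
    _entry("2024-03-04T10:00:12Z", "j.doe@company.com", "user.login", "user/j.doe", "198.51.100.23", "success"),
    _entry("2024-03-04T09:59:05Z", "j.doe@company.com", "user.login_failed", "user/j.doe", "198.51.100.23", "failed"),
    _entry("2024-03-04T09:58:44Z", "j.doe@company.com", "user.login_failed", "user/j.doe", "198.51.100.23", "failed"),
    _entry("2024-03-04T09:58:20Z", "j.doe@company.com", "user.login_failed", "user/j.doe", "198.51.100.23", "failed"),
    _entry("2024-03-04T09:58:01Z", "j.doe@company.com", "user.login_failed", "user/j.doe", "198.51.100.23", "failed"),
    _entry("2024-03-04T08:00:00Z", "admin@company.com", "user.login", "user/admin", "203.0.113.10", "success"),
]


def incident_window(first_seen, last_seen, buffer=timedelta(hours=1)):
    """Step 10: pad the suspected window on both sides to keep precursors and follow-ups."""
    return first_seen - buffer, last_seen + buffer


def reconstruct_timeline(entries, start, end, user=None, resource=None, action="*"):
    """Apply combined filters (Step 6) and return matching entries oldest-first."""
    selected = []
    for e in entries:
        ts = parse_ts(e["timestamp"])
        if not start <= ts <= end:
            continue
        if user is not None and e["user"] != user:
            continue
        if resource is not None and e["resource"] != resource:
            continue
        if not fnmatchcase(e["action"], action):
            continue
        selected.append(e)
    return sorted(selected, key=lambda e: parse_ts(e["timestamp"]))


def failed_login_spikes(entries, threshold=3, period=timedelta(minutes=2), group_by="ip_address"):
    """Flag any source (IP by default, or user) with >= threshold failures inside one period."""
    failures = defaultdict(list)
    for e in entries:
        if e["action"] == "user.login_failed":
            failures[e[group_by]].append(parse_ts(e["timestamp"]))
    alerts = []
    for key, times in failures.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= period)
            if count >= threshold:
                alerts.append((key, t0.strftime("%Y-%m-%dT%H:%M:%SZ"), count))
                break  # one alert per source is enough for triage
    return alerts


# Suspected window: from the key creation to the config change it was used for.
INCIDENT_START, INCIDENT_END = incident_window(parse_ts("2024-03-04T10:31:40Z"),
                                               parse_ts("2024-03-04T10:33:05Z"))

if __name__ == "__main__":
    for e in reconstruct_timeline(SAMPLE_ENTRIES, INCIDENT_START, INCIDENT_END, user="j.doe@company.com"):
        print(e["timestamp"], e["action"], e["resource"], e["ip_address"], e["status"])
    print(failed_login_spikes(SAMPLE_ENTRIES))
```

Reading the ordered output top to bottom gives the who/what/when sequence the incident report needs: the burst of failures, the successful login from the same address, then the key creation and the configuration change. The spike function is the same logic you would express as a notification rule, with the threshold and period tuned to your own baseline of failed logins.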

Best Practices

  • Review weekly — Schedule a weekly review of authentication failures and configuration changes.
  • Export monthly — Generate monthly audit exports for compliance record-keeping.
  • Set up alerts — Configure notification rules for critical audit events like user.login_failed spikes.
  • Correlate with webhooks — Cross-reference audit entries with webhook delivery logs for full traceability.
  • Retain exports — Store exported audit data in a tamper-proof archive (e.g., an S3 bucket with Object Lock/WORM enabled) and record a cryptographic hash of each file at export time; the platform's immutability guarantee covers the log it holds, not the copies you download.

Next steps

For AI systems

  • Canonical terms: Keeptrusts console, Audit Log page, Live Mode, audit entry, action types (user.login, config.updated, key.created, escalation.resolved), date range filter, export (CSV/JSON/PDF).
  • Related features: notification channels, export evidence, security settings, webhook delivery logs.
  • Best next pages: Export Evidence, Security Settings, Notification Channels.

For engineers

  • Validation: After performing a configuration change, verify the action appears in the audit log within seconds with the correct user, action type, and resource ID.
  • Live Mode: Enable Live Mode during deployments to confirm config.deployed entries appear in real time.
  • Export test: Filter to a one-day range, export as JSON, and confirm the file contains the expected entry count and schema.
  • Troubleshooting: If an expected entry is missing, first clear all filters and widen the date range (timestamps are UTC, so a local-time window can exclude entries near midnight). Then confirm the user's session was active and that the action was performed through the console or API; direct database changes are not audited.

For leaders

  • Compliance: The audit log is immutable within the platform (entries cannot be modified or deleted through the console or API). This provides evidence toward SOC 2 CC6.1 and ISO 27001 A.12.4 (2013 Annex numbering; logging is A.8.15 in the 2022 revision), but auditors also expect regular review and protected retention of the log, which the Best Practices above cover.
  • Incident response: Use combined filters to reconstruct incident timelines with exact who/what/when attribution.
  • Retention: Schedule monthly exports to a WORM-enabled archive for long-term regulatory record-keeping beyond platform retention limits.