The Audit Log provides a comprehensive, immutable record of every action taken within your Altostrat SDX workspace. It is your single source of truth for answering the critical questions of “who, what, when, and where” for all platform activity. Every event, from a user logging in and creating a policy to a system-automated scan completion, is captured from our microservices and recorded in a centralized, searchable log. This makes the Audit Log an essential tool for security investigations, compliance reporting, and operational troubleshooting.

Anatomy of an Audit Log Event

Each event in the log is a detailed JSON object containing rich contextual information. Here are some of the key fields:

Actor (Who)

The user_id, name, and email fields identify the user who performed the action. For system-initiated events, these fields may be null.

Action (What)

The method and endpoint fields show the specific API operation that was performed (e.g., DELETE /api/v1/sites/{siteId}).

Timestamp (When)

The event_time field provides a precise, UTC timestamp for when the event occurred.

Context (Where)

The ip_address and user_agent fields show the origin of the request, providing valuable context for security analysis.

Using the Audit Log

The power of the Audit Log lies in its advanced filtering capabilities. You can quickly narrow down thousands of events to find exactly what you’re looking for.

Accessing and Filtering Logs

  1. In the SDX dashboard, navigate to Account → Audit Logs.
  2. You will see a reverse chronological list of the most recent events.
  3. Use the filter controls at the top of the page to search for specific events. You can combine multiple filters to refine your search.

Common Investigation Scenarios

Who deleted a site?

  1. Filter by Endpoint and enter the path, e.g., /api/v1/sites.
  2. Filter by HTTP Verb and select DELETE.
  3. Set the Date Range to narrow down the timeframe. The resulting log entry will show the user who performed the action, together with the source ip_address and user_agent.

What has a specific user changed in the last 24 hours?

  1. Filter by User and select the user’s name or enter their ID.
  2. Set the Date Range to cover the last 24 hours.
  3. Exclude read-only actions by filtering HTTP Verb and entering !GET. This will show all state-changing actions performed by that user.

Are there logins from unexpected locations?

  1. Filter by Endpoint and enter your login endpoint (e.g., /login/callback).
  2. Scan the ip_address column for any addresses that are not from your known corporate or remote locations.
  3. You can also filter by a specific IP Address to see all actions originating from it.
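
The same three questions can be answered offline against an exported log. The script below is an added example, not Altostrat's code or part of this page: it assumes the export is NDJSON (one JSON object per line) with the fields described under Anatomy of an Audit Log Event, and the user IDs, endpoint paths, timestamps and IP ranges in it are constructed sample data.

```python
"""Apply the three investigation scenarios above to an NDJSON audit log export.

Added example, not Altostrat's own code. The event shape uses the fields this
page documents (user_id, name, email, method, endpoint, event_time, ip_address,
user_agent); every event, ID, path and IP range below is constructed.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed directory of users so the sample events are short to write.
USERS = {"u-1": ("Alice", "alice@example.com"), "u-2": ("Bob", "bob@example.com")}


def _ev(uid, method, endpoint, when, ip, ua="Mozilla/5.0"):
    """Build one event dict; uid=None produces a system-initiated event (null actor)."""
    name, email = USERS.get(uid, (None, None))
    return {"user_id": uid, "name": name, "email": email, "method": method,
            "endpoint": endpoint, "event_time": when, "ip_address": ip, "user_agent": ua}


# Constructed export, oldest first (not real SDX output).
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _ev("u-1", "PATCH", "/api/v1/sites/site-42", "2024-04-29T10:00:00Z", "203.0.113.10"),
    _ev("u-1", "POST", "/api/v1/policies", "2024-05-01T08:00:00Z", "203.0.113.10"),
    _ev("u-1", "GET", "/api/v1/sites", "2024-05-01T08:05:00Z", "203.0.113.10"),
    _ev("u-2", "DELETE", "/api/v1/sites/site-42", "2024-05-01T09:30:00Z", "203.0.113.11"),
    _ev(None, "POST", "/api/v1/scans/scan-7/complete", "2024-05-01T10:00:00Z", None, None),
    _ev("u-2", "GET", "/login/callback", "2024-05-01T11:00:00Z", "198.51.100.7", "curl/8.4.0"),
    _ev("u-1", "GET", "/login/callback", "2024-05-01T11:01:00Z", "203.0.113.10"),
])

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def parse_events(ndjson):
    """Parse an NDJSON export; event_time becomes a timezone-aware UTC datetime."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # event_time is UTC with a "Z" suffix; fromisoformat wants "+00:00" on older Pythons.
        ev["event_time"] = datetime.fromisoformat(ev["event_time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def actor(ev):
    """Readable actor string; system-initiated events carry null user fields."""
    if ev.get("user_id") is None:
        return "system"
    return f'{ev["name"]} <{ev["email"]}> ({ev["user_id"]})'


def who_deleted(events, endpoint_prefix="/api/v1/sites"):
    """Scenario 1: DELETE calls under an endpoint prefix, newest first."""
    hits = [e for e in events
            if e["method"] == "DELETE" and e["endpoint"].startswith(endpoint_prefix)]
    return sorted(hits, key=lambda e: e["event_time"], reverse=True)


def state_changes_by_user(events, user_id, now, window=timedelta(hours=24)):
    """Scenario 2: every non-GET call by one user inside the window (the !GET filter)."""
    since = now - window
    return [e for e in events
            if e["user_id"] == user_id and e["method"] != "GET" and e["event_time"] >= since]


def logins_from_unknown_ips(events, known_networks, login_endpoint="/login/callback"):
    """Scenario 3: login-endpoint events whose source IP is outside the allow-listed CIDRs.

    A login event with no ip_address at all is also reported, since it cannot be vouched for.
    """
    nets = [ipaddress.ip_network(n) for n in known_networks]
    unknown = []
    for e in events:
        if e["endpoint"] != login_endpoint:
            continue
        raw = e.get("ip_address")
        if raw is None or not any(ipaddress.ip_address(raw) in n for n in nets):
            unknown.append(e)
    return unknown


if __name__ == "__main__":
    evs = parse_events(SAMPLE_NDJSON)
    for e in who_deleted(evs):
        print("DELETE", e["endpoint"], "by", actor(e), "from", e["ip_address"], "at", e["event_time"])
    for e in state_changes_by_user(evs, "u-1", REFERENCE_NOW):
        print("u-1 changed:", e["method"], e["endpoint"], "at", e["event_time"])
    for e in logins_from_unknown_ips(evs, ["203.0.113.0/24"]):
        print("login from unknown IP", e["ip_address"], "by", actor(e), "ua:", e["user_agent"])
```

The sample run flags Bob's deletion of site-42, Alice's single state-changing call inside the 24-hour window (her older PATCH and her GETs fall out), and Bob's login from 198.51.100.7, which is outside the constructed corporate range. The same predicates are the natural starting point for scheduled alerts once the log is in a SIEM.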

All audit log data is retained for 90 days and can be exported programmatically via the API for long-term archival in your own security information and event management (SIEM) system. Because events older than 90 days are no longer available in the platform, schedule exports well inside that window so that nothing ages out before it reaches your SIEM.

Best Practices

Regular Reviews

Incorporate a periodic review of your audit logs into your security routine. Look for unusual activity, failed login attempts, or unexpected changes to critical policies.

Integrate with Your SIEM

For advanced security operations, use our API to stream audit logs into your SIEM (e.g., Splunk, Datadog). This allows for automated alerting and correlation with other security data.

Use for Troubleshooting

If a site is misbehaving, the audit log is an excellent first place to look. You can filter by the site_id to see if any recent configuration changes coincide with the start of the issue.