Audit Logs
Audit logs record every change made to the Zerq platform configuration — who created, modified, or deleted a collection, proxy, client, policy, or credential, and when. Unlike request logs (which record API traffic), audit logs record administrative actions.
Who can see audit logs?
Audit logs are visible only to users with the Auditor role. This allows compliance teams to review platform changes without having admin privileges to modify the platform.
To access audit logs:
- Sign in to the management UI with an account that has the Auditor role
- Click Audit Logs in the sidebar
What's recorded
Every audit log entry includes:
| Field | Description |
|---|---|
| Timestamp | When the action occurred |
| Actor ID | Who performed the action (user ID from OIDC token) |
| Actor type | user, service, or system |
| Action | CREATE, UPDATE, DELETE, or READ |
| Resource type | What was affected (collection, proxy, client, policy, credential, etc.) |
| Resource ID | The ID of the specific resource |
| HTTP Method | The HTTP method of the management API call |
| URL | The management API URL called |
| IP address | Source IP of the request |
| User agent | Browser or tool that made the request |
| Request ID | For correlating with other systems |
| Request body | The data that was submitted (create/update payloads) |
| Response status | HTTP status of the management API response |
| Response body | The response returned |
Searching and filtering
Use the search bar and filters to find specific events:
| Filter | Example |
|---|---|
| Search | Full-text search across all fields |
| Actor ID | Find all actions by a specific user |
| Actor type | Filter to user or service actions |
| Action type | Show only CREATE, UPDATE, or DELETE events |
| Resource type | Show only changes to collection, proxy, client, etc. |
| IP address | Find actions from a specific IP |
| Request ID | Trace a specific management request |
| URL pattern | Filter by management API endpoint |
| HTTP status | Find failed management operations |
| Date range | Filter to a specific time period |
Audit log detail view
Click any audit log entry to see the full detail:
- Complete request body (what was submitted)
- Complete response body (what was returned)
- Full URL with query parameters
- User agent string (browser version, API client, etc.)
Use cases
Compliance review
"Who changed the rate limit policy between Jan 1 and Jan 31?"
- Filter by Resource type = policy
- Filter by Action = UPDATE
- Set date range to January
- Export or screenshot for the compliance report
Security investigation
"Did anyone create unauthorized credentials recently?"
- Filter by Resource type = credential
- Filter by Action = CREATE
- Review actor IDs and IP addresses
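The same triage can be run over exported entries. The following is an added example, not Zerq's own code: it keeps credential CREATE events from the last seven days and flags those from an unapproved actor or an untrusted source IP. The JSON key names, actor IDs, CIDR range, and sample records are constructed assumptions, since this page does not document the export schema.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export. Key names are assumptions modelled on the field
# table above, not a documented Zerq schema.
SAMPLE_EXPORT = """[
 {"request_id":"req-0001","timestamp":"2024-03-10T09:15:00+00:00","actor_id":"u-alice","action":"CREATE","resource_type":"credential","ip_address":"10.0.4.12","response_status":201},
 {"request_id":"req-0002","timestamp":"2024-03-11T02:40:00+00:00","actor_id":"svc-deploy","action":"CREATE","resource_type":"credential","ip_address":"203.0.113.50","response_status":201},
 {"request_id":"req-0003","timestamp":"2024-03-11T03:05:00+00:00","actor_id":"u-mallory","action":"CREATE","resource_type":"credential","ip_address":"10.0.4.77","response_status":403},
 {"request_id":"req-0004","timestamp":"2024-03-11T08:00:00+00:00","actor_id":"u-alice","action":"UPDATE","resource_type":"policy","ip_address":"10.0.4.12","response_status":200},
 {"request_id":"req-0005","timestamp":"2024-02-01T12:00:00+00:00","actor_id":"u-mallory","action":"CREATE","resource_type":"credential","ip_address":"198.51.100.7","response_status":201}
]"""


def review_credential_creates(entries, approved_actors, trusted_nets, now, days=7):
    """Return credential CREATE events from the last `days` that need review."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    cutoff = now - timedelta(days=days)
    findings = []
    for e in entries:
        if (e["resource_type"], e["action"]) != ("credential", "CREATE"):
            continue
        if not cutoff <= datetime.fromisoformat(e["timestamp"]) <= now:
            continue
        reasons = []
        if e["actor_id"] not in approved_actors:
            reasons.append("actor not approved")
        ip = ipaddress.ip_address(e["ip_address"])
        if not any(ip in net for net in nets):
            reasons.append("ip outside trusted ranges")
        if reasons:
            # Keep failed attempts too: a 403 from an unapproved actor is a lead.
            findings.append({"request_id": e["request_id"], "actor_id": e["actor_id"],
                             "ip_address": e["ip_address"], "reasons": reasons,
                             "succeeded": e["response_status"] < 400})
    return findings


if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)  # fixed "now" for the sample
    for f in review_credential_creates(json.loads(SAMPLE_EXPORT),
                                       {"u-alice", "svc-deploy"}, ["10.0.0.0/8"], now):
        print(f)
```

Each finding carries the Request ID, so it can be opened in the detail view or correlated with other systems.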
Change rollback
"What was the collection configuration before it was changed?"
- Find the UPDATE event for the collection
- Open the detail view
- The Request body shows what it was changed to
- The previous state can be inferred from the event before this one
Access separation
In regulated environments, the Auditor role allows compliance teams to view all changes without the ability to modify the platform. This enforces separation of duties — the people who review changes cannot make changes.
Audit log retention
Set the audit log retention period to meet your regulatory requirements. Many financial and healthcare regulations require 5-7 years of audit log retention.
Integration with SIEM
Export audit logs to a Security Information and Event Management (SIEM) system by querying the audit log API endpoint programmatically. Structured JSON format makes it compatible with Splunk, Elastic SIEM, Microsoft Sentinel, and others.
Related docs
- Request Logs — per-request traffic logs with body and latency
- Dashboard — real-time metrics and trend charts
- Audit and Compliance — using logs for compliance workflows