# Audit logs & activity
Cloud Digit records every action — every API call, every console click that mutates state, every authentication event — in an audit log scoped to your organization. This page explains where to find it, what each entry contains, how long it is retained, and how to ship it to an external system.
## Overview
Audit log viewer — filterable by actor, action, resource, time range.
Open from Org Settings → Audit log (org-level — covers all projects in the org), or Project Settings → Activity (project-scoped slice — same data, project filter applied).
Each entry surfaces:
| Field | What it shows |
|---|---|
| Timestamp | UTC + Asia/Dhaka, second-precision |
| Actor | User email, or service-account name, or system |
| Auth method | `password`, `saml`, `oidc`, `token`, `system` |
| Source IP | The originating client IP (post-NAT, pre-CDN) |
| API method + path | `POST /v1/compute/servers`, `PUT /v1/storage/buckets/foo`, etc. |
| Resource | The resource affected (with type + ID + name where applicable) |
| Result | success (with response code), failure (with error code + message) |
| Project | Which project the action targeted |
| Trace ID | Correlation ID for joining with other observability data |
Click a row to see the full structured event (request body, response body, before/after diffs for mutations).
## Administration
### What gets logged
| Category | Examples |
|---|---|
| Authentication | Sign-in (success / failure), MFA challenge, password reset, SSO assertion validation |
| Authorization | Role changes, project membership changes, token issuance / revocation |
| Resource mutations | Create / update / delete on every service (servers, volumes, buckets, etc.) |
| Resource reads (opt-in) | List / get on resources (off by default — high volume) |
| Billing events | Top-ups, payment-method changes, invoice generation |
| Compliance events | Sovereignty attestation generation, audit-pack downloads |
| Configuration | Org settings changes, project settings changes, quota changes |
### Retention
| Tier | Default | Configurable to |
|---|---|---|
| Hot (full text, instant search) | 30 days | up to 90 days |
| Warm (full text, search in hundreds of ms) | 90 days | up to 365 days |
| Cold (compressed, search in seconds) | 18 months | up to 84 months (7 years, NBR-aligned) |
Configurable per-org from Org Settings → Audit log → Retention. Longer retention is paid (per GiB-month at the appropriate storage class).
### Tamper resistance
The audit log is:
- Append-only at the storage layer — no edits or deletions even by Cloud Digit ops
- Hash-chained — each entry is hashed and references the previous entry's hash; tampering is detectable
- Cross-region replicated — duplicated to a second region within the org's residency zone
- Pushable to an Object Lock bucket — COMPLIANCE-mode WORM retention where the regulator prefers it
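As an added example (not Cloud Digit's own code, and not a documented chain format), the following Python verifies a hash-chained JSON Lines export offline, so an auditor can detect an edited, removed or reordered entry without trusting the viewer. It assumes each entry carries `prev_hash` and `hash`, with `hash` being SHA-256 over the entry's canonical JSON minus the `hash` field; those field names, the hashing scheme and the sample entries are all assumptions.

```python
import hashlib
import json

# Assumed export layout (the page does not specify one): one JSON object per line,
# each carrying "prev_hash" (the previous entry's hash) and "hash" (SHA-256 over the
# entry's canonical JSON with "hash" removed). GENESIS anchors the first entry.
GENESIS = "0" * 64

def entry_hash(entry):
    """SHA-256 of the sorted, compact JSON of the entry minus its own "hash"."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def verify_chain(lines):
    """Return (True, -1) if every entry's hash matches its content and its prev_hash
    matches its predecessor, else (False, i) for the first entry breaking the chain."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if entry.get("prev_hash") != prev:
            return False, i  # predecessor missing, reordered or itself altered
        if entry.get("hash") != entry_hash(entry):
            return False, i  # this entry's content changed after it was hashed
        prev = entry["hash"]
    return True, -1

def chain(events):
    """Link plain events into a hash-chained JSON Lines export (constructed data)."""
    lines, prev = [], GENESIS
    for ev in events:
        ev = dict(ev, prev_hash=prev)
        ev["hash"] = entry_hash(ev)
        lines.append(json.dumps(ev, sort_keys=True))
        prev = ev["hash"]
    return lines

def tamper(lines, index, field, value):
    """Copy of an export with one field of one entry rewritten, to exercise detection."""
    entry = dict(json.loads(lines[index]), **{field: value})
    return lines[:index] + [json.dumps(entry, sort_keys=True)] + lines[index + 1:]

SAMPLE = chain([  # constructed sample entries using the fields this page lists
    {"timestamp": "2024-05-01T08:00:00Z", "actor": "alice@example.com", "auth_method": "saml",
     "source_ip": "203.0.113.10", "action": "compute.servers.create", "result": "success"},
    {"timestamp": "2024-05-01T08:05:00Z", "actor": "bob@example.com", "auth_method": "token",
     "source_ip": "203.0.113.11", "action": "storage.buckets.delete", "result": "failure"},
    {"timestamp": "2024-05-01T08:09:00Z", "actor": "system", "auth_method": "system",
     "source_ip": "10.0.0.1", "action": "billing.invoice.generate", "result": "success"},
])
```

Dropping the first line of `SAMPLE` is reported at index 0, because the surviving entry's `prev_hash` no longer matches `GENESIS`; an in-place edit is reported at the edited entry itself.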
### Right-to-audit access
For external auditors, Org Owners can issue a time-boxed audit-only token that grants read-only access to the audit log for a specific window (typically the audit period). Issued from Org Settings → Audit log → External auditor access.
## Operation
### Filtering
Filters combine across actor / action / resource / time / IP / result. Common filters:

| Filter | Use case |
|---|---|
| `actor = alice@example.com AND time = last 24h` | Did Alice cause this issue? |
| `result = failure AND auth_method = password AND last 24h` | Brute-force attempts? |
| `action LIKE compute.servers.delete AND time = last 7d` | Who deleted servers this week? |
| `resource_id = vm_01HZ... AND time = all` | Full lifecycle of one resource |
| `source_ip NOT IN <our-VPN-CIDRs> AND last 24h` | Off-network access |

Filters are stackable; the URL captures the filter state for sharing.
### Saved queries
Bookmark a useful filter combination as a saved query. Saved queries can be shared org-wide (e.g. "weekend admin actions" — used by the security team).
### Exports
Three export modes:
- CSV — for spreadsheet analysis
- JSON — for scripted analysis
- Streaming push — to an Object Storage bucket, Cloud Digit SIEM, or an external SIEM (Splunk, Elastic, Sumo, Datadog)
Streaming push is the right pattern for production — set it up once and the audit log lands in your security pipeline in near-real-time.
#### Pushing to your own SIEM
Org Settings → Audit log → Stream destinations → + Add:
- Type — Cloud Digit Object Storage / Generic webhook / Splunk HEC / Elastic / Sumo / Datadog
- Endpoint URL + auth credentials (we issue a service-account token if pushing back to a Cloud Digit bucket)
- Filter — push everything, or only specific event types
- Format — JSON Lines (default) / CEF / LEEF / customisable Jinja2 template
The push retries with exponential backoff on transient failures; persistent failures alert the org Admins.
#### Pushing to Cloud Digit SIEM
If you've subscribed to Managed SIEM, the audit-log push is one-click — Org Settings → Audit log → Stream destinations → + Add → Cloud Digit SIEM. The SIEM ingests, indexes, and runs Sigma detections out of the box.
## Common analyses
### Compliance evidence
For an annual audit, generate an audit pack from Org Settings → Compliance → Generate evidence pack. The pack bundles:
- Audit log slice for the requested period
- Org settings snapshot
- IAM membership snapshot
- Per-control mapping (BB ICT 4.0 / ISO 27001 / PCI DSS — your choice)
- Signed manifest with cryptographic hash
The pack is downloadable as a single ZIP, or pushed to your auditor's bucket.
### Incident investigation
When something happens:
- Filter by trace ID (from your application logs) — surfaces every Cloud Digit API call in the same trace
- Filter by source IP — find related activity from the same network
- Filter by actor — full timeline of what one person/agent did
- Cross-reference with SIEM for application-side events
The trace ID is the same across audit log, Status incidents, and your support tickets.
### Off-boarding verification
After removing a user:
- Filter `actor = alice@example.com AND time > <removal-time>` — should be empty
- Filter `auth_method = token AND user = alice@example.com AND time > <removal-time>` — confirms her tokens are dead
- Filter `action LIKE iam.token.* AND resource = alice@*` — see her tokens being revoked
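The same three checks scripted over a JSON export, as an added example that is not Cloud Digit's own code: it turns the off-boarding filters into a repeatable verification that fails if anything post-removal is still attributed to the user or no revocation was recorded. It assumes JSON Lines events with the keys `timestamp`, `actor`, `user` (owner of the credential used), `auth_method`, `action` and `resource`; those key names and the sample events are constructed.

```python
import json
from datetime import datetime

# Assumed JSON Lines export fields (the page lists the columns, not the keys):
# timestamp (ISO 8601, "Z" suffix), actor, user (owner of the credential used),
# auth_method, action, resource.
USER = "alice@example.com"
REMOVAL = "2024-05-01T09:30:00Z"  # constructed: when Alice's membership was removed

def parse_ts(ts):
    """ISO 8601 UTC timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def load_export(lines):
    """One JSON object per line (the JSON export mode) -> list of event dicts."""
    return [json.loads(line) for line in lines if line.strip()]

def offboarding_findings(events, user, removal_time):
    """Apply the three filters from this page and return what each one matched."""
    cutoff = parse_ts(removal_time)
    after = [e for e in events if parse_ts(e["timestamp"]) > cutoff]
    return {
        # actor = user AND time > removal: should be empty
        "activity_after_removal": [e for e in after if e["actor"] == user],
        # auth_method = token AND user = user AND time > removal: should be empty
        "token_use_after_removal": [e for e in after
                                    if e["auth_method"] == "token" and e.get("user") == user],
        # action LIKE iam.token.* AND resource = user@*: revocations should be present
        "token_revocations": [e for e in events
                              if e["action"].startswith("iam.token.")
                              and e.get("resource", "").startswith(user)],
    }

def offboarding_clean(findings):
    """True only when nothing post-removal is attributed to the user and a revocation exists."""
    return (not findings["activity_after_removal"]
            and not findings["token_use_after_removal"]
            and bool(findings["token_revocations"]))

# Constructed sample events (not real data) describing a clean off-boarding.
SAMPLE = [
    {"timestamp": "2024-05-01T08:00:00Z", "actor": USER, "user": USER, "auth_method": "saml",
     "action": "compute.servers.create", "resource": "vm_sample_1"},
    {"timestamp": "2024-05-01T09:31:00Z", "actor": "admin@example.com", "user": "admin@example.com",
     "auth_method": "saml", "action": "iam.token.revoke", "resource": USER + "/tok_sample_1"},
    {"timestamp": "2024-05-01T10:00:00Z", "actor": "bob@example.com", "user": "bob@example.com",
     "auth_method": "token", "action": "storage.buckets.list", "resource": "bkt_sample_2"},
]
```

A token call made after removal by an automation identity that still holds Alice's token shows up only in `token_use_after_removal`, which is why the page's second filter keys on the token owner rather than the actor.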
## Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Recent action not in the log yet | Indexing lag for hot tier | Wait 30 s; if still missing, open a ticket |
| Search returning empty for a known event | Time-range filter excludes the entry | Widen the time range; switch hot/warm/cold tier |
| Stream push failing with 5xx | Destination temporarily unavailable | Cloud Digit retries with backoff; check destination logs |
| Stream push failing with 4xx | Auth credentials wrong or rotated | Update credentials at the destination config |
| CSV export truncated | Row limit hit (100k rows for CSV) | Use JSON or streaming push for high-volume exports |
| Audit pack generation slow | Long retention windows take time to assemble | Wait — typical 7-year pack is ≤ 5 minutes |
## Related
- Compliance & sovereignty
- SIEM — managed log analytics
- Cost Explorer
- Notifications — wire audit-log anomalies to alerts
- Object Lock — for WORM-retention of audit packs