Audit Log
Every action logged.
Nothing altered.
Every event in Flowtriq (incident opened, PCAP downloaded, node added, API key rotated, maintenance window started) is recorded immutably with timestamp, actor, source IP, and full context. A complete compliance trail for SOC 2 audits and incident reviews.
Sample Log
Everything that happens, recorded
| Timestamp (UTC) | Event | Actor | Node / Resource | IP |
|---|---|---|---|---|
| 2026-03-09 09:44:19 | Incident Opened | system | nyc-edge-01 · a3f7c2b1 | |
| 2026-03-09 09:44:22 | PCAP Started | system | nyc-edge-01 · a3f7c2b1 | |
| 2026-03-09 09:48:03 | Incident Resolved | system | nyc-edge-01 · a3f7c2b1 | |
| 2026-03-09 09:52:14 | PCAP Downloaded | [email protected] | nyc-edge-01 · a3f7c2b1 | 203.0.113.42 |
| 2026-03-09 14:04:01 | Maintenance Start | deploy-bot | fra-core-01 | 10.0.1.5 |
| 2026-03-09 14:30:00 | Maintenance End | system (auto) | fra-core-01 | |
| 2026-03-09 16:30:00 | API Key Rotated | [email protected] | fra-core-01 | 198.51.100.7 |
| 2026-03-09 17:12:44 | Node Added | [email protected] | sgp-edge-04 | 203.0.113.42 |
What Gets Logged
Every category of action, captured
The audit log covers all action categories across the Flowtriq platform. Security-relevant events (key rotations, access, downloads) include the source IP. System-generated events (detections, resolutions, automatic maintenance-window closes) are tagged with actor "system" and carry no source IP, which distinguishes them from human and bot-driven actions.
Incidents
Opened, acknowledged, resolved, manually closed. Includes detection timestamp, UUID, and peak metrics.
PCAP Access
Every capture started, upload completed, and download generated, with actor, IP, and file hash.
Node Management
Node added, renamed, removed, configuration changed, interface changed.
Keys & Auth
API key created, rotated, revoked. User login, logout, failed login attempts.
Maintenance Windows
Window created, started, ended (manually or automatically), cancelled.
Configuration
Alert channels added/removed, thresholds changed, IOC patterns added.
Export & Query
Queryable via API. Exportable as JSON or CSV.
The audit log supports filtering by actor, event type, node, and time range. Export full log archives for SIEM ingestion or compliance reporting directly from the Audit Log dashboard page. Enterprise customers can configure automatic nightly exports to an S3-compatible bucket.
Example: the log filtered to event type `pcap.download` (source IPs truncated as the dashboard displays them):

| Timestamp (UTC) | Event | Actor | IP |
|---|---|---|---|
| 2026-03-09 09:52:14 | pcap.download | alice@acme | 203.0.… |
| 2026-03-07 14:11:03 | pcap.download | bob@acme | 198.51.… |
| 2026-03-04 22:38:50 | pcap.download | alice@acme | 203.0.… |
FAQ
Common questions about the audit log
Can audit log entries be deleted or modified?
No. Audit log entries are write-once and immutable. There is no API endpoint, Console action, or internal tool that allows modification or deletion of log entries. Even Flowtriq engineers cannot alter your audit trail. This is the foundation of the compliance guarantee.
How long are audit log entries retained?
Audit log entries are retained for 90 days on the Per Node plan. Enterprise customers can configure retention up to 1 year. Automatic export to your own storage (S3-compatible) allows indefinite archival under your own retention policy; the exported copies are outside Flowtriq's write-once guarantee, so apply equivalent protection to the bucket (for example, S3 Object Lock or a write-only ingest role) if the archive is to serve as audit evidence.
Can I use the audit log for SOC 2 compliance?
Yes. The audit log is designed to satisfy SOC 2 Type II requirements for access control, change management, and security event logging. The log captures who accessed PCAP data, when, and from which IP, which maps directly to the SOC 2 CC6 (logical and physical access) criteria; configuration and key-rotation events support CC8 (change management), and failed-access logging supports CC7 (system operations and monitoring). Flowtriq can provide a log export in the format required by your auditor.
Does the audit log capture failed access attempts?
Yes. Failed login attempts, requests with invalid API keys, and attempts to access resources in other workspaces are all logged with the source IP, timestamp, and attempted action. These entries are valuable for detecting credential stuffing and unauthorized access attempts.
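The export described under "Export & Query" and the failed-access entries described above are what a SIEM or a scheduled job would consume. The following Python is an added example, not Flowtriq's code or API: it assumes the JSON export is one object per line carrying the fields shown on this page (timestamp, event, actor, resource, ip), uses constructed dotted event names (`auth.login`, `auth.login_failed`, `pcap.download`), and runs two detections over a constructed sample: a sliding-window count of failed logins per source IP (many distinct actors from one IP is the credential-stuffing signature) and a correlation that flags a successful login from a bursting IP shortly afterwards.

```python
"""Detection pass over a Flowtriq audit-log export.

Added example; not Flowtriq's own code or API. Assumes the JSON export is
one object per line with the fields shown on the page (timestamp, event,
actor, resource, ip). The dotted event names and every record in
SAMPLE_EXPORT are constructed for illustration.
"""
import json
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample export (JSON Lines). System events carry no source IP.
SAMPLE_EXPORT = """\
{"timestamp": "2026-03-09T09:44:19Z", "event": "incident.opened", "actor": "system", "resource": "nyc-edge-01", "ip": null}
{"timestamp": "2026-03-09T09:50:02Z", "event": "auth.login", "actor": "alice@acme", "resource": "", "ip": "203.0.113.42"}
{"timestamp": "2026-03-09T09:52:14Z", "event": "pcap.download", "actor": "alice@acme", "resource": "nyc-edge-01", "ip": "203.0.113.42"}
{"timestamp": "2026-03-09T10:15:00Z", "event": "auth.login_failed", "actor": "alice@acme", "resource": "", "ip": "203.0.113.42"}
{"timestamp": "2026-03-09T11:00:01Z", "event": "auth.login_failed", "actor": "alice@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:00:03Z", "event": "auth.login_failed", "actor": "bob@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:00:04Z", "event": "auth.login_failed", "actor": "carol@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:00:06Z", "event": "auth.login_failed", "actor": "dave@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:00:09Z", "event": "auth.login_failed", "actor": "alice@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:01:30Z", "event": "auth.login_failed", "actor": "bob@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T11:09:45Z", "event": "auth.login", "actor": "carol@acme", "resource": "", "ip": "198.51.100.99"}
{"timestamp": "2026-03-09T12:00:00Z", "event": "auth.login", "actor": "bob@acme", "resource": "", "ip": "198.51.100.7"}
"""


def parse_export(text):
    """Parse a JSON Lines export into dicts, adding a UTC datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])  # the export order is not assumed
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """One record per source IP that produced >= threshold failed logins inside
    a sliding window. Once an IP is over threshold, every later failure from it
    extends the burst; 'actors' collects the distinct accounts it tried."""
    recent = {}   # ip -> deque of (ts, actor) inside the current window
    bursts = {}   # ip -> burst record
    for ev in events:
        if ev["event"] != "auth.login_failed":
            continue
        ip = ev["ip"]
        q = recent.setdefault(ip, deque())
        q.append((ev["ts"], ev["actor"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ip in bursts:
            b = bursts[ip]
            b["end"] = ev["ts"]
            b["count"] += 1
            b["actors"].add(ev["actor"])
        elif len(q) >= threshold:
            bursts[ip] = {"ip": ip, "start": q[0][0], "end": ev["ts"],
                          "count": len(q), "actors": {a for _, a in q}}
    return list(bursts.values())


def logins_after_burst(events, bursts, grace=timedelta(hours=1)):
    """Successful logins from a bursting IP between the burst start and
    'grace' after its end: the point where stuffing may have found a password."""
    by_ip = {b["ip"]: b for b in bursts}
    hits = []
    for ev in events:
        b = by_ip.get(ev.get("ip"))   # system events have ip null -> never matched
        if ev["event"] == "auth.login" and b and b["start"] <= ev["ts"] <= b["end"] + grace:
            hits.append(ev)
    return hits


def run(text=SAMPLE_EXPORT):
    """Run both detections over an export and return (bursts, suspicious logins)."""
    events = parse_export(text)
    bursts = failed_login_bursts(events)
    return bursts, logins_after_burst(events, bursts)


if __name__ == "__main__":
    bursts, hits = run()
    for b in bursts:
        print(f"burst from {b['ip']}: {b['count']} failures, {len(b['actors'])} accounts, "
              f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}")
    for h in hits:
        print(f"login after burst: {h['actor']} from {h['ip']} at {h['ts']:%H:%M:%S}")
```

Against the constructed sample this reports one burst (198.51.100.99, six failures across four accounts) and flags carol@acme's login from that IP eight minutes later; alice's single typo from her usual IP and bob's login from an unrelated IP are not reported. Tune `threshold`, `window` and `grace` to your own traffic before pointing it at a nightly export.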