# Audit log

Every action in the vault is recorded. The audit log is append-only and covers administrative events, signing events, and key lifecycle operations.

## Open the audit log

In the sidebar, click **Audit Logs** (under the SYSTEM section). The page loads with all recent events across the system.

## Event streams

The audit log is split into three tabs:

| Tab | Contents |
|---|---|
| **Admin** | User and group lifecycle, policy changes, venue configuration, backup exports |
| **Signing** | Signing request outcomes including decoded intent, freeze blocks, and policy denials |
| **All** | Combined view of both streams |

Each tab shows a badge with the count of events matching your current filters.

![Audit Log with Admin, Signing, and All tabs and a list of event cards](/img/guide/audit-log/admin-events.png)
*The Audit Log. The Admin, Signing, and All tabs each show a running count; every entry expands to its full request detail.*

## Filter events

Use the filter bar above the event list to narrow results:

* **Date range:** pick a start and end date and time.
* **User:** filter to events from a specific user or Machine User.
* **Key:** filter to events involving a specific key.
* **Action type:** select one or more event types from the list.
* **Result:** filter by outcome (success or failure).

Active filters appear as chips below the filter bar. Click a chip's remove icon to clear that filter, or click **Hide all filters** to clear everything.

The list updates automatically as you add or remove filters. Events load as you scroll (infinite scroll).

## Event cards

Each event displays as a card with:

* **Actor:** the user or Machine User who triggered the action, with their type (Human / Machine).
* **Action:** a plain-language label such as "Key Frozen" or "Signing Policy Updated."
* **Timestamp:** date and time of the event.
* **Result badge:** success (green) or failure (red).
* **Key name:** where the event involved a key.
* **Failure reason:** for failed events, a short description of why.

## Drill into a user's activity

From the **Users & Groups** page, click the row actions menu for any user and select **View Audit Log**. This navigates to the audit log pre-filtered to that user's events. The same filter controls are available.

## Export to CSV

1. Set any filters you want applied to the export.
2. Click **Export CSV** (top right, permission-gated by `view_export_audit_log`).
3. The browser downloads a timestamped CSV file containing all events matching your current filters.

## Event types covered

The audit log records:

* **Authentication and bootstrap:** login events, passkey enrollment, failed authentication.
* **User and group lifecycle:** create, update, delete; member add and remove.
* **Machine User lifecycle:** create, update, delete.
* **Key operations:** import, generate, version added, freeze, unfreeze, delete, metadata update.
* **Signing requests:** completed, failed, blocked by freeze, blocked by policy (with decoded intent where available).
* **Policy changes:** Admin Policy updates, Signing Policy updates.
* **Venue operations:** create, update, delete.
* **Backup:** `keys_backup_created` events.

## Retention and SIEM integration

Retention period and SIEM forwarding are configured at deployment time via Helm values. See the [Deployment guide](/deploy/operations/audit-siem) for the relevant settings.
