Audit Logs
Realm9 maintains comprehensive audit logs of all user actions and system events, providing a tamper-evident record for security investigations, compliance audits, and troubleshooting.
License requirement: Audit Logs are available on the Ultimate tier.
Accessing Audit Logs
Navigate to Audit Logs in the sidebar to reach the audit overview dashboard. From there, use the category tabs to drill into specific event types.
Overview Dashboard
The audit overview page shows organisation-wide activity at a glance:
Statistics cards (configurable time period: 7, 30, or 90 days):
- Total Events
- Authentication Events
- SSO Events
- Security Alerts
- User Management Events
- Environment Changes
- Booking Activity
- Terraform Operations
- FinOps Activity
Additional sections:
- Recent Failures — failed operations and security events highlighted
- Most Active Users — top users by event count
- Most Common Actions — highest-frequency event types
- Recent Activity — live feed of the latest log entries
Use the Refresh button to reload stats, or Export to download the current view.
Event Categories
Audit events are grouped into categories. Each category has its own filtered view:
| Category | What it covers |
|---|---|
| Authentication | Logins, logouts, MFA setup/verification, password changes, account lockouts |
| SSO | SAML configuration, SSO logins, user provisioning via SSO, provider migrations, circuit breaker events |
| Users | User creation, invitations, role changes, suspension, deprovisioning, organisation management |
| Sessions | Session creation and termination, concurrent session limit breaches, IP change detection, device fingerprint mismatches |
| Security | Suspicious activity, rate limit breaches, IP blocking, SAML replay attack detection, unauthorised access attempts |
| SCIM | SCIM token management, user and group provisioning, bulk operations, deprovisioning, break-glass access |
| Environments | Environment creation, updates, deletion, exports, environment request lifecycle |
| Bookings | Booking creation, approval, rejection, extension, completion, cancellation, comments |
| Terraform | Projects, workspaces, templates, runs, drift alerts, state lock overrides, cloud connections, policy checks |
| Workflows | Workflow creation and changes, approval step decisions, admin overrides, timeouts |
| System | Settings changes, custom field groups, domain management, team management, integrations, notifications, data exports |
| FinOps | Cost sync events, anomaly detection, cloud connection toggles |
| Git | Commits, branch switches and creation, webhook events, Git authentication failures |
| ServiceNow | CMDB imports, connection tests, field group creation, CI data access |
Over 290 distinct event types are tracked across these 14 categories.
Filtering and Search
Each category view includes the following filters:
- Search — free-text search across action name, entity type, and IP address
- Action — filter to a specific event type within the category
- Entity Type — filter by the type of resource affected (User, Environment, Booking, etc.)
- Start Date / End Date — date range picker; validates that start is before end
- User — filter by who performed the action (admin views only)
All filters can be combined. Click Clear All to reset.
Log Entry Details
Each log entry captures:
| Field | Description |
|---|---|
| Timestamp | Exact date and time the event occurred |
| Action | The event type (e.g. USER_LOGIN_SUCCESS) |
| User | Name and email of the user who performed the action |
| Entity Type | Type of resource affected (User, Environment, Booking, etc.) |
| Entity ID | ID of the specific resource |
| IP Address | Source IP of the request (IPv4 and IPv6 supported) |
| User Agent | Browser or client information |
| Changes | Before and after values for any modified fields |
Click any row to open the Details panel, which shows:
- Full field-level change tracking with old value (strikethrough) → new value
- Sensitive fields shown as [REDACTED]
- Additional context such as filter parameters used or operation metadata
Pagination
Results are paginated at 50 records per page by default. The maximum allowed page size is 100. Navigation controls show the current page, total record count, and first/previous/next/last page buttons.
Export
Export the current filtered view using the Export button:
- CSV — suitable for spreadsheets and SIEM ingestion; dangerous prefix characters are escaped automatically
- JSON — pretty-printed for programmatic processing
Exports are capped at 10,000 records. If your filter returns more, the export is truncated and response headers indicate the total and exported counts. Every export action is itself recorded in the audit log.
Only Admin and Super Admin roles can export audit logs.
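An added example (not Realm9's code) of the kind of prefix escaping the CSV export refers to, shown beside the unescaped form. It assumes the common mitigation of prefixing a single quote to cells that start with =, +, -, @, tab or carriage return; the page does not document Realm9's exact rule, and the field keys and sample rows are constructed.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (assumed list; Realm9's own list is not documented on this page).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def neutralise(value):
    """Prefix a single quote so the cell is rendered as text, not evaluated."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text

def export_csv(rows, fields, escape=True):
    """Serialise audit rows to CSV; escape=False shows the unsafe behaviour."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        cells = [row.get(f, "") for f in fields]
        writer.writerow([neutralise(c) for c in cells] if escape else cells)
    return buf.getvalue()

# Constructed sample rows. The User Agent is client-supplied request data,
# so it is the field most likely to carry a formula-like value.
FIELDS = ["timestamp", "action", "ip_address", "user_agent"]
SAMPLE_ROWS = [
    {"timestamp": "2024-05-01T09:14:02Z", "action": "USER_LOGIN_SUCCESS",
     "ip_address": "203.0.113.7", "user_agent": "Mozilla/5.0"},
    {"timestamp": "2024-05-01T09:15:40Z", "action": "USER_LOGIN_SUCCESS",
     "ip_address": "203.0.113.7", "user_agent": "=1+1"},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, FIELDS, escape=False))  # cell opens as a formula
    print(export_csv(SAMPLE_ROWS, FIELDS))                # cell opens as text
```

Escaped cells no longer equal the raw logged value, so exact-match SIEM rules on fields such as User Agent should account for the prefix or use the JSON export.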
Active Sessions
Accessible from the Audit section (Admin only), the Active Sessions view shows:
- User name, email, and role
- Last login timestamp and login method (Password or SSO provider)
- Source IP address and user agent
- Whether the session is currently active (last activity within 30 minutes)
- MFA enabled status
- Number of sessions in the last 24 hours
Retention Settings
Path: /settings/audit
Admins can configure how long audit logs are retained before automatic deletion:
- Range: 30–365 days
- Default: 90 days
- Quick presets: 30, 90, 180, 365 days
Logs older than the configured retention period are permanently deleted by a scheduled background job. Each cleanup run is itself recorded as an AUDIT_LOG_CLEANUP event, capturing the cutoff date and number of records deleted — providing a compliance record of data lifecycle management.
Role-Based Access
| Capability | Viewer | User | Provisioner | Admin | Super Admin |
|---|---|---|---|---|---|
| View own activity logs | — | ✓ | ✓ | ✓ | ✓ |
| View all organisation logs | — | — | — | ✓ | ✓ |
| Export audit logs | — | — | — | ✓ | ✓ |
| View active sessions | — | — | — | ✓ | ✓ |
| Configure retention settings | — | — | — | ✓ | ✓ |
Regular users can view logs where they are the actor or the affected entity. They cannot see other users' activity.
Common Use Cases
Security investigation: Filter by a specific IP address or user, set a narrow date range, and review the sequence of events to reconstruct what happened.
Access review: Filter by user and review which resources they accessed or modified over a period.
Compliance audit: Export filtered logs as CSV or JSON for submission to auditors. The retention settings page provides documentation of your data lifecycle policy.
Troubleshooting: Filter by entity ID (e.g. a specific environment or booking) to see the full history of changes to that resource.
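The security-investigation filter described above, applied offline to a JSON export, as an added example that is not Realm9 code. It matches on a network rather than a string so that equivalent IPv6 spellings and IPv4-mapped addresses are not missed. The JSON key names, the PLACEHOLDER_* action names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime

EXPORT_CAP = 10_000  # export limit stated on this page

def canonical_ip(text):
    """Normalise an address: IPv4-mapped IPv6 (::ffff:a.b.c.d) becomes plain IPv4."""
    ip = ipaddress.ip_address(text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return ip if mapped is None else mapped

def parse_ts(text):
    """Parse an ISO 8601 timestamp; a trailing Z is read as UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def timeline(records, network, start, end):
    """Events sourced from `network` within [start, end], oldest first."""
    net = ipaddress.ip_network(network, strict=False)
    lo, hi = parse_ts(start), parse_ts(end)
    hits = []
    for rec in records:
        try:
            ip = canonical_ip(rec["ip_address"])
        except (KeyError, ValueError, AttributeError):
            continue  # e.g. background-job events with no source IP
        if ip.version == net.version and ip in net and lo <= parse_ts(rec["timestamp"]) <= hi:
            hits.append(rec)
    return sorted(hits, key=lambda r: parse_ts(r["timestamp"]))

def possibly_truncated(records):
    """A file holding the full cap may be cut off; narrow the filter and re-export."""
    return len(records) >= EXPORT_CAP

# Constructed sample export; key names are assumed, not taken from Realm9.
SAMPLE = json.loads("""[
 {"timestamp": "2024-05-01T09:20:11Z", "action": "PLACEHOLDER_ACTION_B", "user": "a@example.com", "ip_address": "2001:0db8:0000:0000:0000:0000:0000:0001"},
 {"timestamp": "2024-05-01T09:14:02Z", "action": "USER_LOGIN_SUCCESS", "user": "a@example.com", "ip_address": "2001:db8::1"},
 {"timestamp": "2024-05-01T09:16:30Z", "action": "PLACEHOLDER_ACTION_A", "user": "b@example.com", "ip_address": "::ffff:203.0.113.7"},
 {"timestamp": "2024-05-01T09:17:00Z", "action": "PLACEHOLDER_ACTION_A", "user": "b@example.com", "ip_address": "198.51.100.9"},
 {"timestamp": "2024-05-02T00:00:00Z", "action": "AUDIT_LOG_CLEANUP", "user": null, "ip_address": null}
]""")
```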
