Audit Log
The audit log is a tamper-evident record of who changed what and when — every mutation and sensitive read, with field-level before/after detail. Use it for compliance, investigations, and client transparency.
Key capabilities
- Automatic logging of every change (create, update, delete) plus sensitive reads (financials, PII, admin)
- Rich actor attribution: user, email, advisory firm, session, and auth method
- Field-level before/after change tracking on updates
- Pre-computed display values (e.g. "created Invoice #INV-001 for Acme Corp") so the feed renders without extra lookups
- Action, entity-type, user, and outcome filters plus full-text search and a date range
- Entity history ("who touched this invoice?") and per-user activity views
- Daily summaries aggregating activity by user, action, and success/failure
- AI anomaly analysis for unusual patterns and segregation-of-duties concerns
- Tamper-evident sequence linking for integrity checks
- Data-classification tagging (financial, PII, confidential, restricted) driving compliance filtering and retention
- Anomaly alerts for unusual locations, mass deletions, failed-auth spikes, VPN/Tor, and permission changes
- GDPR support: subject-access export of a user's audit trail in JSON and CSV
How it works
DayZero captures every qualifying action, enriches it with entity display details, and records each entry in a tamper-evident sequence before storing it for the activity feed.
```mermaid
flowchart TD
    req["Mutating / sensitive action"] --> capture["Audit capture"]
    capture --> enrich["Enrich: actor, entity, before/after changes"]
    enrich --> chain["Tamper-evident sequence"]
    chain --> store["Audit store"]
    store --> feed["Activity feed / entity history / AI analysis"]
```
How to use it
- Open Settings → Audit Log to see recent activity (defaulting to the last 30 days).
- Narrow with the Action, Entity type, User, and Outcome filters, the date range, or full-text search.
- Expand any entry to see the full before/after detail of exactly what changed.
- From a record's detail view, use its history to see everyone who touched that specific entity.
- Run the AI analysis to surface unusual patterns and segregation-of-duties concerns across the log.
- For compliance or a data-subject request, export a user's audit trail (JSON or CSV).
Pro tips
- Investigate discrepancies fast by combining a tight date range with an entity type and outcome = failure to isolate what went wrong.
- After teammates make bulk changes, scan the log to confirm everything applied — and that nothing failed silently.
- Use entity history before reversing an entry so you understand who created and edited it and why.
- The log is tamper-evident — treat a chain-verification failure as a security signal, not a glitch.
- Watch the anomaly alerts (mass deletion, failed-auth spikes, VPN/Tor) as an early-warning system for account compromise.
In-depth guide
What gets logged
- Every change is logged automatically.
- Sensitive reads (financial data, PII, admin pages) are logged too.
- Entity display details are captured so the feed reads naturally without follow-up queries.
Action classification
The action verb reflects what actually happened, not just the HTTP method:
- Writes map from the HTTP method: POST → create, PUT/PATCH → update, DELETE → delete, GET → view.
- Read-style POSTs (search, preview, calculate, validate, suggest) are reclassified to their true read verb, so a query is never recorded as a "create".
- Report generation is logged as a dedicated generated action, enriched with the report's human title (e.g. "generated Income Statement (P&L)").
- A service can always override the inferred action via enrich_audit(action=...).
What is intentionally not logged
To keep the trail signal-rich, some high-frequency, low-value requests are skipped:
- Status / health / progress polling reads (e.g. connection status, task progress) that fire repeatedly in the background.
- Ephemeral query POSTs that compute transient results and persist nothing (e.g. inline transaction match scoring on page load).
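The classification and skip rules above, as an added example (not DayZero's middleware): a small resolver that applies the same precedence order (service override, report generation, read-style POST, then the HTTP method) and returns nothing for the polling and ephemeral-query requests that are never logged. The function names, the `/reports/` path convention, the `match-scores` endpoint and the `override` parameter standing in for `enrich_audit(action=...)` are all assumptions; the `display_text` helper shows how the pre-computed feed sentence is derived from the verb.

```python
from typing import Optional

# Added example, not DayZero's code. Function names, path conventions and the
# endpoint lists below are assumptions; enrich_audit(action=...) is modelled as `override`.

METHOD_ACTIONS = {"POST": "create", "PUT": "update", "PATCH": "update",
                  "DELETE": "delete", "GET": "view"}

# POST endpoints that only read: logged under their true verb, never as "create".
READ_STYLE_POSTS = {"search", "preview", "calculate", "validate", "suggest"}

# High-frequency, low-value requests that are not logged at all.
POLLING_READS = {"status", "health", "progress"}   # background polling GETs
EPHEMERAL_QUERY_POSTS = {"match-scores"}           # compute-and-discard POSTs (assumed path)

# Irregular past-tense forms for the feed sentence; everything else is derived.
PAST_TENSE = {"create": "created", "update": "updated", "delete": "deleted",
              "view": "viewed", "generated": "generated"}


def _segments(path: str) -> list:
    """Lower-cased path segments with the query string stripped."""
    return [s.lower() for s in path.split("?")[0].strip("/").split("/") if s]


def should_skip(method: str, path: str) -> bool:
    """True for requests the trail intentionally leaves out."""
    segs = _segments(path)
    last = segs[-1] if segs else ""
    method = method.upper()
    if method == "GET" and last in POLLING_READS:
        return True
    if method == "POST" and last in EPHEMERAL_QUERY_POSTS:
        return True
    return False


def classify_action(method: str, path: str, override: Optional[str] = None) -> Optional[str]:
    """Return the audit verb for a request, or None when the request is not logged.

    Precedence: explicit service override > report generation > read-style POST > HTTP method.
    """
    if override:                       # a service override always wins
        return override
    if should_skip(method, path):
        return None
    method = method.upper()
    segs = _segments(path)
    last = segs[-1] if segs else ""
    if method == "POST" and "reports" in segs:   # assumed: report endpoints live under /reports/
        return "generated"
    if method == "POST" and last in READ_STYLE_POSTS:
        return last                    # e.g. POST /transactions/search -> "search"
    return METHOD_ACTIONS.get(method, "unknown")


def display_text(action: str, entity_label: str, context: Optional[str] = None) -> str:
    """Pre-computed feed sentence, e.g. 'created Invoice #INV-001 for Acme Corp'."""
    past = PAST_TENSE.get(action) or (action + "d" if action.endswith("e") else action + "ed")
    return f"{past} {entity_label}" + (f" for {context}" if context else "")
```

Note that the override is checked before the skip list: a service that explicitly calls `enrich_audit(action=...)` on an otherwise-skipped endpoint gets its entry logged, which is the behaviour you want when a polling endpoint is repurposed for something that matters.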
Outcomes
| Outcome | Meaning |
|---|---|
| Success | Action completed |
| Failure / Error | Action failed |
| Partial | Mixed results (batch) |
| Denied | Permission denied |
| Skipped | No-op / nothing to do |
| Suspicious | Flagged as potentially suspicious |
Data classification & retention
Each entity type is auto-classified by sensitivity, which drives compliance filtering and retention policy:
| Classification | Examples |
|---|---|
| Financial | Transactions, invoices, bills, payments, reconciliations, fixed assets |
| PII | Customers, vendors, users |
| Confidential | Business settings, advisory firms, bank/Stripe connections |
| Restricted | Connection keys |
| Internal | Products, tags, tasks |
Tamper detection
Each entry is linked to the one before it in sequence, so verification walks the chain from the first entry to the last and confirms every link is intact: a silently edited or deleted entry breaks the chain at that point and is detectable. As with any chained log, the check is only as strong as the verifier's independent knowledge of the chain head, so compare against a checkpoint kept outside the store the log lives in rather than trusting the stored chain alone.
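A hash-chained log with a verifier, as an added example of the tamper-detection idea (not DayZero's own implementation; the entry layout, field names, SHA-256 linking and the sample events are assumptions). It shows a silent edit and a deletion being caught, and also the two cases a per-entry check alone cannot catch: truncation of the newest entries and a full rewrite by someone who can recompute every later link. Both of those are caught only by comparing against an independently kept head hash.

```python
import hashlib
import json
from typing import Optional, Tuple

# Added example of a hash-chained, tamper-evident log; not DayZero's own code.
# Entry layout, field names and the sample events below are assumptions for this demo.

GENESIS = "0" * 64   # prev_hash of the very first entry

SAMPLE_EVENTS = [    # constructed sample payloads
    {"actor": "alice", "action": "create", "entity": "Invoice #INV-001", "outcome": "success"},
    {"actor": "bob", "action": "update", "entity": "Invoice #INV-001", "outcome": "denied"},
    {"actor": "alice", "action": "delete", "entity": "Invoice #INV-002", "outcome": "success"},
]


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of everything except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(chain: list, payload: dict) -> dict:
    """Append a payload, linking it to the current head by sequence number and hash."""
    entry = {"seq": len(chain) + 1,
             "prev_hash": chain[-1]["hash"] if chain else GENESIS,
             **payload}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Walk the chain from the first entry; return (ok, description of the first problem)."""
    prev = GENESIS
    for i, entry in enumerate(chain, start=1):
        if entry["seq"] != i:
            return False, f"sequence gap at seq {i}: an entry was removed"
        if entry["prev_hash"] != prev:
            return False, f"link broken at seq {i}"
        if _digest(entry) != entry["hash"]:
            return False, f"content modified at seq {i}"
        prev = entry["hash"]
    # The anchor is what catches truncation and wholesale rewrites.
    if expected_head is not None and prev != expected_head:
        return False, "chain head differs from the anchored checkpoint: history was rewritten"
    return True, None


def build_sample_chain() -> list:
    chain = []
    for payload in SAMPLE_EVENTS:
        append_entry(chain, payload)
    return chain


# --- tamper scenarios (return modified copies, leaving the original untouched) ---

def silently_edit(chain: list, seq: int, field: str, value) -> list:
    """Attacker edits a stored field without touching seq/prev_hash/hash."""
    copy_ = json.loads(json.dumps(chain))
    copy_[seq - 1][field] = value
    return copy_


def silently_delete(chain: list, seq: int) -> list:
    """Attacker removes one stored row."""
    copy_ = json.loads(json.dumps(chain))
    del copy_[seq - 1]
    return copy_


def rechain(entries: list) -> list:
    """Attacker with write access recomputes every link after tampering."""
    rebuilt = []
    for e in entries:
        payload = {k: v for k, v in e.items() if k not in ("seq", "prev_hash", "hash")}
        append_entry(rebuilt, payload)
    return rebuilt
```

The practical takeaway is the last scenario: an attacker who can write to the audit store can always produce an internally consistent chain, so export the head hash (or a signed checkpoint) somewhere that store cannot reach, and have the verifier compare against it.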
Anomaly alerts
DayZero runs detection over the log and dispatches alerts for:
- Unusual access locations
- Bulk operations / mass deletion
- Failed-authentication spikes
- VPN/Tor usage
- Permission escalation
- Sensitive-data access
Alerts carry a severity from informational up to critical.
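The alert rules above, as an added example run over constructed audit entries (not DayZero's detection engine; the rule names, thresholds, sliding-window sizes, entry shape and sample data are all assumptions). It covers mass deletion, failed-authentication spikes, VPN/Tor usage, permission changes and sensitive-data reads, and assigns each alert a severity on the informational-to-critical scale.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not DayZero's detection engine. Rule names, thresholds, the entry
# shape and the sample entries below are assumptions constructed for this demo.

MASS_DELETE_THRESHOLD = 5          # deletes by one actor inside WINDOW
FAILED_AUTH_THRESHOLD = 5          # failed logins by one actor inside WINDOW
WINDOW = timedelta(minutes=10)
FINANCIAL = {"invoice", "transaction", "bill", "payment"}
SENSITIVE = FINANCIAL | {"customer", "vendor", "user"}   # financial + PII


def entry(ts, actor, action, entity_type, outcome="success", **extra):
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "entity_type": entity_type, "outcome": outcome, **extra}


SAMPLE_ENTRIES = [   # constructed sample audit entries
    entry("2024-03-01T09:00:00", "alice", "update", "user", changes={"role": ["member", "admin"]}),
    entry("2024-03-01T09:01:00", "alice", "delete", "tag"),
    entry("2024-03-01T09:02:00", "alice", "delete", "tag"),
    entry("2024-03-01T09:05:00", "carol", "view", "invoice", network="tor"),
    *[entry(f"2024-03-01T09:1{i}:00", "bob", "login", "session", outcome="failure") for i in range(6)],
    *[entry(f"2024-03-01T10:0{i}:00", "mallory", "delete", "invoice") for i in range(7)],
]


def _burst(times, threshold, window) -> bool:
    """True if any sliding window of `window` contains at least `threshold` events."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_anomalies(entries) -> list:
    alerts = []
    deletes = defaultdict(list)
    failed_auth = defaultdict(list)
    for e in entries:
        if e["action"] == "delete":
            deletes[e["actor"]].append(e)
        if e["action"] == "login" and e["outcome"] in ("failure", "error"):
            failed_auth[e["actor"]].append(e["ts"])
        if e.get("network") in ("vpn", "tor") and e["outcome"] == "success":
            alerts.append({"rule": "vpn_tor_usage", "actor": e["actor"], "severity": "medium"})
        if e["action"] == "view" and e["entity_type"] in SENSITIVE:
            alerts.append({"rule": "sensitive_data_access", "actor": e["actor"],
                           "severity": "informational"})
        changes = e.get("changes", {})
        if e["entity_type"] == "user" and "role" in changes:
            before, after = changes["role"]
            alerts.append({"rule": "permission_change", "actor": e["actor"],
                           "severity": "critical" if after == "admin" else "high",
                           "detail": f"{before} -> {after}"})
    # Rate-based rules run after the pass so each actor's events are seen together.
    for actor, evs in deletes.items():
        if _burst([e["ts"] for e in evs], MASS_DELETE_THRESHOLD, WINDOW):
            touches_financial = any(e["entity_type"] in FINANCIAL for e in evs)
            alerts.append({"rule": "mass_deletion", "actor": actor,
                           "severity": "critical" if touches_financial else "high",
                           "count": len(evs)})
    for actor, ts in failed_auth.items():
        if _burst(ts, FAILED_AUTH_THRESHOLD, WINDOW):
            alerts.append({"rule": "failed_auth_spike", "actor": actor,
                           "severity": "high", "count": len(ts)})
    return alerts


def alerts_by_rule(entries) -> dict:
    """Convenience view: one alert per rule name (the last one raised)."""
    return {a["rule"]: a for a in detect_anomalies(entries)}
```

Two of alice's tag deletions stay below the threshold and raise nothing, while mallory's seven invoice deletions in six minutes are a critical mass-deletion alert because they touch financial records; the sliding window is what keeps a slow, legitimate clean-up from tripping the same rule.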
GDPR / compliance
A subject-access export collects all audit entries for a given user in both JSON and CSV, supporting data-subject access requests and audit trails for privacy compliance.