What gets logged
- Auth events — every login (success + failure), password change, MFA enrollment, session invalidation, SSO callback.
- Admin changes — integration credential saves, user role changes, branding updates, customer matching changes, rule edits.
- Rules-engine dispatches — every rule fire, with the trigger record + the action payload + the outcome.
- Write-backs to source systems — every create_ticket, update_ticket_status, acknowledge_alert, time-entry, etc., with the full request body sent to the vendor + the response status.
- Customer feedback / support submissions — captured here in addition to the dedicated feedback inbox, so a deletion of the feedback row doesn’t lose the event.
Append-only by design
Application code can write to the audit log; nothing in the application can edit or delete a row. The append-only guarantee is what makes the log useful as an evidence surface — a malicious admin can’t cover their tracks by deleting the entry that would incriminate them.
Deletion at the database level (a SQL admin running a DELETE) is of course still possible, but it is logged separately by the database’s own audit machinery, and nightly backups carry the prior state.
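One way to enforce and check the guarantee described above, as an added example that is not the product's own code: SQLite triggers reject UPDATE and DELETE from the application, and a per-row hash chain (which goes beyond what this page describes) exposes a row removed directly in the database. The table, column and function names are assumptions.

```python
import hashlib
import json
import sqlite3

# Hypothetical schema: table and column names are assumptions, not the product's.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    action TEXT NOT NULL, actor TEXT NOT NULL, target TEXT NOT NULL,
    details TEXT NOT NULL, prev_hash TEXT NOT NULL, row_hash TEXT NOT NULL);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""
GENESIS = "0" * 64  # prev_hash of the first row

def _digest(prev_hash, action, actor, target, details):
    body = json.dumps([prev_hash, action, actor, target, details])
    return hashlib.sha256(body.encode()).hexdigest()

def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def append(db, action, actor, target, details):
    """Insert one event, chaining its hash to the previous row's hash."""
    last = db.execute("SELECT row_hash FROM audit_log ORDER BY id DESC LIMIT 1").fetchone()
    prev = last[0] if last else GENESIS
    text = json.dumps(details, sort_keys=True)
    db.execute("INSERT INTO audit_log VALUES (NULL, ?, ?, ?, ?, ?, ?)",
               (action, actor, target, text, prev, _digest(prev, action, actor, target, text)))
    db.commit()

def verify(db):
    """Return the id of the first row that breaks the chain, or None if intact."""
    prev = GENESIS
    for rid, action, actor, target, text, prev_hash, row_hash in db.execute(
            "SELECT * FROM audit_log ORDER BY id"):
        if prev_hash != prev or row_hash != _digest(prev, action, actor, target, text):
            return rid
        prev = row_hash
    return None

if __name__ == "__main__":
    log = open_log()  # constructed sample events
    append(log, "rule_fired", "system", "rule:12", {"outcome": "ok"})
    append(log, "ticket_created", "system", "ticket:1001", {"response_status": 201})
    print("first broken row:", verify(log))
```

The chain only reveals gaps and edits before the newest row; detecting truncation of the tail requires keeping the latest row_hash somewhere the database admin cannot write.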
Querying the log
Visit Admin → Audit log. Filter by:
- Action — e.g. integration_credentials_updated, rule_fired, ticket_created.
- User — who took the action.
- Target — the record that changed (ticket id, integration name, rule id, etc.).
- Date range — defaults to the last 7 days.
Each row expands to show the full details JSON, including the request payload + response when the action was a write-back.
Compliance evidence packs
For SOC2 / Cyber Essentials / customer-side procurement reviews, the Security surface composes evidence packs that pull from the audit log:
- Access reviews — every login + role change for the period.
- Change management — every admin / integration / rule edit for the period.
- Incident response — auth failures + rate-limit events, useful for after-action reports.
Evidence packs are exported as zipped JSON + CSV for attachment to compliance documentation.
Retention
Audit-log rows are retained for 13 months by default — long enough to cover a full compliance year + a one-month buffer. Retention is configurable per workspace under Admin → Security (60-day floor enforced).