Audit Logs
Global Watch provides comprehensive audit logging to help organizations maintain accountability, meet compliance requirements, and investigate security incidents. This document explains our audit logging capabilities and how to use them effectively.
Overview
Audit logs capture a detailed record of all significant activities within your Global Watch account:
- Who: The user who performed the action
- What: The specific action taken
- When: Timestamp of the action
- Where: IP address and location (when available)
- Context: Additional relevant details
Logged Events
Authentication Events
All authentication-related activities are logged:
| Event | Description | Details Captured |
|---|---|---|
| auth.login | Successful login | User, IP, device, method |
| auth.login_failed | Failed login attempt | Email, IP, reason |
| auth.logout | User logout | User, session duration |
| auth.mfa_enabled | MFA activated | User, method |
| auth.mfa_disabled | MFA deactivated | User, admin override |
| auth.password_changed | Password updated | User, method |
| auth.password_reset | Password reset requested | Email, IP |
Account Events
Account management activities:
| Event | Description | Details Captured |
|---|---|---|
| account.created | New account created | Account type, owner |
| account.updated | Account settings changed | Changed fields, old/new values |
| account.deleted | Account deleted | Account ID, deletion method |
| account.subscription_changed | Plan changed | Old plan, new plan |
Member Events
Team member management:
| Event | Description | Details Captured |
|---|---|---|
| member.invited | Invitation sent | Email, role, inviter |
| member.joined | Member accepted invite | User, role |
| member.role_changed | Role updated | User, old role, new role |
| member.removed | Member removed | User, remover, reason |
Project Events
Project-related activities:
| Event | Description | Details Captured |
|---|---|---|
| project.created | New project created | Name, creator, account |
| project.updated | Project modified | Changed fields |
| project.archived | Project archived | User, reason |
| project.restored | Project restored | User |
| project.deleted | Project deleted | User, deletion type |
Asset Events
Asset management activities:
| Event | Description | Details Captured |
|---|---|---|
| asset.created | New asset created | Type, project, creator |
| asset.updated | Asset modified | Changed fields |
| asset.deleted | Asset deleted | User, reason |
| asset.location_changed | Location updated | Old/new coordinates |
Data Access Events
Sensitive data access:
| Event | Description | Details Captured |
|---|---|---|
| data.exported | Data export requested | Export type, user |
| data.downloaded | File downloaded | File type, user |
| api.key_created | API key generated | Key name, permissions |
| api.key_revoked | API key revoked | Key name, reason |
Accessing Audit Logs
In the Dashboard
Access audit logs through the Global Watch dashboard:
- Navigate to Settings → Audit Logs
- Use filters to narrow down results
- Export logs for external analysis
Via API
Retrieve audit logs programmatically:
# Filters are sent as query parameters, as in the Search Examples and API Reference
curl -G "https://api.global.watch/v1/audit-logs" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "start_date=2024-01-01" \
  --data-urlencode "end_date=2024-01-31" \
  --data-urlencode "event_type=auth.login" \
  --data-urlencode "limit=100"
Response Format
Audit log entries follow this structure:
{
  "id": "log_abc123",
  "event_type": "project.created",
  "actor": {
    "id": "user_xyz789",
    "email": "john@example.com",
    "name": "John Doe"
  },
  "target": {
    "type": "project",
    "id": "proj_def456",
    "name": "Amazon Reserve"
  },
  "context": {
    "ip_address": "192.168.1.1",
    "user_agent": "Mozilla/5.0...",
    "location": "São Paulo, BR"
  },
  "metadata": {
    "account_id": "acc_ghi789",
    "changes": {
      "name": {
        "old": null,
        "new": "Amazon Reserve"
      }
    }
  },
  "timestamp": "2024-01-15T10:30:00Z"
}
Filtering & Search
Available Filters
Filter audit logs by various criteria:
| Filter | Description | Example |
|---|---|---|
| event_type | Type of event | auth.login |
| actor_id | User who performed action | user_xyz789 |
| target_type | Type of affected resource | project |
| target_id | Specific resource ID | proj_abc123 |
| start_date | Events after this date | 2024-01-01 |
| end_date | Events before this date | 2024-01-31 |
| ip_address | Source IP address | 192.168.1.1 |
Search Examples
Common search scenarios:
# Find all login attempts for a user
GET /audit-logs?actor_id=user_xyz&event_type=auth.login
# Find all changes to a specific project
GET /audit-logs?target_id=proj_abc123
# Find all admin actions in the last week
GET /audit-logs?event_type=member.*&start_date=2024-01-08
# Find failed login attempts from an IP
GET /audit-logs?event_type=auth.login_failed&ip_address=192.168.1.1
Retention & Storage
Retention Periods
Audit logs are retained based on your plan:
| Plan | Retention Period | Export Options |
|---|---|---|
| Free | 30 days | CSV |
| Pro | 1 year | CSV, JSON |
| Enterprise | 2+ years | CSV, JSON, SIEM integration |
Long-Term Storage
For compliance requirements exceeding standard retention:
- Export Regularly: Schedule automatic exports
- SIEM Integration: Stream logs to your SIEM (Enterprise)
- Custom Retention: Extended retention available (Enterprise)
Compliance Use Cases
SOC 2 Compliance
Audit logs support SOC 2 requirements:
- Access Control: Track who accessed what and when
- Change Management: Document all system changes
- Incident Response: Investigate security events
GDPR Compliance
Support GDPR accountability requirements:
- Data Access Tracking: Log all personal data access
- Consent Records: Track consent changes
- Data Subject Requests: Document request handling
Internal Audits
Support internal audit processes:
- User Activity Review: Regular access reviews
- Permission Changes: Track role modifications
- Data Exports: Monitor data extraction
Security Considerations
Log Integrity
Audit logs are protected against tampering:
- Immutable: Logs cannot be modified after creation
- Checksums: Cryptographic verification available
- Timestamps: Server-side timestamps prevent manipulation
Access Control
Audit log access is restricted:
- Role-Based: Only admins can view full logs
- Self-Service: Users can view their own activity
- API Access: Requires specific permission
Best Practices
Regular Review
Recommended Review Schedule
- Daily: Failed login attempts, API key usage
- Weekly: Member changes, permission updates
- Monthly: Full audit log review, export for archives
Alert Configuration
Set up alerts for critical events:
- Multiple Failed Logins: Potential brute force attack
- Admin Actions: Track privileged operations
- Data Exports: Monitor bulk data access
- API Key Creation: Track new integrations
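One way to implement the first, third and fourth alerts on exported entries, as an added example that is not Global Watch code. The threshold, the window and the function names are assumptions, as is the premise that `auth.login_failed` entries carry the same `context.ip_address` and `timestamp` fields as the response format shown earlier.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, not Global Watch defaults.
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
# Event types from the tables above that are alerted on every occurrence.
ALWAYS_ALERT = {"auth.mfa_disabled", "api.key_created", "data.exported"}

def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in audit log entries."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_alerts(entries):
    """Return (kind, subject, timestamp) tuples for entries that need review."""
    alerts = []
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    for entry in sorted(entries, key=lambda e: parse_ts(e["timestamp"])):
        ts = parse_ts(entry["timestamp"])
        event = entry["event_type"]
        if event == "auth.login_failed":
            ip = entry.get("context", {}).get("ip_address", "unknown")
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop failures older than WINDOW
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", ip, entry["timestamp"]))
                window.clear()  # restart the count after alerting
        elif event in ALWAYS_ALERT:
            actor = entry.get("actor", {}).get("email", "unknown")
            alerts.append((event, actor, entry["timestamp"]))
    return alerts

def make_entry(event, ts, ip, email="john@example.com"):
    """Build a constructed entry in the documented response shape."""
    return {"event_type": event, "timestamp": ts,
            "actor": {"email": email}, "context": {"ip_address": ip}}

# Constructed sample: five failures in five minutes from one IP, five hourly
# failures from another (never inside the window), and one API key creation.
SAMPLE = (
    [make_entry("auth.login_failed", f"2024-01-15T10:0{m}:00Z", "203.0.113.7") for m in range(5)]
    + [make_entry("auth.login_failed", f"2024-01-15T1{h}:00:00Z", "198.51.100.20") for h in range(5)]
    + [make_entry("api.key_created", "2024-01-15T12:30:00Z", "198.51.100.20")]
)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(alert)
```

Grouping by source IP catches one host trying many accounts; grouping by the targeted email instead catches many hosts trying one account.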
Export Strategy
Maintain audit log archives:
- Schedule Exports: Weekly or monthly exports
- Secure Storage: Store exports in secure location
- Retention Policy: Define archive retention period
- Access Control: Limit who can access archives
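To make your own export archives tamper-evident, each exported entry can be hash-chained to the one before it. This is an added example, not Global Watch code and not a description of how Global Watch computes its checksums; the function names and the archive entries are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed anchor that the first link is chained to

def canonical(entry):
    """Serialize deterministically so identical content always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def build_chain(entries):
    """Return one SHA-256 link per entry; each covers the entry and the previous link."""
    links, prev = [], GENESIS
    for entry in entries:
        prev = hashlib.sha256(prev.encode("ascii") + canonical(entry)).hexdigest()
        links.append(prev)
    return links

def verify_chain(entries, links):
    """Return the index of the first entry that no longer matches, or None if intact."""
    expected = build_chain(entries)
    for i, (want, have) in enumerate(zip(expected, links)):
        if want != have:
            return i
    if len(entries) != len(links):
        return min(len(entries), len(links))  # entries truncated or appended
    return None

# Constructed archive in the documented response shape (fields abbreviated).
ARCHIVE = [
    {"id": "log_0001", "event_type": "auth.login",
     "actor": {"email": "john@example.com"}, "timestamp": "2024-01-15T10:30:00Z"},
    {"id": "log_0002", "event_type": "member.role_changed",
     "actor": {"email": "john@example.com"}, "timestamp": "2024-01-15T10:31:00Z"},
    {"id": "log_0003", "event_type": "data.exported",
     "context": {"location": "São Paulo, BR"}, "timestamp": "2024-01-15T10:32:00Z"},
]

if __name__ == "__main__":
    links = build_chain(ARCHIVE)
    print("intact:", verify_chain(ARCHIVE, links) is None)
    ARCHIVE[1]["actor"]["email"] = "changed@example.com"  # simulate an edit
    print("first mismatch at index:", verify_chain(ARCHIVE, links))
```

Keep the final link somewhere the archive's writers cannot reach, since anyone who can rewrite both the entries and the links can rebuild a consistent chain.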
API Reference
List Audit Logs
GET /v1/audit-logs
Parameters:
| Parameter | Type | Description |
|---|---|---|
| start_date | string | Start of date range (ISO 8601) |
| end_date | string | End of date range (ISO 8601) |
| event_type | string | Filter by event type |
| actor_id | string | Filter by actor user ID |
| target_type | string | Filter by target resource type |
| target_id | string | Filter by target resource ID |
| limit | integer | Maximum results (default: 50, max: 1000) |
| cursor | string | Pagination cursor |
Export Audit Logs
POST /v1/audit-logs/export
Request Body:
{
  "format": "csv",
  "start_date": "2024-01-01",
  "end_date": "2024-01-31",
  "event_types": ["auth.*", "project.*"]
}
Related Documentation
- Security - Security measures and practices
- Data Protection - Privacy and GDPR compliance
- API Authentication - API security details