Audit Log
Track all user and system actions across your Velnoro team with an immutable, searchable audit trail.
The Audit Log records every significant action taken in your Velnoro team: scans triggered, connections created, policies changed, people imported, and more. It provides an immutable audit trail for compliance, security reviews, and change tracking.
Prerequisites
- Account role: Owner or Admin (requires the "Manage" permission)
- At least one completed action (scan, connection creation, etc.) to see entries
Getting Started
Navigate to Audit Log in the Admin section of the sidebar. You'll see a chronological table of all recorded events, newest first.
Key Concepts
- Immutable records: Audit log entries cannot be edited or deleted. Once an event is recorded, it is permanent. This is enforced at the database level.
- Non-blocking writes: If an audit write fails for any reason, the failure is logged as a warning and the parent operation continues. Your workflows are never interrupted by audit system issues.
- Actor types: Each entry records who performed the action: user (a team member), system (automated processes like scheduled scans), or api (API-triggered actions).
- Details payload: Each entry includes a JSON details field with action-specific data such as old/new values, reasons, counts, or configuration changes.
What Gets Tracked
| Category | Events |
|---|---|
| Scans | Scan triggered, scan completed |
| Connections | Connection created, connection tested, connection deleted |
| People | People imported (with row counts), person status changed, maker tier assigned |
| Policies | Connector policy created, updated, deleted (with old/new values) |
| Scheduling | Scan schedule updated (cadence changes) |
| Admin Operations | Scan cancelled, connection paused, connection resumed |
Reading the Audit Log
The audit log table shows five columns:
| Column | Description |
|---|---|
| Timestamp | When the event occurred (date and 24-hour time) |
| Action | What happened, shown as a color-coded badge. Green for created/triggered events, red for deleted events, gray for completed events. |
| Entity | What was affected: the entity type (scan, connection, policy, etc.) and a truncated entity ID |
| Actor | Who performed the action. Shows actor type badge (purple for system, blue for API, default for user) and actor ID |
| Details | Key-value pairs from the event payload. Shows up to three pairs with a "+N more" indicator if there are additional fields. |
Filtering and Search
Use the filter bar above the table to narrow results:
- Action dropdown - Filter by specific action type (e.g., "scan.triggered", "policy.created")
- Entity Type dropdown - Filter by entity category (e.g., "scan", "connector_policy", "connection")
- Search box - Free-text search across action and entity type fields
- Date range - Set a From and To date to view events within a specific time window
- Clear button - Reset all filters and return to the full unfiltered view
Filters can be combined. For example, filter by "policy.deleted" action within the last 7 days to review recent policy removals.
The table displays 50 entries per page. Use the Previous/Next buttons to navigate through results. The entry count shows your current position (e.g., "1-50 of 142 entries").
Exporting
Click the Export CSV button to download the current audit log as a CSV file. The export includes all entries matching your current filters.
The CSV file contains: Timestamp, Action, Entity Type, Entity ID, Actor Type, Actor ID, and Details (as JSON). The filename includes the current date (e.g., audit-log-2026-03-08.csv).
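An added example (not Velnoro's own code) for reviewing an exported CSV offline: it decodes the Details JSON, groups connector_policy events by actor, and lists scans that have a "scan.triggered" entry but no "scan.completed" entry. The sample rows, timestamp format, IDs, keys inside Details, and the assumption that both scan events share one Entity ID are constructed for illustration.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample export. Column names follow the list above; the timestamp
# format, the IDs and the keys inside Details are assumptions for illustration.
SAMPLE_EXPORT = '''Timestamp,Action,Entity Type,Entity ID,Actor Type,Actor ID,Details
2026-03-08 09:00:00,scan.triggered,scan,scan-001,system,scheduler,"{""connection"": ""conn-a""}"
2026-03-08 09:04:10,scan.completed,scan,scan-001,system,scheduler,"{""asset_count"": 42}"
2026-03-08 10:15:00,policy.deleted,connector_policy,pol-7,user,user-17,"{""old_status"": ""blocked"", ""reason"": ""cleanup""}"
2026-03-08 11:00:00,scan.triggered,scan,scan-002,api,key-3,"{""connection"": ""conn-b""}"
2026-03-08 11:30:00,policy.created,connector_policy,pol-8,user,user-17,not-json
'''


def load_export(text):
    """Parse the CSV and decode Details; undecodable values are kept as raw text."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["Details"]
        try:
            row["Details"] = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            row["Details"] = {"_raw": raw}
        rows.append(row)
    return rows


def policy_changes_by_actor(rows):
    """Group connector_policy events by (actor type, actor ID) for review."""
    grouped = defaultdict(list)
    for r in rows:
        if r["Entity Type"] == "connector_policy":
            grouped[(r["Actor Type"], r["Actor ID"])].append(
                (r["Timestamp"], r["Action"], r["Entity ID"], r["Details"]))
    return dict(grouped)


def scans_without_completion(rows):
    """Scan IDs with scan.triggered but no scan.completed in this export."""
    triggered = {r["Entity ID"] for r in rows if r["Action"] == "scan.triggered"}
    completed = {r["Entity ID"] for r in rows if r["Action"] == "scan.completed"}
    return sorted(triggered - completed)

if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    print(policy_changes_by_actor(rows))
    print("open scans:", scans_without_completion(rows))
```

A scan listed as open may still be running or may have completed outside the exported date range; if neither applies, the completion entry may have been lost to a failed audit write.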
Common Tasks
Investigating a Specific Change
- Navigate to Audit Log
- Use the Entity Type dropdown to filter by the type of resource (e.g., "connector_policy")
- Optionally narrow the date range
- Review the Details column for old/new values and reasons
Reviewing Scan History
- Filter by Action: "scan.triggered" or "scan.completed"
- The Details column shows scan metadata (asset counts, duration, connection info)
- Cross-reference with the Scans page for full scan status and results
Preparing a Compliance Report
- Set the Date range to the reporting period
- Review all entries for the period
- Click Export CSV to download the data
- Use the CSV in your compliance reporting tools or attach to audit documentation
Tracking Policy Changes
- Filter Entity Type to "connector_policy"
- Review created, updated, and deleted policy events
- The Details field shows what changed (old status vs. new status, reason text)
- See the Governance guide for more on managing connector policies
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Audit log page shows upgrade prompt | Account is on Discovery (free) tier | Audit Log requires a Pro Trial or Business subscription |
| No entries visible | No actions have been recorded yet | Run a scan or create a connection. Audit entries appear automatically. |
| Missing entries for a known action | Audit write failed silently | Audit writes are non-blocking and log warnings on failure. Check server logs if entries are consistently missing. |
| Search returns no results | Search terms don't match action or entity type text | Search matches against the action name (e.g., "scan.triggered") and entity type (e.g., "connection"). Try shorter terms. |
| Export CSV is empty | Filters are too restrictive | Clear all filters and try the export again |
FAQ
Q: Can audit log entries be deleted? No. The audit log is append-only by design. Entries cannot be edited or deleted, even by team owners. This ensures the integrity of your audit trail.
Q: How long are audit log entries retained? For the lifetime of your account. There is no automatic purge or retention limit.
Q: Who can view the audit log? Team Owners and Admins (anyone with the "Manage" permission). Members with read-only access cannot view the audit log.
Q: Does the audit log capture who made changes? Yes. Every entry records the actor: either a specific user (by ID), "system" for automated actions like scheduled scans, or "api" for API-triggered operations.
Q: What happens to audit entries when a team member is removed? Nothing. All audit log entries created by that user are permanently preserved. The actor ID remains in the record for historical attribution even after the user is no longer a team member. This is enforced at the database level: the audit log only supports INSERT and SELECT, never DELETE or UPDATE.
Q: Are failed operations logged? Scan completions and failures are both logged. For other operations, only successful actions generate audit entries. If a policy creation fails due to a validation error, no audit entry is created.