Audit Trail
ZITADEL provides you with an built-in audit trail to track all changes and events over an unlimited period of time. Most other solutions replace a historic record and track changes in a separate log when information is updated. ZITADEL only ever appends data in an Eventstore, keeping all historic record. The audit trail itself is identical to the state, since ZITADEL calculates the state from all the past changes.
This form of audit log has several benefits over storing classic audit logs. You can view past data in-context of the whole system at a single point in time. Reviewing a past state of the application can be important when tracing an incident that happened months back. Moreover the eventstore provides a truly complete and clean audit log.
Accessing the Audit Log
Last changes of an object
You can check the last changes of most objects in the Console. In the following screenshot you can see an example of last changes on an user. The same view is available on several other objects such as organization or project.
Event View
Administrators can see all events across an instance and filter them directly in Console. Go to your instance settings and then click on the Tab Events to open the Event Viewer or browse to $YOUR_DOMAIN/ui/console/events
Event API
Since everything that is available in Console can also be called with our APIs, you can access all events and audit data trough our APIs:
Access to the API is possible with a Service User account, allowing you to integrate the events with your own business logic.
Using logs in external systems
You can use the Event API to pull data and ingest it in an external system.
Actions can be used to write events to the stdout and process the events as logs. Please refer to the zitadel/actions repository for a code sample. You can use your log processing pipeline to parse and ingest the events in your favorite analytics tool.
It is possible to send events directly with an http request to an external tool. We don't recommend this approach since this would create back-pressure and increase the overall processing time for requests.
At this moment Actions can be invoked on certain events, but not generally on every event.
This is not a technical limitation, but a feature on our backlog.
Future plans
There will be three major areas for future development on the audit data
- Metrics and standard reports
- Feedback loop and threat detection
- Forensics and replay of events