Introducing the Audit Trail

Audit Trail

Administrators of any type of application need an easy way of staying on top of user activity. They need to have an easy way to monitor who accessed the system and what activity they performed. This control is necessary both for internal purposes as well as complying with external certification programs. is no exception to this rule, and we are happy to announce that we have added a new Audit Trail feature to our hosted ELK-as-a-Service platform!

Audit Trail

Audit Trail tracks user activity in your account, recording actions like logging in, saving a search, creating an alert, adding a user, updating a dashboard, etc (a full list of audited actions is available below).

These actions are displayed together with the user ID and name, date and time, and server IP in an easy-to-read table accessed via the Settings page in the UI.  


You can filter the Audit Trail using these fields or select a specific time frame to help drill down into specific activity.

Time Frame

Users also have the option to decide which column to display in the table as well as sorting the Date & Time column in ascending or descending order.


The Audit Trail can also be exported as an .CSV file, helping you save and share the information if necessary. To export the information, simply click the CSV download button. 


Audited Actions 

For your reference, here is a partial list of the activity audited by this feature: 

  • Login  
  • Failed login  
  • Changed password 
  • Reset password 
  • Added user  
  • Updated user role  
  • Deleted user  
  • Admin changed permissions for support access  
  • User saved an object (visualization/dashboard/search)  
  • User deleted an object  
  • User installed an ELK app  
  • Admin created a sub account  
  • Admin updated a sub account  
  • Admin deleted a sub account  
  • User created a token  
  • User updated a token 
  • User deleted a token  
  • User created a token filter  
  • User updated a token filter  
  • User deleted a token filter  
  • User created an alert  
  • User updated an alert  
  • User deleted an alert  
  • User created an endpoint  
  • User updated an endpoint  
  • User deleted an endpoint  
  • User created a bucket  
  • User updated a bucket  
  • User deleted a bucket 
  • User created S3 archiving  
  • User updated S3 archiving  
  • User deleted S3 archiving  
  • Customer Success made authorized changes in the account  
  • User created a sawmill configuration with Data Parsing  
  • User updated a sawmill configuration with Data Parsing  
  • User updated field mapping 

As always, we want your feedback! So if you have any ideas or questions on this feature, let us know:  

Happy auditing!

Get started for free

Completely free for 14 days, no strings attached.