Audit Logs

Audit logs provide a detailed record of actions taken within your organization. Use them for security monitoring, compliance, and troubleshooting.

Overview

Teabar logs administrative and operational events:

  • Authentication Events - Logins, logouts, failed attempts
  • Member Actions - Invites, role changes, removals
  • Environment Operations - Create, start, stop, delete
  • API Key Usage - Creation, revocation, API calls
  • Configuration Changes - Organization and project settings
  • Blueprint Operations - Create, update, publish

Viewing Audit Logs

Via Web Console

  1. Go to Organization Settings > Audit Logs
  2. Use filters to narrow results:
    • Date range
    • Actor (who performed the action)
    • Action type
    • Resource type
  3. Click entries for details

Via CLI

# List recent events
teactl activity list --type audit

# Filter by actor
teactl activity list --type audit --actor [email protected]

# Filter by action
teactl activity list --type audit --action member.invite

# Filter by date range
teactl activity list --type audit --since 2024-03-01 --until 2024-03-10

# Export to JSON
teactl activity list --type audit -o json > audit-log.json

Event Types

Authentication Events

Event               Description
auth.login          Successful login
auth.logout         User logged out
auth.login_failed   Failed login attempt
auth.token_created  API key created
auth.token_revoked  API key revoked

Member Events

Event                Description
member.invited       Member invitation sent
member.joined        Member accepted invitation
member.role_changed  Member role updated
member.removed       Member removed from organization

Environment Events

Event                           Description
environment.created             Environment created
environment.started             Environment started
environment.stopped             Environment stopped
environment.deleted             Environment deleted
environment.checkpoint_created  Checkpoint created

Organization Events

Event                          Description
organization.settings_updated  Org settings changed
project.created                Project created
project.deleted                Project deleted
blueprint.created              Blueprint uploaded
blueprint.published            Blueprint published to catalog

Event Details

Each audit event includes:

Field       Description
timestamp   When the event occurred
actor       Who performed the action
action      Type of action
resource    What was affected
details     Additional context
ip_address  Source IP (when available)
user_agent  Client information

Example Event

{
  "id": "evt_abc123",
  "timestamp": "2024-03-10T14:30:00Z",
  "actor": {
    "type": "user",
    "id": "user_xyz",
    "email": "[email protected]"
  },
  "action": "member.invited",
  "resource": {
    "type": "invitation",
    "id": "inv_def456"
  },
  "details": {
    "invitee_email": "[email protected]",
    "role": "member"
  },
  "ip_address": "192.168.1.100",
  "user_agent": "teactl/1.2.0"
}

Log Retention

Retention periods vary by plan:

Plan        Retention
Free        30 days
Pro         1 year
Enterprise  7 years (configurable)

Tamper-Evident Security

Teabar audit logs are cryptographically secured to ensure integrity and support compliance requirements.

How It Works

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Entry N-1  │────►│   Entry N   │────►│  Entry N+1  │
│             │     │             │     │             │
│ hash: abc.. │     │ prev: abc.. │     │ prev: def.. │
│ signature   │     │ signature   │     │ signature   │
└─────────────┘     └─────────────┘     └─────────────┘

Security guarantees:

  1. Each entry includes the hash of the previous entry (chain)
  2. Each entry is individually signed with Ed25519
  3. Chain breaks (removed, reordered or inserted entries) are detectable
  4. Signatures make any modification of an entry detectable
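
The following is an added example of the chain-plus-signature construction described above; it is not Teabar's own code and the entry layout (a `seq` counter, a `prev` hash and a `signature` field) is an assumption modelled on the diagram and the example event. It builds a short log with a freshly generated Ed25519 key, verifies it, and then shows that both an edited entry and a removed entry fail verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is a minimal audit entry. Field names follow the page's example event
// and chain diagram; the exact wire format Teabar uses is an assumption.
type Entry struct {
	Seq       int    `json:"seq"` // position in the chain, used to spot gaps
	Timestamp string `json:"timestamp"`
	Actor     string `json:"actor"`
	Action    string `json:"action"`
	Prev      string `json:"prev"`      // hex SHA-256 of the previous entry ("" for the first)
	Signature string `json:"signature"` // hex Ed25519 signature over signedBytes(e)
}

// signedBytes is what the signature covers: every field except the signature
// itself, serialised deterministically (struct field order is fixed).
func signedBytes(e Entry) []byte {
	e.Signature = ""
	b, _ := json.Marshal(e)
	return b
}

// entryHash links entries. It covers the whole signed entry, so each entry
// commits to both the content and the signature of its predecessor.
func entryHash(e Entry) string {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append signs a new entry with priv and links it to the last entry in log.
func Append(log []Entry, priv ed25519.PrivateKey, ts, actor, action string) []Entry {
	e := Entry{Seq: len(log), Timestamp: ts, Actor: actor, Action: action}
	if len(log) > 0 {
		e.Prev = entryHash(log[len(log)-1])
	}
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, signedBytes(e)))
	return append(log, e)
}

// Verify walks the chain from the start and reports the first problem. pubs
// holds every trusted signing key: keys rotate, and old keys stay valid for
// verifying entries signed before the rotation.
func Verify(log []Entry, pubs []ed25519.PublicKey) error {
	for i, e := range log {
		if e.Seq != i {
			return fmt.Errorf("gap: expected seq %d, found %d", i, e.Seq)
		}
		want := ""
		if i > 0 {
			want = entryHash(log[i-1])
		}
		if e.Prev != want {
			return fmt.Errorf("chain break at seq %d", i)
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil {
			return fmt.Errorf("seq %d: malformed signature", i)
		}
		valid := false
		for _, pub := range pubs {
			if ed25519.Verify(pub, signedBytes(e), sig) {
				valid = true
				break
			}
		}
		if !valid {
			return fmt.Errorf("seq %d: signature does not verify under any trusted key", i)
		}
	}
	return nil
}

// Demo builds a constructed three-entry log, verifies it, then checks that an
// edited entry and a removed entry are both caught. Returns the three results.
func Demo() (cleanErr, editedErr, removedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubs := []ed25519.PublicKey{pub}
	var log []Entry
	log = Append(log, priv, "2024-03-10T14:30:00Z", "user_xyz", "member.invited")
	log = Append(log, priv, "2024-03-10T14:31:00Z", "user_xyz", "auth.logout")
	log = Append(log, priv, "2024-03-10T14:35:00Z", "user_abc", "environment.deleted")
	cleanErr = Verify(log, pubs)

	edited := append([]Entry(nil), log...)
	edited[1].Action = "auth.login" // rewritten history: signature no longer matches
	editedErr = Verify(edited, pubs)

	removed := []Entry{log[0], log[2]} // middle entry dropped: seq and prev no longer line up
	removedErr = Verify(removed, pubs)
	return
}

func main() {
	clean, edited, removed := Demo()
	fmt.Println("clean log:    ", clean)
	fmt.Println("edited entry: ", edited)
	fmt.Println("removed entry:", removed)
}
```

Because the hash of entry N covers its signature, an attacker holding a leaked signing key still cannot silently re-sign an old entry without also recomputing every later `prev` value, which is why the `teactl audit verify` report lists chain integrity and signature validity as separate checks.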

Verify Log Integrity

# Verify recent logs
teactl audit verify --since 7d

# Full verification with report
teactl audit verify --from 2024-01-01 --to 2024-03-31 --full

# Output:
# Verifying audit log integrity for my-company
# 
# Entries verified: 15,234
# Chain integrity: ✓ Valid
# Signatures: ✓ All valid (3 signing keys used)
# Gaps detected: 0
# 
# Verification completed successfully.

Signing Keys

Audit logs are signed with Ed25519 keys stored in OpenBao:

  • Keys rotated monthly by default
  • Old keys retained for verification
  • Key ceremony required for initial setup (Enterprise)

Legal Hold

Prevent deletion of logs for legal/compliance purposes:

# Set legal hold
teactl audit legal-hold set --reason "Investigation 2024-001" --until 2024-12-31

# View active holds
teactl audit legal-hold list

# Remove hold (requires admin)
teactl audit legal-hold remove --id hold_abc123

Exporting Audit Logs

Single Export

# Export last 30 days to JSON
teactl activity list --type audit --since 30d -o json > audit-30d.json

# Export as CSV
teactl activity list --type audit -o csv > audit-log.csv

Continuous Export

For compliance requirements, set up continuous export to external systems:

Webhook Integration:

Configure a webhook to receive events in real-time:

  1. Go to Organization Settings > Integrations
  2. Click “Add Webhook”
  3. Enter your endpoint URL
  4. Select event types to receive
  5. Save

Events are sent in CloudEvents format:

{
  "specversion": "1.0",
  "type": "dev.teabar.audit.member.invited",
  "source": "teabar.dev/org/acme-corp",
  "id": "evt_abc123",
  "time": "2024-03-10T14:30:00Z",
  "data": {
    // Event details
  }
}
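
As an added example (not Teabar's code) of the receiving side of this integration, the Go handler below parses the envelope shown above, rejects anything that is not a `specversion` 1.0 event with a `dev.teabar.audit.` type, and deduplicates by event `id`. That the sender may redeliver an event on timeout, and the constructed `data` object, are assumptions; how the webhook secret is checked is not described on this page, so sender authentication is left to the deployment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// CloudEvent is the envelope shown on the page. Data stays raw because its
// shape depends on the event type.
type CloudEvent struct {
	SpecVersion string          `json:"specversion"`
	Type        string          `json:"type"`
	Source      string          `json:"source"`
	ID          string          `json:"id"`
	Time        string          `json:"time"`
	Data        json.RawMessage `json:"data"`
}

// typePrefix is taken from the page's sample type "dev.teabar.audit.member.invited".
const typePrefix = "dev.teabar.audit."

// ParseCloudEvent decodes one envelope, checks the required attributes and
// returns the audit action (for example "member.invited") carried in the type.
func ParseCloudEvent(body []byte) (CloudEvent, string, error) {
	var ev CloudEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return ev, "", fmt.Errorf("invalid JSON: %w", err)
	}
	if ev.SpecVersion != "1.0" {
		return ev, "", fmt.Errorf("unsupported specversion %q", ev.SpecVersion)
	}
	if ev.ID == "" || ev.Source == "" || ev.Time == "" {
		return ev, "", errors.New("missing required CloudEvents attribute")
	}
	if !strings.HasPrefix(ev.Type, typePrefix) {
		return ev, "", fmt.Errorf("unexpected event type %q", ev.Type)
	}
	return ev, strings.TrimPrefix(ev.Type, typePrefix), nil
}

// Receiver is an http.Handler for the webhook endpoint. It deduplicates by
// event id (assumption: deliveries may be retried) and passes each new event
// to Sink. Authenticating the sender (TLS, the webhook secret) is done outside
// this snippet.
type Receiver struct {
	mu   sync.Mutex
	seen map[string]bool
	Sink func(action string, ev CloudEvent)
}

func NewReceiver(sink func(string, CloudEvent)) *Receiver {
	return &Receiver{seen: map[string]bool{}, Sink: sink}
}

// accept records id and reports whether it was new.
func (r *Receiver) accept(id string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.seen[id] {
		return false
	}
	r.seen[id] = true
	return true
}

func (r *Receiver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(io.LimitReader(req.Body, 1<<20)) // cap the body size
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	ev, action, err := ParseCloudEvent(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	if r.accept(ev.ID) && r.Sink != nil {
		r.Sink(action, ev)
	}
	w.WriteHeader(http.StatusNoContent) // acknowledge quickly; do slow work elsewhere
}

// sampleEnvelope is the page's example envelope with a constructed data object.
const sampleEnvelope = `{
  "specversion": "1.0",
  "type": "dev.teabar.audit.member.invited",
  "source": "teabar.dev/org/acme-corp",
  "id": "evt_abc123",
  "time": "2024-03-10T14:30:00Z",
  "data": {"invitee_email": "newuser@example.com", "role": "member"}
}`

func main() {
	ev, action, err := ParseCloudEvent([]byte(sampleEnvelope))
	fmt.Println(action, ev.Source, err)
	// To serve: http.ListenAndServe(":8080", NewReceiver(func(a string, e CloudEvent) { fmt.Println(a, e.ID) }))
}
```

Returning 204 after validation but before any downstream processing keeps the sender from timing out and redelivering; the `id` check then makes the occasional redelivery harmless to whatever consumes `Sink`.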

Monitoring and Alerts

Setting Up Alerts

Configure alerts for sensitive actions:

  1. Go to Organization Settings > Alerts
  2. Click “Create Alert”
  3. Select trigger conditions:
    • Action type (e.g., member.removed)
    • Actor filters
    • Frequency thresholds
  4. Choose notification method:
    • Email
    • Slack
    • Webhook
  5. Save

Common Alert Configurations

Alert                          Condition
Admin login from new IP        auth.login + admin + new IP
Multiple failed logins         auth.login_failed > 5 in 10 min
Member removal                 Any member.removed event
API key created                Any auth.token_created event
Organization settings changed  organization.settings_updated
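
The same five conditions, run over exported events rather than configured in the console, as an added example that is not part of Teabar's tooling. It reads newline-delimited JSON events with the field names of the example event above; the set of admin actor ids and the list of already-known admin IPs are operator-supplied assumptions, and the input events are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event carries the fields of the page's example audit event that the rules read.
type Event struct {
	Timestamp string `json:"timestamp"`
	Actor     struct {
		ID string `json:"id"`
	} `json:"actor"`
	Action    string `json:"action"`
	IPAddress string `json:"ip_address"`
}

// Alert is one rule hit; Rule names match the table above.
type Alert struct {
	Rule  string
	Actor string
	At    time.Time
}

// Detector keeps the per-actor state the two stateful rules need.
type Detector struct {
	admins   map[string]bool            // actor ids treated as admins (operator-supplied; assumption)
	knownIPs map[string]map[string]bool // actor id -> source IPs already seen
	failures map[string][]time.Time     // actor id -> auth.login_failed times inside the window
}

func NewDetector(admins []string, knownIPs map[string][]string) *Detector {
	d := &Detector{admins: map[string]bool{}, knownIPs: map[string]map[string]bool{}, failures: map[string][]time.Time{}}
	for _, a := range admins {
		d.admins[a] = true
	}
	for actor, ips := range knownIPs {
		d.knownIPs[actor] = map[string]bool{}
		for _, ip := range ips {
			d.knownIPs[actor][ip] = true
		}
	}
	return d
}

// Process applies the alert rules to one event and returns any alerts raised.
func (d *Detector) Process(e Event) []Alert {
	ts, err := time.Parse(time.RFC3339, e.Timestamp)
	if err != nil {
		return nil
	}
	var out []Alert
	emit := func(rule string) { out = append(out, Alert{Rule: rule, Actor: e.Actor.ID, At: ts}) }
	switch e.Action {
	case "auth.login_failed":
		// Keep only failures inside the trailing 10-minute window, then add this one.
		var recent []time.Time
		for _, t := range d.failures[e.Actor.ID] {
			if ts.Sub(t) <= 10*time.Minute {
				recent = append(recent, t)
			}
		}
		recent = append(recent, ts)
		d.failures[e.Actor.ID] = recent
		if len(recent) > 5 {
			emit("Multiple failed logins")
		}
	case "auth.login":
		if d.admins[e.Actor.ID] {
			if d.knownIPs[e.Actor.ID] == nil {
				d.knownIPs[e.Actor.ID] = map[string]bool{}
			}
			if !d.knownIPs[e.Actor.ID][e.IPAddress] {
				d.knownIPs[e.Actor.ID][e.IPAddress] = true // alert once per new IP
				emit("Admin login from new IP")
			}
		}
	case "member.removed":
		emit("Member removal")
	case "auth.token_created":
		emit("API key created")
	case "organization.settings_updated":
		emit("Organization settings changed")
	}
	return out
}

// Run feeds newline-delimited JSON events through the detector in order.
func Run(d *Detector, ndjson string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // skip malformed lines rather than abort the whole run
		}
		alerts = append(alerts, d.Process(e)...)
	}
	return alerts
}

// sampleEvents is constructed input, not real Teabar output: one admin login
// from a known IP, six failed logins by one actor in six minutes, an admin
// login from a new IP, a member removal, and a lone failed login much later.
const sampleEvents = `
{"timestamp":"2024-03-10T14:00:00Z","actor":{"id":"user_admin"},"action":"auth.login","ip_address":"203.0.113.7"}
{"timestamp":"2024-03-10T14:01:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:02:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:03:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:04:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:05:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:06:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
{"timestamp":"2024-03-10T14:20:00Z","actor":{"id":"user_admin"},"action":"auth.login","ip_address":"198.51.100.23"}
{"timestamp":"2024-03-10T14:25:00Z","actor":{"id":"user_admin"},"action":"member.removed","ip_address":"198.51.100.23"}
{"timestamp":"2024-03-10T14:30:00Z","actor":{"id":"user_bob"},"action":"auth.login_failed","ip_address":"198.51.100.9"}
`

// RunSample seeds the detector with one admin and one known admin IP and runs the sample.
func RunSample() []Alert {
	d := NewDetector([]string{"user_admin"}, map[string][]string{"user_admin": {"203.0.113.7"}})
	return Run(d, sampleEvents)
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("%s  %-30s actor=%s\n", a.At.Format(time.RFC3339), a.Rule, a.Actor)
	}
}
```

On the sample this raises exactly three alerts: the failed-login burst on the sixth failure, the admin login from 198.51.100.23, and the member removal; the final failed login at 14:30 is outside the ten-minute window and stays quiet. Feeding the output of `teactl activity list --type audit -o json` through such a loop is the manual equivalent of the console alerts and is useful when checking that an alert rule would have fired on historical data.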

Compliance Use Cases

SOC 2

Audit logs support SOC 2 compliance by providing:

  • Access logging (who accessed what)
  • Change management records
  • Security event tracking

GDPR

For data subject requests:

  • Export user activity records
  • Document data access history
  • Track data deletion events

Internal Audits

Regular audit reviews should check:

  • Unusual login patterns
  • Privilege escalations
  • Resource access patterns
  • API key usage

Best Practices

Regular Reviews

  1. Weekly - Review failed login attempts
  2. Monthly - Audit member access and roles
  3. Quarterly - Full access review

Monitoring Setup

  1. Enable alerts for critical actions
  2. Export logs to SIEM for correlation
  3. Set up dashboards for visibility

Investigation Process

When investigating incidents:

  1. Identify the timeframe
  2. Filter logs by actor or resource
  3. Build timeline of events
  4. Correlate with other sources
  5. Document findings

Troubleshooting

Missing Events

  • Check retention period
  • Verify filter criteria
  • Ensure events fall within date range

Export Failures

  • Check API key permissions
  • Verify network connectivity
  • Try smaller date ranges

Webhook Not Receiving

  • Verify endpoint URL
  • Check webhook secret
  • Review endpoint logs for errors
