Audit log
The cabinet audit log records every authenticated request hitting the CMDOP backend — REST calls, WebSocket frames, gRPC events. It is the request-level companion of the activity log.
Cabinet audit vs workspace activity log
Both logs are append-only; they cover different layers:
| Log | Granularity | Captures |
|---|---|---|
| Activity log | Admin events | Membership, billing, machine ops, schedule edits. |
| Audit log (this) | Per request | Every authenticated REST / WebSocket / gRPC request. |
Together, they answer “who did what” at the human level (activity) and “what hit the API” at the wire level (audit).
Event taxonomy
Audit events bucket into:
- auth — login, logout, token issuance, session refresh.
- machine — register, deregister, rename, retag, move workspace.
- session — open, attach, send-input, send-signal, close.
- schedule — create, update, run, cancel.
- billing — plan change, payment success / failure, top-up.
- permission change — workspace role updates, per-machine access edits.
- share-link issued — guest tokens minted from sessions or machines.
Filtering and time-travel
Filter by:
- Actor — member, API token, or system.
- Event type — see taxonomy above.
- Machine — narrow to events touching one host.
- Date range — within retention.
Search supports request IDs (handy when correlating with daemon logs).
Per-event detail
Each entry exposes:
- Request ID (UUID).
- Source IP.
- User agent.
- Payload diff (where applicable; sensitive fields redacted).
- Auth method (OAuth, API key, share link).
- Response code and duration.
Exporting
Two routes:
- Manual — CSV or JSON for the active filter view.
- Streaming — workspace webhook integration ships every event in real time. Useful for SIEM ingestion (Splunk, Datadog, Sumo).
Webhook payloads are HMAC-signed; configure the secret under Workspace settings → Integrations.
Retention
Retention varies by plan (30 days personal, up to 365 days team, custom on Enterprise). For longer retention, ship events to your own log store via the webhook integration.
The audit log is immutable. Even Owners cannot edit or delete entries. This is intentional — auditors expect it.
Where this data lives
Backed by the Django activity app and rendered by apps/my/.../dashboard/activity/.
Related
- Activity log — admin-event-shaped sibling log.
- Workspace settings — webhook integrations.
- Concepts: permissions — agent-side audit lives on the machine.