> ## Documentation Index
> Fetch the complete documentation index at: https://docs.novacula.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit log

> Who-did-what record across your organization — filterable, exportable, append-only

The **Audit log** is a who-did-what record of actions taken in your organization: nodes started or deleted, API keys created or revoked, members added or removed, sign-ins, role changes, and more. Each entry names the **actor**, the **action**, the **target** it was performed on, and when it happened. Use it for compliance reviews, security investigations, and *"who changed this?"* questions.

## Open the audit log

In the Dashboard sidebar, open **Audit log**. This page shows the organization-wide feed and is available to **Admins** and **Owners** (and platform admins).

If you're a **Member**, you don't have the sidebar link — you see the events *you* triggered under **My recent activity** on your profile page instead. See [Manage your account](/docs/account/account).

## Audit log vs other activity views

The Dashboard surfaces a few activity views that are easy to confuse:

| View                                                    | Shows                                                           | Reach for it when                     |
| ------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------- |
| **Audit log**                                           | Actor + action + target, with a timestamp                       | Compliance, security, "who did this?" |
| [Events feed](/docs/notifications/events-feed)          | Lifecycle facts about resources (a node started, sync finished) | Ops triage, "what happened, when?"    |
| [Alerts](/docs/notifications/events-feed) (coming soon) | Conditions you defined, with an open → resolved lifecycle       | Paging on-call, webhook delivery      |

## What each entry shows

| Column     | Content                                                                                                                        |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------ |
| **Time**   | When the action happened.                                                                                                      |
| **Action** | What was done — for example *Node created*, *API key revoked*, *Member added*.                                                 |
| **Actor**  | Who did it (name or email). Links to the user when known.                                                                      |
| **Target** | What it was done to — a node, executor, API key, organization, user, or invitation. Links to that item's page when applicable. |

Open any row to see its full detail panel: a one-line summary, the resolved actor and target, and any extra metadata captured with the action (for example a changed field, a role change, or an invitation's email). Sensitive values such as secrets and API-key material are never stored in an entry.

Entries are **append-only**. There is no edit, delete, or dismiss — an audit entry only ever has a creation time, never a lifecycle.

## Filter and search

Use the filter bar at the top of the log to narrow what you see. Each filter is multi-select and the URL updates as you go, so a filtered view is shareable:

* **Action** — filter by action type (the **Type** filter).
* **Actor** — pick one or more users.
* **Target** — pick one or more nodes, executors, API keys, or other targets.
* **Category** — group by domain: **Auth**, **Security**, **Organization**, **Resource**, **Failure**, **System**, **Other**.
* **Level** — **Info**, **Success**, **Warning**, or **Error**.
* **Date** — on, before, after, or a from/to range.

There's also a free-text **Search activity…** box that matches across the action, actor, target, and entry details. You can group the table by day, actor, target, category, or level, and **Load more** to page through older entries.

## Export to CSV

The full-page log has an **Export** button that downloads the currently visible rows as a CSV (file name `audit-activity-log-<timestamp>.csv`). The export columns are: `ID`, `Occurred at`, `Source`, `Type`, `Title`, `Summary`, `Category`, `Level`, `Actor kind`, `Actor ID`, `Actor label`, `Target kind`, `Target ID`, `Target label`, `Idempotency UUID`, plus the entry's metadata and detail payload as JSON.

Export is available on the full **Audit log** page only. The **My recent activity** view on your profile is a personal slice, not a compliance artefact, so it has no export.

## Who sees what

Visibility is enforced for every request:

| Role                  | Sees                                                                             |
| --------------------- | -------------------------------------------------------------------------------- |
| **Owner** / **Admin** | Every action in the organization, by any member, including each other's.         |
| **Member**            | Only the actions they performed (via **My recent activity** on their profile).   |
| **Platform admin**    | The organization feed, and can read across organizations from the admin console. |

The **My recent activity** view is always scoped to you, regardless of role, and the **Actor** column is hidden there since every entry is your own.

## What gets audited

Actions are grouped into categories. The current set:

* **Resource** — `node.created`, `node.updated`, `node.deleted`, `node.start.requested`, `node.stop.requested`, `node.restart.requested`, `executor.disabled`, `executor.deleted`, `release.created`, `release.updated`, `release.deleted`.
* **Security** — `api_key.created`, `api_key.revoked`, `user.role.changed`, `user.banned`, `user.unbanned`, `user.deleted`, `impersonation.started`, `impersonation.stopped`.
* **Organization** — `organization.created`, `organization.updated`, `organization.deleted`, `organization.member.added`, `organization.member.removed`, `organization.member.suspended`, `organization.member.restored`, `invitation.sent`, `invitation.accepted`, `invitation.revoked`.
* **Auth** — `session.signed_in`, `session.signed_out`, `user.password.changed`, `user.password.reset_requested`, `user.password.reset_completed`, `user.session.terminated`.
* **Other** — `user.registered`, `user.email.verified`.
* **Failure** — `authz.denied` (an action was blocked because the actor lacked permission).

The set grows as new actions ship. An action the Dashboard doesn't yet recognize still appears, with a generated label.

## Permissions

* **Read** the organization audit log — Owners and Admins (and platform admins).
* **Export** the audit log to CSV — same as read.
* **Read your own activity** under **My recent activity** — every signed-in user, scoped to themselves.
* No role can edit, delete, or dismiss an audit entry — the log is append-only.

## Related

* [Events feed](/docs/notifications/events-feed) — the resource-lifecycle counterpart.
* [Manage your account](/docs/account/account) — where to find your **My recent activity** feed.
* [Roles and permissions](/docs/platform/roles-and-permissions) — how each role's reach is defined.
