Audit Log

Every state-changing action in Vygl produces an audit-log entry. Triage decisions, member invites, role changes, integration setup, custom rule edits, scan submissions, API key creation — all logged with the actor, timestamp, target resource, HTTP context, and a structured event payload. Useful for compliance reviews, post-incident reconstruction, and detecting abuse.

What’s recorded

Each entry includes:

Field	Example
action	finding.status_change, member.invite, integration.create
actor (user or API key)	The user ID or key prefix
auth_type	jwt, api_key, mcp
resource_type / resource_id	The thing being mutated (finding, member, rule, …)
org_id	Always present — every entry is org-scoped
ip_address	The request IP
user_agent	The client that made the request
http_method / http_path / status_code	Full request context
details	Structured JSON specific to the action (old value, new value, reason, …)
created_at	UTC timestamp

Vygl ships with 200+ distinct action types covering auth, organizations, members, projects, scans, findings, rules, integrations, memory, and admin actions.

Querying

The audit log is admin-only. Filters:

• Action category — auth.*, finding.*, scan.*, project.*, org.*, rule.*, integration.*, memory.*, admin.*
• Actor — by user ID or API key prefix
• Date range
• Path / method — useful for tracking specific endpoints
• Status code — 4xx / 5xx for failure analysis

For org admins, the audit log surfaces in Settings → Audit Log. Superadmins have access to a broader view across all orgs.

Append-only by design

Audit entries are append-only — there’s no API to edit or delete them. This is intentional: the audit log’s value as a compliance artifact comes from immutability. To remove an entry, ops would need direct database access plus a paper trail.

Common queries

Who marked these findings false-positive?

Filter action = finding.status_change, group by actor, look for spikes. False-positive abuse — a user mass-marking findings FP to silence them — is trivially detectable from this query.

Did this API key do anything unexpected?

Filter by the key’s prefix in actor. The full request history of a key is reconstructable from the log.

Who set up the Slack integration?

Filter action = integration.create, details.provider = slack.

Retention

Audit entries are retained indefinitely — there’s no automated pruning. Retention is implemented as “the row is never deleted”, not as a scheduled archive policy.

Don't put secrets in audit details

The details JSONB blob stores structured metadata about each action — old/new values, reasons, etc. Sensitive payloads (API keys, password reset tokens, raw secrets) are explicitly excluded; if you spot one in the log, report it as a bug.

External SIEM forwarding

Vygl doesn’t currently push audit entries to external SIEMs (Splunk, Datadog, etc.) automatically. Customers needing centralized log aggregation should query the audit endpoint on a schedule and ship the results themselves. Native forwarding is on the roadmap.