Audit Logging
TwinEdge Enterprise provides comprehensive audit logging for compliance, security, and operational visibility.
Full audit logging and export capabilities are available on Enterprise plans. Professional plans include basic activity logs.
Overview
Audit logs capture:
- User actions: Login, data access, configuration changes
- System events: API calls, service events, alerts
- Security events: Authentication failures, permission changes
- Data access: Who accessed what data, when
Viewing Audit Logs
Audit Log Dashboard
- Go to Settings → Audit Log
- View recent events in timeline
- Use filters to narrow results
Log Entry Details
Each log entry includes:
{
  "id": "log-123456",
  "timestamp": "2026-01-06T10:30:00Z",
  "actor": {
    "id": "user-789",
    "email": "john@company.com",
    "type": "user"
  },
  "action": "dashboard.update",
  "resource": {
    "type": "dashboard",
    "id": "dash-456",
    "name": "Production Overview"
  },
  "result": "success",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0...",
  "changes": {
    "before": {"name": "Overview"},
    "after": {"name": "Production Overview"}
  }
}
Event Categories
Authentication Events
| Event | Description |
|---|---|
| auth.login | User logged in |
| auth.logout | User logged out |
| auth.login_failed | Failed login attempt |
| auth.password_reset | Password reset requested |
| auth.mfa_enabled | MFA enabled |
| auth.sso_login | SSO authentication |
User Management Events
| Event | Description |
|---|---|
| user.created | New user created |
| user.updated | User profile updated |
| user.deleted | User deleted |
| user.role_changed | User role modified |
| user.invited | User invitation sent |
Data Access Events
| Event | Description |
|---|---|
| data.query | Data query executed |
| data.export | Data exported |
| data.view | Dashboard/report viewed |
| data.download | File downloaded |
Configuration Events
| Event | Description |
|---|---|
| datasource.created | Data source added |
| datasource.updated | Data source modified |
| datasource.deleted | Data source removed |
| dashboard.created | Dashboard created |
| dashboard.updated | Dashboard modified |
| dashboard.deleted | Dashboard deleted |
| alert.created | Alert rule created |
| alert.updated | Alert rule modified |
| alert.deleted | Alert rule deleted |
Security Events
| Event | Description |
|---|---|
| apikey.created | API key generated |
| apikey.revoked | API key revoked |
| role.created | Custom role created |
| role.updated | Role permissions changed |
| permission.changed | User permissions modified |
Fleet & OTA Events
| Event | Description |
|---|---|
| device.registered | Device registered |
| device.command | Command sent to device |
| ota.deployment_created | OTA deployment started |
| ota.deployment_completed | OTA deployment finished |
| ota.rollback | Rollback initiated |
Filtering & Search
Basic Filters
| Filter | Options |
|---|---|
| Time Range | Last hour, 24h, 7d, 30d, custom |
| Actor | Specific user or "System" |
| Action | Event type |
| Result | Success, failure, error |
| Resource Type | Dashboard, data source, user, etc. |
Advanced Search
Use query syntax for complex searches:
actor.email:john@company.com AND action:dashboard.* AND result:success
resource.type:datasource AND timestamp:[2026-01-01 TO 2026-01-31]
ip_address:192.168.1.* AND action:auth.login_failed
Saved Searches
Save frequently used searches:
- Configure filters
- Click Save Search
- Name the search
- Access from Saved Searches dropdown
Export & Integration
Manual Export
Export audit logs for analysis:
- Configure filters
- Click Export
- Choose format:
  - CSV: For spreadsheets
  - JSON: For programmatic processing
  - PDF: For reports
- Download file
Scheduled Exports
Automate audit log exports:
- Go to Settings → Audit Log → Scheduled Exports
- Click Create Schedule
- Configure:
  - Frequency: Daily, weekly, monthly
  - Format: CSV, JSON
  - Destination: Email, S3, SFTP
- Save schedule
SIEM Integration
Forward audit logs to your SIEM:
Splunk
splunk:
  enabled: true
  hec_url: https://splunk.company.com:8088
  hec_token: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  index: twinedge_audit
  source_type: twinedge:audit
Elastic/ELK
elasticsearch:
  enabled: true
  hosts:
    - https://elastic.company.com:9200
  index: twinedge-audit
  api_key: xxxxxxxxxxxxxxxxxx
Generic Webhook
webhook:
  enabled: true
  url: https://your-siem.com/api/events
  headers:
    Authorization: Bearer YOUR_TOKEN
  batch_size: 100
  flush_interval_seconds: 60
API Access
Query audit logs programmatically:
GET /api/v1/audit/logs?
start=2026-01-01T00:00:00Z&
end=2026-01-07T00:00:00Z&
action=auth.*&
limit=100
Authorization: Bearer YOUR_API_KEY
Response:
{
  "data": [
    {
      "id": "log-123",
      "timestamp": "2026-01-06T10:30:00Z",
      "actor": {...},
      "action": "auth.login",
      "result": "success"
    }
  ],
  "meta": {
    "total": 1500,
    "page": 1,
    "per_page": 100
  }
}
Retention & Compliance
Retention Periods
| Tier | Retention |
|---|---|
| Professional | 90 days |
| Enterprise | 1 year (configurable) |
Extended Retention
Enterprise customers can configure:
- Standard: 1 year
- Extended: 3 years
- Compliance: 7 years
Additional storage fees may apply.
Compliance Standards
Audit logging helps with:
| Standard | How TwinEdge Helps |
|---|---|
| SOC 2 | Complete access logging |
| ISO 27001 | Security event tracking |
| GDPR | Data access records |
| HIPAA | PHI access logging |
| FDA 21 CFR Part 11 | Electronic signatures |
Immutability
Audit logs are:
- Write-once (cannot be modified)
- Cryptographically signed
- Stored in tamper-evident format
- Backed up to separate storage
Alerts on Audit Events
Security Alerts
Configure alerts for suspicious activity:
- Go to Settings → Audit Log → Alerts
- Create alert rules:
Multiple Failed Logins:
{
  "name": "Brute Force Detection",
  "condition": "auth.login_failed > 5 in 10 minutes",
  "group_by": "actor.email",
  "severity": "critical",
  "notify": ["security@company.com"]
}
Unusual Data Export:
{
  "name": "Large Data Export",
  "condition": "data.export AND metadata.row_count > 100000",
  "severity": "warning",
  "notify": ["compliance@company.com"]
}
Admin Actions:
{
  "name": "Admin Activity",
  "condition": "action:role.* OR action:user.deleted",
  "severity": "info",
  "notify": ["admin@company.com"]
}
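The three rule conditions above can also be checked offline against a JSON export, for example to tune a threshold before enabling a rule. This is an added example, not TwinEdge code: the sample entries are constructed, the function names are hypothetical, and the location of `metadata.row_count` inside an exported entry is assumed from the rule condition.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatch

def _e(ts, action, email, result="success", **metadata):
    # Constructed entry in the shape of the log entry shown on this page.
    return {"timestamp": ts, "action": action, "result": result,
            "actor": {"email": email, "type": "user"}, "metadata": metadata}

SAMPLE = (  # constructed sample export, not real data
    # Six failures inside five minutes: exceeds "> 5 in 10 minutes".
    [_e(f"2026-01-06T10:0{i}:00Z", "auth.login_failed", "john@company.com", "failure")
     for i in range(6)]
    # Six failures six minutes apart: never more than two in any 10-minute window.
    + [_e(f"2026-01-06T11:{6 * i:02d}:00Z", "auth.login_failed", "alice@company.com", "failure")
       for i in range(6)]
    + [_e("2026-01-06T12:00:00Z", "role.updated", "admin@company.com"),
       _e("2026-01-06T12:01:00Z", "user.updated", "admin@company.com"),
       _e("2026-01-06T12:02:00Z", "user.deleted", "admin@company.com"),
       _e("2026-01-06T12:03:00Z", "data.export", "john@company.com", row_count=250000),
       _e("2026-01-06T12:04:00Z", "data.export", "alice@company.com", row_count=500)]
)

def _ts(entry):
    # fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def brute_force(entries, threshold=5, window=timedelta(minutes=10)):
    """Map actor.email to the timestamp of the failure that first exceeded the threshold."""
    recent, hits = defaultdict(deque), {}
    for e in sorted(entries, key=_ts):      # exports are not assumed to be ordered
        if e["action"] != "auth.login_failed":
            continue
        email = e["actor"]["email"]
        q = recent[email]
        q.append(_ts(e))
        while q[-1] - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold:
            hits.setdefault(email, e["timestamp"])
    return hits

def admin_activity(entries):
    """Entries matching 'action:role.* OR action:user.deleted'."""
    return [e for e in entries
            if fnmatch(e["action"], "role.*") or e["action"] == "user.deleted"]

def large_exports(entries, limit=100000):
    """data.export entries whose metadata.row_count is above the limit."""
    return [e for e in entries if e["action"] == "data.export"
            and e.get("metadata", {}).get("row_count", 0) > limit]
```
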
Real-time Notifications
Receive alerts via:
- Slack
- Microsoft Teams
- PagerDuty
- Custom webhook
Best Practices
Security Monitoring
- Monitor failed logins: Alert on brute force attempts
- Track admin actions: Review all elevated privilege usage
- Watch data exports: Monitor for unusual data access
- Review API key usage: Track automated access patterns
Compliance Auditing
- Regular reviews: Weekly review of security events
- Access reviews: Monthly review of data access patterns
- Change tracking: Document all configuration changes
- Retention management: Ensure logs meet compliance requirements
Operational Visibility
- Track deployments: Monitor OTA and configuration changes
- User activity: Understand usage patterns
- Error tracking: Identify recurring issues
- Performance insights: Correlate with system metrics
Troubleshooting
Missing Logs
If expected logs aren't appearing:
- Check time range filter
- Verify event category is logged
- Check for indexing delays (up to 5 min)
- Contact support if the problem persists
Export Failures
If exports fail:
- Check destination connectivity
- Verify credentials/permissions
- Check export size limits
- Review error messages
SIEM Integration Issues
If SIEM isn't receiving logs:
- Verify endpoint URL
- Check authentication
- Test with curl/Postman
- Review firewall rules
API Reference
Query Audit Logs
GET /api/v1/audit/logs
Authorization: Bearer YOUR_API_KEY
Query Parameters:
- start: ISO8601 timestamp
- end: ISO8601 timestamp
- actor: User ID or email
- action: Event type pattern
- resource_type: Resource type
- result: success|failure
- limit: Max results (default 100)
- offset: Pagination offset
Get Log Entry
GET /api/v1/audit/logs/{id}
Authorization: Bearer YOUR_API_KEY
Export Logs
POST /api/v1/audit/logs/export
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
{
  "start": "2026-01-01T00:00:00Z",
  "end": "2026-01-31T23:59:59Z",
  "format": "csv",
  "filters": {
    "action": "auth.*"
  }
}
Next Steps
- SSO Configuration - Authentication logging
- RBAC & Permissions - Permission change tracking
- Multi-Region - Regional data compliance