Audit Log
The Audit Log (/audit-log) is the system-wide record of every operator action that mutated state in a monitored service. Pause a listener, replay a DLQ batch, hard-delete a tenant — it lands here, signed with the operator's identity and the parameters of the action.
This is the page you open when production is acting weird and you need to know who did what, when.
Filters
The filter row at the top of the page narrows the table to a subset of entries.
| Filter | Effect |
|---|---|
| All Services dropdown | Restrict to actions targeting one service |
| All Actions dropdown | Restrict to one action type (e.g. HardDeleteTenant) |
| Search | Free-text search against details, target URI, action name, and service name |
Service and Action filters re-fetch from the server (the search box filters the already-loaded page in-memory). Filters do not persist across reloads.
Table
| Column | Meaning |
|---|---|
| Timestamp | Relative time (e.g. 12m ago) — tooltip shows the absolute timestamp |
| Action | Action type, rendered as a colored badge (see badge-colour mapping below) |
| Service | The service the action targeted |
| Target | Optional target URI (endpoint URI, projection shard, tenant id, etc.) |
| Details | Free-form description |
| Parameters | "Show (N)" button if the action carried structured parameters; click to expand a key=value list under the row |
| User | Initiated-by identity |
Action Categories
Every action belongs to one of six categories, used for badge colouring and quick filtering by intent:
| Category | Actions in this category | Badge colour |
|---|---|---|
dlq | ReplayDlq, DiscardDlq | Orange |
listener | PauseListener, RestartListener | Blue |
projection | RebuildProjection, RewindSubscription | Purple |
alert | ClearAlert | Green |
tenant | AddTenant, RemoveTenant, HardDeleteTenant, DisableTenant, EnableTenant | Teal |
config | EditScheduledMessage, UpdateEndpointConfig, PushAgentThresholds, others | Grey |
The mapping lives in src/FrontEnd/src/composables/useAuditLog.ts (actionCategory() and actionBadgeColor()).
HardDeleteTenant Entries
The new HardDeleteTenant action type is logged with extra parameters captured at the moment of confirmation:
| Parameter | Meaning |
|---|---|
tenantId | The exact tenant id the operator typed |
databaseUri | The database that was dropped |
confirmedAt | Wall-clock time of the typed-id confirmation |
Click "Show (3)" on a HardDeleteTenant row to expand these. Audit entries for hard deletes are intentionally verbose because the action is irreversible; the parameters block lets you reconstruct the exact state at the moment of click.
Pagination
Bottom of the page. Page sizes 25 / 50 / 100. Server-side cap is 500 entries per fetch — the audit log is intended for recent forensic work, not long-term archival. For longer retention, configure the AuditLogRetentionDays value in Settings → Data Retention (default: 30 days).
Auto-Refresh
The "Auto-Refresh Off" / "Auto-Refresh On" toggle in the header polls every 10 seconds when enabled. Auto-refresh is off by default — the audit log doesn't change frequently and the display would jitter on every poll. Turn it on if you're following a coordinated incident in real time.
Refresh
Manual refresh button next to the auto-refresh toggle. Re-fetches with the current filters applied.
API
The audit table is backed by GET /api/critterwatch/audit-log with optional ?service= and ?action= query parameters. Operators with shell access can query the same data directly with curl for offline analysis or scripted exports. The default fetch limit is 500 rows.