Audit Logging
SyVault records every significant action within your organization in a tamper-evident audit log. The audit log provides visibility into who did what, when, and from where -- without ever exposing plaintext vault data.
What Is Logged
Every auditable event is captured with a structured record. The following action types are tracked:
Authentication Events
| Action | Description |
|---|---|
user.login | Successful login |
user.login.failed | Failed login attempt (wrong password, expired 2FA, etc.) |
user.logout | User-initiated logout |
user.2fa.enable | Two-factor authentication enabled |
user.2fa.disable | Two-factor authentication disabled |
Vault Events
| Action | Description |
|---|---|
record.create | New record created |
record.update | Existing record modified |
record.delete | Record deleted |
record.view | Record decrypted and viewed (Business/Enterprise only) |
vault.export | Vault data exported |
Sharing Events
| Action | Description |
|---|---|
share.create | One-time share link created |
share.access | One-time share link accessed by recipient |
share.expire | Share link expired or was revoked |
Organization Events
| Action | Description |
|---|---|
member.invite | Invitation sent to a new member |
member.accept | Member accepted an invitation |
member.remove | Member removed from organization |
member.role.update | Member's role changed |
team.create | New team created |
team.update | Team membership or settings changed |
team.delete | Team deleted |
policy.update | Enforcement policy changed |
sso.configure | SSO settings updated |
scim.token.generate | SCIM provisioning token generated |
Log Entry Structure
Every audit log entry contains the following fields:
{
"id": "evt_8f3a1b2c4d5e6f70",
"timestamp": "2026-04-06T14:32:01.847Z",
"action": "record.update",
"actor": {
"user_id": "usr_a1b2c3d4e5f6",
"email": "alice@acme.com"
},
"target_type": "record",
"target_id": "rec_9g8h7i6j5k4l",
"ip_address": "203.0.113.42",
"user_agent": "SyVault/2.4.1 (Chrome Extension)",
"org_id": "org_m3n4o5p6q7r8"
}
Audit logs never contain plaintext record data. The target_id identifies which record was affected, but the record's contents remain encrypted and inaccessible to anyone without the appropriate decryption keys.
Viewing Audit Logs
Navigate to Admin Console > Audit Log to access the log viewer. The interface supports:
- Date range filtering -- select a start and end date to narrow results.
- Action type filtering -- filter by one or more action types (e.g., show only
user.login.failedevents). - Actor filtering -- search by user email or ID to see all actions performed by a specific member.
- Target filtering -- search by target ID to see all events related to a specific record, team, or policy.
- Free-text search -- search across all fields.
Results are displayed in reverse chronological order with pagination (50 events per page).
Retention
Audit logs are retained for 90 days on all plans that include audit logging (Business and Enterprise). After 90 days, log entries are permanently deleted.
For retention beyond 90 days, export your logs regularly or configure a SIEM integration to stream events in real time to your own infrastructure where you control the retention policy.
Exporting Logs
Click Export in the Audit Log tab to download log entries as CSV or JSON. You can apply filters before exporting to limit the data to the relevant time range and event types. Exports include all fields shown in the log entry structure above.