Audit Log

A complete, tamper-evident record of who changed what, and when. Every mutating request — and every sensitive read of financial or personal data — is logged with the acting user, the entity touched, field-level before/after changes, the outcome, and where it came from. Entries are hash-chained for tamper detection and stored for fast querying, making the audit log the backbone of compliance, discrepancy investigations, and client transparency.

Key capabilities

  • Automatic logging of every change (create, update, delete) plus sensitive reads (financials, PII, admin)
  • Rich actor attribution: user, email, advisory firm, session, auth method, and API token (when used)
  • Field-level before/after change tracking on updates
  • Pre-computed display values (e.g. "created Invoice #INV-001 for Acme Corp") so the feed renders without extra lookups
  • Action, entity-type, user, and outcome filters plus full-text search and a date range
  • Entity history ("who touched this invoice?") and per-user activity views
  • Daily summaries aggregating activity by user, action, and success/failure
  • AI anomaly analysis for unusual patterns and segregation-of-duties concerns
  • Hash chain (entry hash + previous hash + sequence number) for tamper detection
  • Data-classification tagging (financial, PII, confidential, restricted, …) driving compliance filtering and retention
  • Anomaly alerts for unusual locations, mass deletions, failed-auth spikes, VPN/Tor, and permission changes
  • GDPR support: subject-access export of a user's audit trail in JSON and CSV

How it works

DayZero captures every qualifying request, enriches it with actor and entity details (including before/after changes), hash-chains the entry, and writes it to the audit store, which the activity feed, entity history and AI analysis all read from.

flowchart TD
  req["Mutating / sensitive request"] --> mw["Audit capture"]
  mw --> enrich["Enrich: actor, entity, before/after changes"]
  enrich --> chain["Hash chain (entry + previous + sequence)"]
  chain --> logger["Audit logger"]
  logger --> store["Audit store"]
  store --> feed["Activity feed / entity history / AI analysis"]

How to use it

  1. Open Settings → Audit Log (/settings?section=audit-log) to see recent activity (defaulting to the last 30 days).
  2. Narrow with the Action, Entity type, User, and Outcome filters, the date range, or full-text search.
  3. Expand any entry to see the full before/after detail of exactly what changed.
  4. From a record's detail view, use its history to see everyone who touched that specific entity.
  5. Run the AI analysis to surface unusual patterns and segregation-of-duties concerns across the log.
  6. For compliance or a data-subject request, export a user's audit trail (JSON or CSV).

Pro tips

  • Investigate discrepancies fast by combining a tight date range with an entity type and outcome = failure to isolate what went wrong.
  • After teammates make bulk changes, scan the log to confirm everything applied — and that nothing failed silently.
  • Use entity history before reversing an entry so you understand who created and edited it and why.
  • The hash chain means the log is tamper-evident — treat a chain-verification failure as a security signal, not a glitch.
  • Watch the anomaly alerts (mass deletion, failed-auth spikes, VPN/Tor) as an early-warning system for account compromise.

In-depth guide

What gets logged

  • Every change is logged automatically.
  • Sensitive reads (financial data, PII, admin pages) are logged too.
  • Entity display details are captured so the feed reads naturally without follow-up queries.

Actions

Actions are grouped by category:

Group          Actions
CRUD           create, read, update, delete, list, view, search, download
Bulk / IO      bulk_create, bulk_update, bulk_delete, import, export
Business       approve, reject, submit, cancel, void, archive, restore, send
Financial      reconcile, post, reverse, sync, refund
Auth           login, logout, login_failed, password_change, mfa_enable, token_create, token_revoke, …
Admin          impersonate, settings_change, permission_grant, permission_revoke
Integration    connect, disconnect, webhook_received, api_call
Compliance     data_export, data_delete, consent_grant, consent_revoke

Outcomes

Outcome          Meaning
success          Action completed
failure / error  Action failed
partial          Mixed results (batch)
denied           Permission denied
skipped          No-op / nothing to do
rate_limited     Rate limit exceeded
suspicious       Flagged as potentially suspicious

Data classification & retention

Each entity type is auto-classified by sensitivity, which drives compliance filtering and retention policy:

Classification   Examples
financial        Transactions, invoices, bills, payments, reconciliations, fixed assets
pii              Customers, vendors, users
confidential     Business settings, advisory firms, bank/Stripe connections
restricted       API tokens
internal         Products, tags, tasks

Hash chain (tamper detection)

Each entry carries three integrity fields:

  • Entry hash: a SHA-256 of the entry's content.
  • Previous hash: the hash of the entry before it.
  • Sequence number: a monotonic counter.

Together these form a tamper-evident chain: verification walks the entries in sequence order, recomputes each entry hash, and confirms that every previous-hash link matches and that no sequence number is missing, so a silent edit or deletion in the middle of the log is detectable. One general property of hash chains is worth knowing when you run a verification: the chain by itself cannot show that the newest entries were truncated, or rewritten from some point onward with freshly computed hashes, because the result is still a consistent chain. Comparing the current head hash against a copy kept outside the audit store closes that gap, so a verification should also confirm the latest hash against such a copy.
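The chain construction and verification described above, as an added example rather than DayZero's own code: each entry hash is a SHA-256 over the sequence number, the previous hash and a canonical JSON serialisation of the entry content. The genesis hash of 64 zeros, the field names, the `|` separators and the three sample entries are all assumptions made for the example, not details taken from the page. The optional anchored head shows the caveat from the previous paragraph: a truncated or rewritten tail verifies cleanly unless the head hash is checked against a copy held elsewhere.

```python
import hashlib
import json
from typing import Optional, Tuple

# Assumed convention for the previous_hash of the very first entry.
GENESIS_HASH = "0" * 64


def canonical(content: dict) -> bytes:
    """Deterministic JSON so the same entry always produces the same hash."""
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(sequence: int, previous_hash: str, content: dict) -> str:
    """SHA-256 over the sequence number, the previous hash and the canonical content."""
    h = hashlib.sha256()
    h.update(f"{sequence}|{previous_hash}|".encode("utf-8"))
    h.update(canonical(content))
    return h.hexdigest()


def append_entry(chain: list, content: dict) -> dict:
    """Append `content` as the next link; the previous entry's hash is folded into this one."""
    sequence = chain[-1]["sequence"] + 1 if chain else 1
    previous_hash = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    entry = {"sequence": sequence, "previous_hash": previous_hash, "content": content}
    entry["entry_hash"] = entry_hash(sequence, previous_hash, content)
    chain.append(entry)
    return entry


def verify_chain(chain: list, anchored_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain in order and report the first break.

    Detects: a modified entry (hash mismatch), a removed or reordered entry
    (sequence gap / broken link) and, only when `anchored_head` is supplied,
    a truncated or rewritten tail (head mismatch).
    """
    previous_hash = GENESIS_HASH
    expected_sequence = 1
    for entry in chain:
        seq = entry["sequence"]
        if seq != expected_sequence:
            return False, f"sequence gap: expected {expected_sequence}, found {seq}"
        if entry["previous_hash"] != previous_hash:
            return False, f"broken link at sequence {seq}"
        if entry_hash(seq, entry["previous_hash"], entry["content"]) != entry["entry_hash"]:
            return False, f"content of sequence {seq} was modified"
        previous_hash = entry["entry_hash"]
        expected_sequence = seq + 1
    if anchored_head is not None and previous_hash != anchored_head:
        return False, "head does not match anchored copy (tail truncated or rewritten)"
    return True, "chain intact"


def build_sample_chain() -> list:
    """Three constructed entries in the shape the page describes (actor, action, entity, changes, outcome)."""
    chain = []
    append_entry(chain, {"user": "alice@example.com", "action": "create",
                         "entity_type": "invoice", "entity_id": "INV-001", "outcome": "success"})
    append_entry(chain, {"user": "bob@example.com", "action": "update",
                         "entity_type": "invoice", "entity_id": "INV-001",
                         "changes": {"amount": {"before": 1200, "after": 1250}}, "outcome": "success"})
    append_entry(chain, {"user": "bob@example.com", "action": "delete",
                         "entity_type": "invoice", "entity_id": "INV-001", "outcome": "denied"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["entry_hash"]          # the copy you would keep outside the store
    print(verify_chain(chain, head))
    chain[1]["content"]["changes"]["amount"]["after"] = 12500   # a silent edit of entry 2
    print(verify_chain(chain, head))
```

The head hash returned by the last `append_entry` is what you would publish to a second system (or write to a separate append-only log) after every batch; a verification that ends with a matching anchored head rules out the tail rewrite that an unanchored walk cannot see.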

Storage & resilience

  • Durable: entries are stored for high-throughput writes and fast querying.
  • Tamper-safe: writes to the hash chain are serialised so concurrent requests cannot interleave and corrupt the previous-hash / sequence linkage.
  • Reliable: failed writes are retried, and if the audit store is briefly unreachable the system continues. Auditing never fails a user request; the trade-off of this fail-open design is that a write which exhausts its retries is lost rather than blocking the user, which is why chain verification checks for sequence gaps as well as hash mismatches.

Anomaly alerts

DayZero runs detection over the log and dispatches alerts for:

  • Unusual access locations
  • Bulk operations / mass deletion
  • Failed-authentication spikes
  • VPN/Tor usage
  • Permission escalation
  • Sensitive-data access

Alerts carry a severity from informational up to critical.
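To make the alert categories above concrete, here is an added example of detection logic run over a handful of constructed audit entries; it is not DayZero's detector, and the thresholds, window sizes, field names and severities are assumptions chosen for the example. It covers three of the listed categories: a failed-authentication spike (many `login_failed` entries from one IP inside a short window), mass deletion (many `delete` entries by one user inside a window) and permission escalation (a `permission_grant` of a privileged role). The same sliding-window helper serves any burst-style rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical thresholds; the page does not document DayZero's actual values.
FAILED_AUTH_THRESHOLD, FAILED_AUTH_WINDOW = 5, timedelta(minutes=5)
MASS_DELETE_THRESHOLD, MASS_DELETE_WINDOW = 10, timedelta(minutes=10)
PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names carried by a permission_grant entry

BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _t(seconds: int) -> datetime:
    return BASE + timedelta(seconds=seconds)


def _entry(ts, user, ip, action, entity_type, outcome="success", **extra) -> dict:
    e = {"ts": ts, "user": user, "ip": ip, "action": action,
         "entity_type": entity_type, "outcome": outcome}
    e.update(extra)
    return e


# Constructed sample log: a credential-stuffing burst, a normal login, a bulk
# wipe of invoices by one user, a few routine deletions, and an admin grant.
SAMPLE_ENTRIES = (
    [_entry(_t(10 * i), "unknown", "203.0.113.7", "login_failed", "user", "failure") for i in range(6)]
    + [_entry(_t(300), "alice@example.com", "198.51.100.4", "login", "user")]
    + [_entry(_t(3600 + 30 * i), "mallory@example.com", "198.51.100.9", "delete", "invoice") for i in range(12)]
    + [_entry(_t(7200 + 60 * i), "bob@example.com", "198.51.100.5", "delete", "task") for i in range(3)]
    + [_entry(_t(9000), "alice@example.com", "198.51.100.4", "permission_grant", "user",
              target="carol@example.com", role="admin")]
)


def max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def burst_alerts(entries, kind, predicate, key, threshold, window, severity):
    """Group matching entries by `key` and alert on any group that bursts past `threshold` within `window`."""
    groups = defaultdict(list)
    for e in entries:
        if predicate(e):
            groups[key(e)].append(e["ts"])
    return [{"kind": kind, "severity": severity, "key": k, "count": n}
            for k, times in groups.items()
            if (n := max_in_window(times, window)) >= threshold]


def detect_anomalies(entries) -> list:
    alerts = burst_alerts(entries, "failed_auth_spike",
                          lambda e: e["action"] == "login_failed", lambda e: e["ip"],
                          FAILED_AUTH_THRESHOLD, FAILED_AUTH_WINDOW, "high")
    alerts += burst_alerts(entries, "mass_deletion",
                           lambda e: e["action"] in ("delete", "bulk_delete"), lambda e: e["user"],
                           MASS_DELETE_THRESHOLD, MASS_DELETE_WINDOW, "critical")
    # Permission escalation is a per-event rule: one privileged grant is enough.
    alerts += [{"kind": "permission_escalation", "severity": "high",
                "key": f'{e["user"]} -> {e["target"]}', "count": 1}
               for e in entries
               if e["action"] == "permission_grant" and e.get("role") in PRIVILEGED_ROLES]
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_ENTRIES):
        print(alert)
```

Keying the failed-auth rule by source IP and the deletion rule by acting user mirrors how the two attacks look in practice: password spraying comes from one address against many accounts, while a destructive insider or a hijacked session acts as one user. Bob's three task deletions stay below threshold and produce nothing, which is the behaviour you want so that routine clean-up does not drown the critical alert.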

GDPR / compliance

A subject-access export collects all audit entries for a given user in both JSON and CSV, supporting data-subject access requests and "right to be forgotten" audit trails.

Start free and get a tamper-evident audit trail on everything.