Audit logging
What Scrydon records, how it's stored, who can read it, and how long it lives.
Every sensitive operation in Scrydon produces an immutable audit event. The audit log is the source of record for compliance, incident response, and forensic analysis.
What gets logged
The audit log captures every operation that mutates or reads sensitive state. The action namespace is structured:
SECRET_* Secrets vault — create, update, delete, access
PROVIDER_* Integration provider — create, update, delete, test
RESOURCE_* Generic resources — create, update, delete, access
AUTH_* Authentication events — sign-in, sign-out, failed attempts
EXECUTION_GRANT_* Workflow execution grants — create, bind, expire, revoke
SCIM_* SCIM provisioning — user / group create, update, deactivate
INTEGRATION_* Integration lifecycle — install, uninstall, enable, disable
SECRET_STRATEGY_* Key strategy changes (LOCAL → BYOK → HYOK)
LICENSE_* License application and renewal eventsEach event carries:
| Field | Purpose |
|---|---|
id | Stable event ID |
action | The action namespace token (e.g. SECRET_ACCESS) |
resourceType | The kind of resource affected (secret, workflow, kb_document, …) |
resourceId | The specific resource ID |
actorId | The user or service that performed the action |
organizationId | The organisation scope |
metadata | A structured payload with action-specific context (always redacted of values) |
ipAddress | Caller IP — configurable, captured by default |
userAgent | Caller user-agent — configurable, captured by default |
createdAt | ISO 8601 timestamp |
Example: secret access event
{
"id": "aud_abc123",
"action": "SECRET_ACCESS",
"resourceType": "secret",
"resourceId": "sec_xyz789",
"actorId": "usr_456",
"organizationId": "org_001",
"metadata": {
"secretName": "OPENAI_API_KEY",
"strategy": "LOCAL"
},
"ipAddress": "10.0.1.42",
"userAgent": "Mozilla/5.0...",
"createdAt": "2026-03-16T10:30:00Z"
}The metadata block carries the secret name and strategy but never the value. Same rule for every action type.
Who can read the audit log
| Role | Can view |
|---|---|
| Org owner | Full audit log for the organisation |
| Org admin | Full audit log for the organisation |
| Workspace owner / admin | Workspace-scoped events only |
| Workspace member | Their own events only |
The audit-log UI is at Settings → Platform → Audit logs. Filter by resourceType, action, actorId, or date range; export to CSV / JSON.
Forwarding to your SIEM
The audit log can be forwarded to your SIEM (Splunk, Sumo Logic, Datadog, Elastic, Microsoft Sentinel) via the SIEM forwarder integration. Once configured, every audit event is also published to your SIEM's ingestion endpoint within seconds. See Deployment → Operations → SIEM forwarding.
Retention
| Setting | Default |
|---|---|
| Retention period | 365 days |
| Immutable storage | Yes — events are append-only |
| Tamper detection | Per-event hash chain |
Some compliance frameworks require longer retention (SOC 2 generally accepts 365 days; some financial-services regulators require 7 years). Retention is configurable per organisation under Settings → Platform → Audit logs → Retention.
Increasing retention is allowed at any time. Decreasing retention requires org-owner approval and only takes effect for new events — existing events are not retroactively deleted.
What's never in the log
The audit log captures that an action happened and who did it, not the data the action operated on. Specifically:
- Secret values are never logged. Secret names, IDs, and strategies are.
- Knowledge-base document content is never logged. Document IDs, classifications, and access events are.
- Workflow input and output payloads are never logged. Workflow IDs, durations, and outcomes are.
- LLM prompt content is never logged. Token counts, model IDs, cost, and the integration source are.
This separation lets the audit log be exposed to compliance auditors without also exposing the underlying data.
Related
- Permission model — who can view audit events.
- Secrets management — what every
SECRET_*event means. - Compliance — framework-specific retention and event requirements.