Read your audit log

Last updated: May 19, 2026

The audit log tracks every meaningful action in your workspace: logins, role changes, member invites, impersonation, API key creation, settings changes, campaign actions. View at Settings → Team → Audit Log. Filter by date, action, user, or resource. Export to CSV. Retention depends on your plan.

Who is this for

Admins running monthly security reviews, owners investigating an incident, compliance officers preparing for an audit, anyone diagnosing "who changed what when".

What gets logged

The audit log captures actions on:

  • Authentication: login (success/failure), 2FA verified, password change, session revoked

  • Team management: invite, accept invite, role change, member remove, deactivate, ownership transfer

  • Impersonation: impersonate start / stop, with both impersonator and target IDs

  • API keys: create, revoke, rate-limit hit

  • Integrations: ad platform connect / disconnect, OAuth token refresh failure

  • Campaigns: launch, edit, pause, resume, archive, delete

  • Creatives: upload, AI generation, delete

  • Rules: create, edit, activate, deactivate, fire (significant events)

  • Billing: plan change, payment method update, cancellation, refund

  • Settings: Workspace Defaults change, branding update

  • Data access: report export, audit log export

Read-only actions (viewing a page, opening a campaign) are not logged, because they would create too much noise. Only mutations and sensitive reads are recorded.

Log entry schema

Each entry in the audit_log table has:

{
  "id": "uuid",
  "user_id": "uuid",         // who triggered the action
  "owner_id": "uuid",        // workspace owner (for org-level filter)
  "action": "string",        // e.g. "role_change", "campaign_launch"
  "resource_type": "string", // e.g. "team_membership", "campaign"
  "resource_id": "string",   // ID of the affected resource
  "metadata": {},            // JSON detail (old/new values, params)
  "ip_address": "string",
  "user_agent": "string",
  "product": "wevion",       // brand for cross-product debugging
  "created_at": "timestamp"
}

Indexes: (owner_id, created_at desc), (user_id, created_at desc), (action) for fast filtering.

How to view the log

Step 1: Open the audit log page

Navigate to Settings → Team → Audit Log (URL: /settings/team/audit-log).

Step 2: Browse recent entries

The page loads the most recent 50 entries by default. Each row shows:

  • Timestamp (in workspace TZ, toggle to UTC)

  • User (avatar + name + email)

  • Action (e.g. role_change, campaign_launch)

  • Resource (type + ID + name when available)

  • IP / location (from IP)

  • Expand arrow to see full metadata JSON

Step 3: Apply filters

Top of the page:

  • Date range (last 7 days / 30 days / 90 days / custom)

  • Action (multi-select from known action types)

  • User (multi-select from workspace members)

  • Resource type (multi-select)

  • Free-text search in metadata

Combine for "Who changed roles in the last 30 days?":

  • Action = role_change

  • Date range = last 30 days

For "What did Sara do yesterday?":

  • User = Sara

  • Date range = yesterday

Step 4: Pagination

50 per page. Use prev/next or jump to date. For longer scrolls, use CSV export.

Export to CSV

Click Export CSV at top-right. Choose:

  • Current filter result (whatever filter is applied)

  • Full date range (override filter)

  • Specific date range (custom picker)

Wevion calls GET /api/v1/audit-log/export and streams a CSV download. Columns:

id, timestamp, user_id, user_email, action, resource_type, resource_id,
metadata, ip_address, user_agent

Useful for spreadsheet analysis, regulatory submission, or feeding into your SIEM.

Export is rate-limited (large workspaces with millions of entries should chunk by date).

Retention

Audit log retention depends on your plan. Check /settings/team/billing for your current retention window. Pro and Enterprise plans typically have longer windows than Starter. Enterprise can negotiate custom retention.

After the retention window:

  • Entries are deleted from the active database

  • Backups may retain copies per standard backup policy

If you need long-term retention for compliance, export regularly to your own storage.

Common investigation patterns

"Who paused my campaign last night?"

  1. Filter: Action = campaign_pause, Date range = yesterday

  2. Find the entry; user column = who, metadata = which campaign + IP

"Was there any login from an unusual IP?"

  1. Filter: Action = login (success and failure)

  2. Sort by IP, look for unfamiliar addresses

  3. Cross-reference user's expected location

"Has anyone impersonated user X recently?"

  1. Filter: User = X, Action = any

  2. Look for entries where metadata.impersonated_by is present

  3. Lists every impersonation session affecting that user

"Trace a role change escalation chain"

  1. Filter: Action = role_change, User = the affected user

  2. Returns chronological list of all role changes on that user

  3. metadata.old_role + new_role show the progression

"Find all API key activity for a key"

  1. Filter: Action = api_call, search metadata for the key prefix

  2. Returns all calls made by that key

What's NOT logged

For pragmatism and scale, the following are not logged:

  • Read operations on UI (page views, dashboard loads)

  • Wavo chat messages (separate logging for AI conversations)

  • Real-time data sync events from ad platforms (only failures are logged)

  • Frontend-only state changes (UI prefs, filter selections)

If you need richer logging for an Enterprise compliance need, talk to your CSM about custom audit configuration.

Special: impersonation entries

When an action happens during impersonation, the entry has:

  • user_id: the target user (whose session was used)

  • metadata.impersonated_by: the impersonator's user ID

  • metadata.impersonation_session_id: ties multiple actions in same session together

Use the impersonator filter to see "everything done by [admin] while impersonating others".
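The same attribution can be done offline on a CSV export, which also covers the "Has anyone impersonated user X recently?" pattern above. This is an added example, not Wevion's own code: the function names are hypothetical, the sample rows are constructed, and it assumes the metadata column carries the entry's metadata as a JSON string.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample in the documented export column order; all values are made up.
# Assumption: the metadata column holds the entry's metadata as a JSON string.
SAMPLE_CSV = '''id,timestamp,user_id,user_email,action,resource_type,resource_id,metadata,ip_address,user_agent
e1,2026-05-01T09:00:00Z,u-sara,sara@example.com,campaign_pause,campaign,c-17,"{""impersonated_by"":""u-admin"",""impersonation_session_id"":""s-1""}",203.0.113.5,Mozilla/5.0
e2,2026-05-01T09:02:00Z,u-sara,sara@example.com,role_change,team_membership,m-9,"{""impersonated_by"":""u-admin"",""impersonation_session_id"":""s-1"",""old_role"":""member"",""new_role"":""admin""}",203.0.113.5,Mozilla/5.0
e3,2026-05-01T11:00:00Z,u-sara,sara@example.com,campaign_launch,campaign,c-20,{},198.51.100.7,Mozilla/5.0
e4,2026-05-02T08:30:00Z,u-bob,bob@example.com,campaign_pause,campaign,c-3,"{""impersonated_by"":""u-admin"",""impersonation_session_id"":""s-2""}",203.0.113.5,Mozilla/5.0
e5,2026-05-02T08:45:00Z,u-bob,bob@example.com,login,session,x-1,not-json,198.51.100.9,Mozilla/5.0
'''

def load_entries(fh):
    """Yield export rows with the metadata column decoded to a dict."""
    for row in csv.DictReader(fh):
        try:
            meta = json.loads(row["metadata"] or "{}")
        except json.JSONDecodeError:
            meta = {}  # legacy or malformed metadata: keep the row anyway
        row["metadata"] = meta if isinstance(meta, dict) else {}
        yield row

def impersonation_sessions(entries):
    """Group impersonated actions by session, keyed to the real actor."""
    sessions = defaultdict(lambda: {"impersonator": None, "targets": set(), "actions": []})
    for e in entries:
        actor = e["metadata"].get("impersonated_by")
        if not actor:
            continue  # ordinary entry: user_id is the real actor
        sid = e["metadata"].get("impersonation_session_id") or "no-session:" + actor
        sessions[sid]["impersonator"] = actor
        sessions[sid]["targets"].add(e["user_id"])  # user_id is the target here
        sessions[sid]["actions"].append((e["timestamp"], e["action"], e["resource_id"]))
    return dict(sessions)

def sessions_with(sessions, actions=frozenset({"role_change"})):
    """Session IDs in which any of the given actions ran under impersonation."""
    return sorted(sid for sid, s in sessions.items()
                  if any(a[1] in actions for a in s["actions"]))

if __name__ == "__main__":
    found = impersonation_sessions(load_entries(io.StringIO(SAMPLE_CSV)))
    for sid, s in sorted(found.items()):
        print(sid, s["impersonator"], sorted(s["targets"]), len(s["actions"]))
    print("review first:", sessions_with(found))
```

Pass any other action names you treat as sensitive to `sessions_with`, taken from the action list your own workspace shows in the Action filter.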

What you'll see

A typical audit log session for a healthy workspace:

  • Lots of routine entries: campaign edits, rule firings, member logins

  • Occasional configuration changes: role updates, integration connects

  • Rare sensitive events: ownership transfers, impersonation sessions, API key creates

If you see entries that surprise you (unexpected role changes, unfamiliar IPs, unrequested impersonation), investigate immediately.

Common issues

  • Page slow to load: large workspace with millions of entries. Narrow the date range first.

  • Missing entries I expected to see: check the action type filter; some sub-actions are logged under different action names.

  • Export CSV times out: split into smaller date ranges and concatenate.

  • Entry shows action with no description: legacy entry from a previous Wevion version. Look at metadata for context.

  • Timestamps look wrong: switch between workspace TZ and UTC; verify your workspace TZ is correct (team-106).

  • Cannot see entries from a workspace I left: by design — removed members lose visibility of that workspace's audit log.

Compliance use cases

  • GDPR: subject access requests can be answered with filtered exports per user

  • SOC 2: audit log feeds SOC 2 evidence requirements (logged access, logged changes)

  • HIPAA / similar: depending on data flowing through Wevion, may apply — talk to your CSM

  • Internal audits: monthly export + review covers most internal audit needs
