Audit Logging
Slim.io records a comprehensive audit trail of all significant operations on the platform. Every action that modifies data, configuration, or access controls is logged with the actor’s identity, timestamp, and operation details. Audit logs support compliance requirements, incident investigation, and operational monitoring.
What Gets Logged
Scan Operations
| Event | Details Captured |
|---|---|
| Scan started | Initiator, connector, scan type (full/incremental/event-driven), scope |
| Scan completed | Duration, files processed, findings count, error count |
| Scan cancelled | Cancelling user, reason, files processed at cancellation |
| Scan failed | Error details, last processed file, partial results |
Policy Operations
| Event | Details Captured |
|---|---|
| Policy created | Author, policy name, mode (dry-run/enforced), YAML content hash |
| Policy updated | Author, changed fields, previous vs. new values |
| Policy deleted | Deleting user, policy name |
| Policy evaluated | Policy name, findings matched, actions executed, outcomes |
| Policy mode changed | Author, previous mode, new mode |
Connector Operations
| Event | Details Captured |
|---|---|
| Connector created | Creator, provider, target bucket/container, permissions granted |
| Connector updated | Changed fields (credentials rotated, scope changed) |
| Connector deleted | Deleting user, connector name |
| Connection test | Success/failure, latency, error details |
Data Access
| Event | Details Captured |
|---|---|
| Finding viewed | Viewer, finding ID, category |
| Token decrypted | Decryptor, token IDs, finding context |
| Bulk export | Exporter, scope, record count, export format |
| Data Catalog search | Searcher, query terms, result count |
Access Control
| Event | Details Captured |
|---|---|
| User login | User email, auth method (password, SSO), IP address |
| User logout | User email, session duration |
| Role assignment | Admin, target user, role granted |
| Role revocation | Admin, target user, role removed |
| SSO configuration | Admin, provider, settings changed |
| API key created | Creator, key scope, permissions |
| API key revoked | Revoker, key ID, reason |
Workspace Operations
| Event | Details Captured |
|---|---|
| Workspace created | Creator, workspace name, initial configuration |
| Member added/removed | Admin, member email, role |
| Workspace settings changed | Admin, changed fields |
Audit Log Format
Each log entry contains a standard set of fields:
| Field | Description |
|---|---|
| timestamp | ISO 8601 timestamp with millisecond precision |
| event_type | Dotted event identifier (e.g., scan.started, policy.created) |
| actor | Email and role of the user or service account that performed the action |
| tenant_id | Tenant context for multi-tenant isolation |
| workspace_id | Workspace scope (if applicable) |
| resource_type | Type of resource affected (scan, policy, connector, finding) |
| resource_id | Unique identifier of the affected resource |
| details | Action-specific metadata (varies by event type) |
| ip_address | Source IP of the request |
| user_agent | Client identifier |
Viewing Audit Logs
Dashboard
Navigate to Settings > Audit Log in the Customer Dashboard to view, search, and filter the audit trail.
Available filters:
- Date range
- Event type
- Actor (user email)
- Resource type
- Keyword search across event details
API
GET /api/v1/governance/audit-log?start=2026-03-01T00:00:00Z&end=2026-03-27T23:59:59Z&event_type=policy.*&limit=100
Authorization: Bearer $TOKEN
Response:
{
  "status": "success",
  "data": {
    "entries": [
      {
        "timestamp": "2026-03-15T10:30:00.123Z",
        "event_type": "policy.created",
        "actor": { "email": "admin@company.com", "role": "admin" },
        "resource_type": "policy",
        "resource_id": "tokenize-financial-pii",
        "details": {
          "mode": "dry-run",
          "conditions_count": 2,
          "actions_count": 2
        }
      }
    ],
    "total": 47,
    "next_cursor": "cursor-abc-123"
  }
}
Retention
| Tier | Default Retention | Maximum Retention |
|---|---|---|
| Starter | 30 days | 30 days |
| Professional | 90 days | 1 year |
| Enterprise | 90 days | Unlimited (configurable) |
Audit logs can be exported to your SIEM or log management platform via the webhook integration. Configure a webhook with the audit.* event filter to stream logs in real time.
SIEM Integration
Export audit logs to external security information and event management (SIEM) systems:
- Navigate to Settings > Integrations > SIEM Export.
- Configure the destination (Splunk, Datadog, Elastic, or generic webhook).
- Select the event types to export.
- Set the export format (JSON or CEF).
Supported destinations:
| SIEM | Integration Method |
|---|---|
| Splunk | HTTP Event Collector (HEC) |
| Datadog | Datadog Logs API |
| Elastic | Elasticsearch bulk API |
| Generic | Custom webhook endpoint |
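The page names CEF as an export format but does not give the field mapping, so the following is an added example (not Slim.io's code or its actual CEF layout) of how a receiver behind the generic webhook could turn one JSON audit entry into a CEF line, escaping delimiters so that request-controlled values such as user_agent cannot forge extra fields in the SIEM. The vendor/product strings, the severity, the choice of CEF keys (rt, suser, src, requestClientApplication, cs1, cs2) and the sample ip_address, user_agent and details.note values are assumptions.

```python
import calendar
import json
from datetime import datetime

# Constructed entry in the shape of the API response on this page; the
# ip_address, user_agent and details.note values are made up.
SAMPLE = {
    "timestamp": "2026-03-15T10:30:00.123Z",
    "event_type": "policy.created",
    "actor": {"email": "admin@company.com", "role": "admin"},
    "resource_type": "policy",
    "resource_id": "tokenize-financial-pii",
    "details": {"mode": "dry-run", "note": "a=b|c"},
    "ip_address": "203.0.113.7",
    "user_agent": "curl/8.5.0",
}

def esc_header(value):
    # CEF header fields: escape backslash and pipe; flatten line breaks.
    s = str(value).replace("\\", "\\\\").replace("|", "\\|")
    return s.replace("\r", " ").replace("\n", " ")

def esc_ext(value):
    # CEF extension values: escape backslash and '='; encode line breaks.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(entry, vendor="ExampleVendor", product="AuditExport", version="1.0"):
    # Assumed mapping: vendor/product/version and severity 5 are placeholders.
    ts = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    rt_ms = calendar.timegm(ts.timetuple()) * 1000 + ts.microsecond // 1000
    header = [vendor, product, version,
              entry["event_type"], entry["event_type"], 5]
    ext = {
        "rt": rt_ms,  # event time, epoch milliseconds (UTC)
        "suser": entry["actor"]["email"],
        "src": entry.get("ip_address", ""),
        "requestClientApplication": entry.get("user_agent", ""),
        "cs1Label": "resource",
        "cs1": f'{entry["resource_type"]}/{entry["resource_id"]}',
        "cs2Label": "details",
        "cs2": json.dumps(entry.get("details", {}), sort_keys=True),
    }
    head = "|".join(["CEF:0"] + [esc_header(h) for h in header])
    body = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v != "")
    return f"{head}|{body}"

if __name__ == "__main__":
    print(to_cef(SAMPLE))
```

The pipe inside details.note is left alone because CEF only requires pipe escaping in the header, while the `=` is escaped so the SIEM does not parse it as a new key.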
Compliance Use Cases
Audit logs support the following compliance frameworks:
- SOC 2 (CC7.2) — Monitoring of system operations and anomaly detection
- HIPAA (164.312(b)) — Activity logs and audit controls for PHI access
- PCI-DSS (Req. 10) — Tracking and monitoring all access to network resources and cardholder data
- GDPR (Art. 30) — Records of processing activities with purpose and legal basis
For detailed compliance mapping, see Compliance.