Audit log
The audit log captures every administrative action against your tenant: who did what, when, from which IP, against which resource. Retention is two-tier: a queryable hot tier with full event payload (actor, action, fields_json) for 90 / 180 / 365 / 730 days — defaulting to 90 (standard plan) or 365 (enterprise plans), and configurable per tenant at Authentication policy → Audit log retention; and a 3-year cryptographic chain archive in T Cloud OBS WORM that retains hash-chain anchor objects after the hot-tier payload has been redacted. Compliance exports cover the queryable window.
For the cryptographic chain of custody (anchor-chain, OBS-backed merkle commitments), see Audit chain integrity.
What’s recorded
| Event class | Examples |
|---|---|
| Identity | Sign-in, SSO step-up, MFA reset, SCIM provisioning, role change |
| Repository | Repo created, transferred, archived, deleted; branch protection changed |
| Secrets | Secret created, rotated, deleted (name only, never the value) |
| Webhooks | Destination added, rotated, removed; delivery replayed |
| Policy | Push-protection rule added or override applied; malware-scan override; SAST dismissal |
| Billing | Plan change, payment method update, cap change |
| Data export | Export queued, downloaded, expired |
Notably absent: ordinary code reads (clone, view, file open). The audit log is an administrative-action log, not an access log. If you need a read-event trail (e.g. for sensitive-IP review), open a support ticket and we will talk through the SIEM-forwarding shape that gets you there.
Reading the log
Tenant admin → Reports → Audit log. Filter by actor (<username>), action (secret.created, role.changed, …), time range, or affected resource. The default view is the last 7 days.
Click any row to expand the JSON payload. Sensitive fields (secret values, OIDC tokens, PII attachments) are redacted at the write boundary, so an expanded row never shows a value you wouldn’t want a customer’s auditor to read.
CSV export
Click Export CSV on any filtered view to get a snapshot. The CSV contains the rows currently filtered, capped at 50,000 rows per export. For larger windows, queue a full Data export from Reports → Data export.
SIEM forwarding
Every audit event is also emitted to a per-tenant HTTPS sink if you configure SIEM forwarding. The sink receives events in real time (within seconds of the action) in a compact JSON shape; the format is stable and versioned.
Retention
Audit records are kept in two tiers:
- Queryable payload tier — the actor name and fields_json payload of every event are queryable in the admin UI / CSV export / SIEM stream for the retention window below.
- Tamper-evident chain tier — each event’s cryptographic hash + chain link stays for 3 years (WORM-anchored to OBS object lock). This is what makes the chain provably untampered for audit-readiness; it stays intact even after the payload-tier redaction stamps a row.
Queryable payload retention
| Plan | Default | Customer-tunable presets |
|---|---|---|
| fremforge / starter | 90 days | 90 / 180 / 365 / 730 |
| enterprise / enterprise_trial | 365 days | 90 / 180 / 365 / 730 |
The cap of 730 days (≈2 years) keeps the live audit_events table bounded. Anything beyond that is the WORM tier’s job; if you need queryable history past 730 days, queue a Data export quarterly and archive it in your SIEM.
The cutoff applies at the actor + fields_json columns: rows older than the window keep their hash, timestamp, and action name (so SOC 2 / DORA reporting still works) but the actor is pseudonymised to redacted and the payload is replaced with {}. The cryptographic chain is not broken by this; redaction is an in-place pseudonymisation, not a delete.
Changing the queryable window
Tenant admin → Security → Authentication policy → Audit log retention card. Pick one of 90 / 180 / 365 / 730 days. Behaviour notes:
- Extending the window (e.g. 90 → 365): newly-emitted rows stay queryable for longer. Rows that were already redacted under the previous window stay redacted — fremforge does not un-redact.
- Shortening the window (e.g. 365 → 90): the next daily redaction sweep (~02:30 UTC) redacts every row older than the new window. The redaction is irreversible at the operational tier; the WORM chain is unaffected.
Audit-log action recorded against this setting: tenant.auth_policy.audit_retention.updated (with the previous and new day counts).
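The two behaviour notes above (extending never un-redacts; shortening redacts at the next sweep, and only the actor and payload columns are touched) are easier to reason about against a working model. The following is an added example, not fremforge’s own code: it keeps the row columns the page names (ts, action, actor, fields_json, hash, chain), but the per-event hash and link construction is an assumption chosen for illustration (the real scheme is documented under Audit chain integrity). The sample events are constructed.

```python
"""Model of the daily queryable-tier redaction sweep (added example, not
fremforge code). Hash/link construction is assumed for illustration."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

REDACTED_ACTOR = "redacted"
GENESIS = "0" * 64


def _event_hash(ts, action, actor, fields_json):
    # Assumed: per-event hash over the full payload, computed once at write time
    # and stored on the row. It is never recomputed after redaction.
    data = json.dumps([ts, action, actor, fields_json], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def _chain_link(prev_link, event_hash):
    # Assumed: link_i = H(link_{i-1} || hash_i). Links bind only the stored
    # hashes, so blanking actor/fields_json later cannot break the chain.
    return hashlib.sha256((prev_link + event_hash).encode()).hexdigest()


def append_event(rows, ts, action, actor, fields):
    """Write boundary: compute the event hash and chain link, store both."""
    fields_json = json.dumps(fields, sort_keys=True)
    h = _event_hash(ts, action, actor, fields_json)
    prev = rows[-1]["chain"] if rows else GENESIS
    rows.append({"ts": ts, "action": action, "actor": actor,
                 "fields_json": fields_json, "hash": h,
                 "chain": _chain_link(prev, h)})


def redaction_sweep(rows, retention_days, now):
    """Daily sweep: pseudonymise the actor and blank the payload for rows
    older than the window. ts, action, hash and chain are left untouched.
    Returns the number of rows redacted by this run."""
    cutoff = now - timedelta(days=retention_days)
    redacted = 0
    for r in rows:
        if datetime.fromisoformat(r["ts"]) < cutoff and r["actor"] != REDACTED_ACTOR:
            r["actor"] = REDACTED_ACTOR
            r["fields_json"] = "{}"
            redacted += 1
    return redacted


def verify_chain(rows):
    """Recompute every link from the stored per-event hashes only."""
    prev = GENESIS
    for r in rows:
        if _chain_link(prev, r["hash"]) != r["chain"]:
            return False
        prev = r["chain"]
    return True


def queryable_actions(rows):
    """Actions whose actor/payload are still readable in the hot tier."""
    return [r["action"] for r in rows if r["actor"] != REDACTED_ACTOR]


def demo():
    now = datetime(2024, 6, 1, 2, 30, tzinfo=timezone.utc)  # constructed sweep time
    rows = []
    # constructed sample events: 400, 200 and 10 days old
    for days_ago, action, actor, fields in [
        (400, "role.changed", "alice", {"role": "admin"}),
        (200, "secret.created", "bob", {"name": "DEPLOY_KEY"}),
        (10, "webhook.added", "carol", {"dest": "https://siem.example"}),
    ]:
        ts = (now - timedelta(days=days_ago)).isoformat()
        append_event(rows, ts, action, actor, fields)
    first = redaction_sweep(rows, 365, now)      # enterprise default: 1 row aged out
    shortened = redaction_sweep(rows, 90, now)   # 365 -> 90: one more row redacted
    extended = redaction_sweep(rows, 730, now)   # 90 -> 730: nothing is un-redacted
    return {"first": first, "shortened": shortened, "extended": extended,
            "chain_ok": verify_chain(rows), "queryable": queryable_actions(rows),
            "oldest": {k: rows[0][k] for k in ("action", "actor", "fields_json")}}
```

The point the model makes concrete: after a row is redacted, the chain still verifies because the links were built over hashes fixed at write time, but nothing can recover the actor or payload from the hot tier, so a later window extension has nothing to restore.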
Compliance commitments
DPA Annex A.7 commits to the 90-day baseline + 3-year WORM. Enterprise SLA commits to 365-day queryable + 3-year WORM. Going below the plan default is allowed in the UI but would breach the DPA: fremforge does not enforce the floor technically, the contract does. The on-call paging keyword audit_payload_reaper_failed fires if the daily redaction sweep itself fails (separate from a customer changing retention).