Audit Log
FORG maintains an immutable audit log of all administrative actions, authentication events, license operations, and policy changes. Logs are retained for 90 days on Enterprise plans and can be exported or streamed to your SIEM.
Viewing audit logs
Go to Dashboard → Settings → Audit Log. Logs can be filtered by event type, actor, date range, and target resource.
Event categories
| Category | Events |
|---|---|
| Authentication | login, logout, sso_login, mfa_challenged, session_expired, password_changed |
| License | license_activated, license_deactivated, license_revoked, seat_allocated, seat_released |
| Users | user_invited, user_removed, user_suspended, user_role_changed, scim_provisioned, scim_deprovisioned |
| Teams | team_created, team_deleted, member_added, member_removed |
| Rules | rule_created, rule_updated, rule_deleted, rule_triggered |
| API Keys | api_key_created, api_key_revoked, api_key_used |
| Billing | subscription_changed, payment_method_updated, invoice_paid |
| SSO/SCIM | sso_configured, sso_enforcement_enabled, scim_token_rotated |
| Data | export_requested, export_downloaded, data_deleted |
Audit log entry schema
{
  "id": "evt_01J3K9M4N8P2Q7R5S6T0",
  "ts": "2025-05-28T10:14:37Z",
  "action": "rule_created",
  "actor": {
    "id": "usr_4a9f2b1e",
    "email": "admin@example.com",
    "type": "user" // user | api_key | scim | system
  },
  "target": {
    "type": "rule",
    "id": "rule_7c3d1a2b",
    "name": "Monthly budget cap"
  },
  "org_id": "org_8e4f2c9d",
  "ip": "203.0.113.42",
  "user_agent": "Mozilla/5.0...",
  "metadata": { "budget_usd": 500, "scope": "org" }
}
Exporting logs
Manual export
From the Audit Log page, click Export to download a date-range filtered CSV or JSON export. Exports are limited to 10,000 entries per request.
API export
GET https://forg.pro/agent/v1/audit-log?
from=2025-05-01T00:00:00Z&
to=2025-05-31T23:59:59Z&
action=rule_created&
page=1&
per_page=100
Authorization: Bearer forg_live_...
SIEM streaming
Audit logs can be streamed in real time to your SIEM via webhook. Go to Settings → Audit Log → Stream and configure a webhook endpoint. Events are delivered as JSON with the same schema as above, wrapped in a webhook envelope.
Supported SIEM integrations with native connectors:
- Splunk (via HTTP Event Collector)
- Datadog (via Logs API)
- Elastic / OpenSearch (via webhook)
- Microsoft Sentinel (via webhook)
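Once entries reach your own tooling, the schema above is enough to drive a first triage pass. The following is an added example, not FORG code: it validates entries against the documented fields and flags sensitive user actions that come from an IP the same actor has not logged in from earlier. It assumes a JSON export is an array of entries; the `SENSITIVE` set, the function names and the sample data are constructed for illustration.

```python
import json
from datetime import datetime

ACTOR_TYPES = {"user", "api_key", "scim", "system"}  # from the schema comment
# Assumption: this "sensitive" set is a local triage choice, not defined by FORG.
SENSITIVE = {"user_role_changed", "api_key_created", "scim_token_rotated",
             "sso_configured", "export_downloaded", "data_deleted"}

def parse_entry(raw):
    """Check one entry against the documented schema and parse its timestamp."""
    if any(k not in raw for k in ("id", "ts", "action", "actor", "ip")):
        raise ValueError("missing required field")
    if raw["actor"].get("type") not in ACTOR_TYPES:
        raise ValueError(f"unknown actor type: {raw['actor'].get('type')!r}")
    return {**raw, "ts": datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))}

def load(text):
    """Split a JSON array of entries into parsed entries and (id, reason) rejects."""
    good, rejected = [], []
    for raw in json.loads(text):
        try:
            good.append(parse_entry(raw))
        except ValueError as err:
            rejected.append((raw.get("id"), str(err)))
    return good, rejected

def triage(entries):
    """Flag sensitive user actions from an IP with no earlier login by that user."""
    login_ips, findings = {}, []
    for e in sorted(entries, key=lambda e: e["ts"]):
        seen = login_ips.setdefault(e["actor"]["id"], set())
        if e["action"] in ("login", "sso_login"):
            seen.add(e["ip"])
        elif (e["action"] in SENSITIVE and e["actor"]["type"] == "user"
              and e["ip"] not in seen):
            findings.append((e["id"], e["action"], e["ip"]))
    return findings

# Constructed sample export (not real FORG data), deliberately out of order.
SAMPLE = json.dumps([
    {"id": "evt_s3", "ts": "2025-05-28T10:30:00Z", "action": "api_key_created",
     "actor": {"id": "usr_4a9f2b1e", "type": "user"}, "ip": "198.51.100.7"},
    {"id": "evt_s1", "ts": "2025-05-28T10:00:00Z", "action": "login",
     "actor": {"id": "usr_4a9f2b1e", "type": "user"}, "ip": "203.0.113.42"},
    {"id": "evt_s4", "ts": "2025-05-28T10:40:00Z", "action": "export_downloaded",
     "actor": {"id": "usr_4a9f2b1e", "type": "user"}, "ip": "203.0.113.42"},
    {"id": "evt_s5", "ts": "2025-05-28T10:45:00Z", "action": "data_deleted",
     "actor": {"id": "key_sample", "type": "robot"}, "ip": "198.51.100.7"},
])
```

Entries that fail validation are returned separately rather than dropped, so a schema change or a malformed event shows up as a reject instead of a silent gap in coverage.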
Retention and immutability
Audit log entries cannot be modified or deleted, even by org admins. The default retention period is 90 days. Extended retention (up to 7 years) is available for compliance requirements — contact support to enable.