Tamper-evident record of every administrative action — essential for compliance, security investigations, and change tracking.
The Audit Log captures every administrative action performed in your AgenticMail Enterprise instance. It's a tamper-evident, append-only record that's critical for security investigations, compliance audits (SOC 2, GDPR, HIPAA), and understanding who changed what and when.
Every entry records the action, the user who performed it, their role, the resource affected, the IP address, and a timestamp. You can click any entry to see full details including metadata.
| Category | Example Actions |
|---|---|
| User Management | User login, user created, user deleted, role changed, password reset, 2FA enabled |
| Agent Changes | Agent created, configuration updated, agent deployed, agent paused/killed/resumed |
| Policy Updates | Policy created/edited/deleted, guardrail rule added, DLP rule changed |
| Organization | Org created, org toggled active/inactive, agent assigned/unassigned |
| Settings | Branding changed, SSO configured, API key created/revoked, security settings updated |
| Skills & Integrations | Skill installed/uninstalled, OAuth connected/disconnected, credentials saved |
| System Events | Automated interventions, scheduled tasks, health checks |
The audit log displays as a table with these columns:
| Column | Description |
|---|---|
| Time | When the action occurred (local time) |
| Action | What happened — color-coded badge (see below) |
| User | Who did it — email address or "System" for automated actions |
| Role | The actor's role (owner, admin, user, system) |
| Resource | What was affected — shown as an API path (e.g., agents/abc123) |
| IP | Source IP address |
Results are paginated (50 entries per page). Use the Previous/Next buttons to navigate.
Use the filter box in the top-right corner to search across all columns simultaneously. The filter matches against:
Click any row to open the detail modal, which shows the full audit entry including:
Action badges are color-coded for quick visual scanning:
| Color | Action Types | Examples |
|---|---|---|
| Green | Create / Add | user.create, agent.add, policy.create |
| Red | Delete / Remove / Revoke | user.delete, key.revoke, agent.kill |
| Yellow | Update / Edit / Patch | settings.update, agent.edit, policy.patch |
| Blue | Login / Auth | user.login, sso.auth, 2fa.verify |
| Gray | Other | system.check, export.data |
Role badges are also color-coded:
The audit log provides evidence of access controls, change management, and monitoring. Filter by "login" to demonstrate authentication tracking, or by "delete" to show change management oversight.
Track data access and modifications. Filter by user email to generate a complete activity report for data subject access requests.
When investigating an incident, filter by IP address to trace all actions from a specific source, or by timeframe to reconstruct the sequence of events.
Before and after deploying changes, review the audit log to verify only expected modifications were made. The detail view shows configuration diffs.
| Issue | Solution |
|---|---|
| No entries showing | The audit log only captures events after initial setup. Perform an action (like updating settings) and refresh. |
| Filter returns no results | The filter searches across all columns. Try a broader term. Check for typos. |
| Missing expected action | Some read-only actions (viewing pages) aren't logged to reduce noise. Only state-changing actions are captured. |
| IP shows as "—" | System-initiated actions and some internal events don't have an associated IP. |
| Timestamps seem wrong | Timestamps are displayed in your browser's local timezone. The underlying data is stored in UTC. |
AgenticMail Enterprise — Audit Log Documentation