---
title: Audit and activity logs
path: administration/audit-and-activity
status: published
---

Every meaningful action in ScaiDrive — sign-ins, file accesses, share changes, admin actions — produces an audit event. The Compliance section of the admin console has two views into this stream: the **Activity Log** (operator-friendly, recent events) and the **Audit Log** (compliance-grade, filterable, retainable, exportable).

## Activity Log

Compliance → Activity Log. A reverse-chronological feed of events with light filtering (last hour, last day, last week, last month). Aimed at "what just happened?" investigation:

- Who signed in, when, from what IP.
- Which files were opened or downloaded.
- Who added or removed a share member.
- Which external links were created and accessed.

Click any event to see its full payload, the originating session, and the user-agent.

This view is **not** intended to be a long-term store; the Audit Log is. Both views read the same underlying table, and by default the Activity Log shows only the most recent 30 days of audit events.

## Audit Log

Compliance → Audit Log. The same events, but with:

- **Powerful filters** — by event category (authentication, file access, share, admin, etc.), by user, by share, by IP, by date range, by free-text search across event payloads.
- **Saved queries** — name a filter set and re-run it later (good for recurring compliance reports).
- **CSV / JSON export** — bounded by your selection.

### Event categories

| Category | Examples |
|---|---|
| `AUTHENTICATION` | Sign-in success / failure, sign-out, MFA challenge |
| `AUTHORIZATION` | Permission denied, role grants, ACL changes |
| `FILE_ACCESS` | Download, preview, open |
| `FILE_MODIFICATION` | Upload, edit, delete, restore, rename, move |
| `SHARING` | External link created/revoked, member added/removed, role change |
| `ADMIN` | Settings change, quota change, user provisioning |
| `SECURITY` | Suspicious sign-in pattern, MFA disabled, IP block triggered |
| `COMPLIANCE` | Legal hold placed/lifted, retention policy run, DLP match, export |

Every event has a severity (`info`, `warning`, `critical`) and is timestamped to UTC.

### Service-account events

When an action is performed by a service account that obtained its token via RFC 8693 token exchange, the audit event records both:

- `user_id` — the human user the service is acting on behalf of.
- `service_account` — the client ID of the service that initiated the action.

This is GDPR-Article-30 compliant: you can answer "who did this?" with both the human and the system that proxied them.

## Retention

By default, audit events are kept forever. Configure trimming at System → Settings → Retention → **Audit log retention** (e.g., 7 years for SOX, 2 years for GDPR-minimum).

Events under a **legal hold** are exempt from retention pruning (see [Compliance policies](/docs/scaidrive/administration/compliance-policies)).

## Sessions

Identity → Sessions. Live view of every active sign-in across all users:

- User, IdP, device kind, IP, last activity, expires-at.
- **Revoke** kills the session — the user must re-authenticate.
- **Revoke all for user** — kills every session for one user (common during incident response).

A revoked session leaves the user's local sync state intact; the next API call from any client triggers a re-authentication flow.

## Failed-login monitoring

Authentication failures are visible in the Audit Log filtered by `AUTHENTICATION + failure`. ScaiDrive applies a 5-attempts-in-15-minutes lockout per (account, IP) pair — beyond that, the account is temporarily blocked from that IP and a `SECURITY` event is logged. Configure thresholds at System → Settings → Security.
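To review failures offline, the following added example (not ScaiDrive code) replays the 5-in-15-minutes rule over a JSON export and also totals failures per account across all source IPs, which the per-pair counter does not show. The field names `timestamp`, `category`, `outcome` and `ip` are assumptions about the export schema; only `user_id` and the category names come from this page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW, THRESHOLD = timedelta(minutes=15), 5  # the lockout rule described above

def _ev(minute, user, ip, outcome="failure"):
    # Field names other than user_id are assumptions about the export schema.
    return {"timestamp": f"2024-05-01T09:{minute:02d}:00Z", "category": "AUTHENTICATION",
            "outcome": outcome, "user_id": user, "ip": ip}

# Constructed sample export (documentation IP ranges), not real ScaiDrive output.
SAMPLE_EXPORT = json.dumps(
    [_ev(m, "alice", "203.0.113.10") for m in (0, 2, 4, 6, 8)]          # 5 in 8 min, one IP
    + [_ev(m, "bob", f"198.51.100.{m}") for m in (1, 3, 5, 7, 9, 11)]   # 6 in 10 min, six IPs
    + [_ev(m, "carol", "192.0.2.7") for m in (0, 10, 20, 30, 40)]       # 5 in 40 min, one IP
    + [_ev(12, "alice", "203.0.113.10", outcome="success")]
)

def _failures(events):
    """Return (time, user, ip) for failed sign-ins, oldest first."""
    return sorted(
        (datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")), e["user_id"], e["ip"])
        for e in events
        if e.get("category") == "AUTHENTICATION" and e.get("outcome") == "failure"
    )

def bursts(events, key):
    """Map each key to its peak failure count in any 15-minute window, if >= THRESHOLD."""
    recent, peak = defaultdict(deque), {}
    for ts, user, ip in _failures(events):
        k = key(user, ip)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            peak[k] = max(peak.get(k, 0), len(q))
    return peak

def report(export_text):
    """Return (per-pair bursts, accounts that only cross the threshold across all IPs)."""
    events = json.loads(export_text)
    per_pair = bursts(events, key=lambda user, ip: (user, ip))
    per_account = bursts(events, key=lambda user, ip: user)
    flagged_users = {user for user, _ in per_pair}
    spread = {u: n for u, n in per_account.items() if u not in flagged_users}
    return per_pair, spread

if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

The first result should line up with the `SECURITY` lockout events in the same date range; entries in the second result are accounts worth a manual look even though no lockout fired.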

## Exporting

The CSV/JSON export from the Audit Log produces what you need for ad-hoc reporting. For streaming events into a SIEM, use the [SIEM integration](/docs/scaidrive/administration/siem-integration) — same events, pushed in near-real-time.

## What's next

- [Compliance policies](/docs/scaidrive/administration/compliance-policies) — legal holds, retention, DLP, eDiscovery.
- [SIEM integration](/docs/scaidrive/administration/siem-integration) — streaming audit events out.