Audit and activity logs
Every meaningful action in ScaiDrive — sign-ins, file accesses, share changes, admin actions — produces an audit event. The Compliance section of the admin console has two views into this stream: the Activity Log (operator-friendly, recent events) and the Audit Log (compliance-grade, filterable, retainable, exportable).
Activity Log
Compliance → Activity Log. A reverse-chronological feed of events with light filtering (last hour, last day, last week, last month). Aimed at "what just happened?" investigation:
- Who signed in, when, from what IP.
- Which files were opened or downloaded.
- Who added or removed a share member.
- Which external links were created and accessed.
Click any event to see its full payload, the originating session, and the user-agent.
This view is not intended to be a long-term store; the Audit Log is. By default, the Activity Log shows you the most recent 30 days of audit events through the same underlying table.
Audit Log
Compliance → Audit Log. The same events, but with:
- Powerful filters — by event category (authentication, file access, share, admin, etc.), by user, by share, by IP, by date range, by free-text search across event payloads.
- Saved queries — name a filter set and re-run it later (good for recurring compliance reports).
- CSV / JSON export — bounded by your selection.
Event categories
| Category | Examples |
|---|---|
| AUTHENTICATION | Sign-in success / failure, sign-out, MFA challenge |
| AUTHORIZATION | Permission denied, role grants, ACL changes |
| FILE_ACCESS | Download, preview, open |
| FILE_MODIFICATION | Upload, edit, delete, restore, rename, move |
| SHARING | External link created/revoked, member added/removed, role change |
| ADMIN | Settings change, quota change, user provisioning |
| SECURITY | Suspicious sign-in pattern, MFA disabled, IP block triggered |
| COMPLIANCE | Legal hold placed/lifted, retention policy run, DLP match, export |
Every event has a severity (info, warning, critical) and is timestamped to UTC.
Service-account events
When an action is performed by a service account exchanged via RFC 8693 token exchange, the audit event records both:
- user_id — the human user the service is acting on behalf of.
- service_account — the client ID of the service that initiated the action.
This is GDPR-Article-30 compliant: you can answer "who did this?" with both the human and the system that proxied them.
Retention
By default, audit events are kept forever. Configure trimming at System → Settings → Retention → Audit log retention (e.g., 7 years for SOX, 2 years for GDPR-minimum).
Events under a legal hold are exempt from retention pruning (see Compliance policies).
Sessions
Identity → Sessions. Live view of every active sign-in across all users:
- User, IdP, device kind, IP, last activity, expires-at.
- Revoke kills the session — the user must re-authenticate.
- Revoke all for user — kills every session for one user (common during incident response).
A revoked session leaves the user's local sync state intact; the next API call from any client triggers a re-authentication flow.
Failed-login monitoring
Authentication failures are visible in the Audit Log filtered by AUTHENTICATION + failure. ScaiDrive applies a 5-attempts-in-15-minutes lockout per (account, IP) pair — beyond that, the account is temporarily blocked from that IP and a SECURITY event is logged. Configure thresholds at System → Settings → Security.
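To review an Audit Log JSON export offline for (account, IP) pairs that reached the default lockout threshold, a sliding-window pass is enough. The following is an added example, not ScaiDrive code: the export shape and the field names `category`, `outcome`, `user_id`, `ip` and `timestamp` are assumptions, as is treating the 15-minute boundary as inclusive, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Page defaults: 5 attempts in 15 minutes per (account, IP) pair.
THRESHOLD = 5
WINDOW = timedelta(minutes=15)

# Constructed sample export. Field names are assumptions, not a documented ScaiDrive schema.
SAMPLE_EXPORT = json.dumps(
    [{"category": "AUTHENTICATION", "outcome": "failure", "user_id": "alice",
      "ip": "203.0.113.7", "timestamp": f"2024-05-01T10:{m:02d}:00Z"}
     for m in (0, 3, 6, 9, 12)]
    + [{"category": "AUTHENTICATION", "outcome": "failure", "user_id": "bob",
        "ip": "198.51.100.4", "timestamp": f"2024-05-01T10:{m:02d}:00Z"}
       for m in (0, 10, 20, 30, 40)]
    + [{"category": "AUTHENTICATION", "outcome": "success", "user_id": "alice",
        "ip": "203.0.113.7", "timestamp": "2024-05-01T10:13:00Z"}]
)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; accept a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lockout_candidates(export_json, threshold=THRESHOLD, window=WINDOW):
    """Return {(user_id, ip): time the failure threshold was first reached}."""
    events = [e for e in json.loads(export_json)
              if e.get("category") == "AUTHENTICATION" and e.get("outcome") == "failure"]
    events.sort(key=lambda e: parse_ts(e["timestamp"]))  # exports may not be ordered
    recent = defaultdict(deque)  # sliding window of failure times per pair
    tripped = {}
    for e in events:
        key, ts = (e["user_id"], e["ip"]), parse_ts(e["timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in tripped:
            tripped[key] = ts
    return tripped


if __name__ == "__main__":
    for (user, ip), when in lockout_candidates(SAMPLE_EXPORT).items():
        print(f"{user} from {ip}: threshold reached at {when.isoformat()}")
```

Each pair returned should have a matching SECURITY event in the same export; a pair without one is worth checking against the thresholds configured at System → Settings → Security.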
Exporting
The CSV/JSON export from the Audit Log produces what you need for ad-hoc reporting. For streaming events into a SIEM, use the SIEM integration — same events, pushed in near-real-time.
What's next
- Compliance policies — legal holds, retention, DLP, eDiscovery.
- SIEM integration — streaming audit events out.