
Audit Logs and Event Forwarding

The Audit Log is a comprehensive chronological record of every significant action taken within your Organization on the Ngwenya platform. It captures membership changes, role assignments, security configuration updates, and more — giving Organization Owners and Administrators a complete oversight trail for compliance, security reviews, and internal governance.

Who Can View the Audit Log?

Only Organization members with roles that include the View Audit Logs permission can access the Audit Log. By default, this includes Owners and Admins. If your Organization uses Custom RBAC, any custom role that includes the VIEW_AUDIT_LOGS permission will also have access.

Accessing the Audit Log

  1. Navigate to your Organization management dashboard at /orgs/your-org-slug/manage.
  2. Click the Audit Log tab in the navigation bar.
  3. The log loads the most recent 200 events automatically.

Filtering Events

The Audit Log provides client-side filtering to narrow down the displayed events:

  • Actor Filter: Use the "Actor" dropdown to display only events performed by a specific member. The dropdown is populated dynamically from the unique actors found in the loaded events.
  • Date Range: Use the start and end date pickers to focus on a specific time window.

TIP

Filters are applied instantly and stack — you can combine an Actor filter with a Date Range to find exactly the actions you need.

Exporting Records

You can download the currently filtered event set at any time:

  • Download CSV: Exports a comma-separated file suitable for spreadsheets. Columns include Event ID, Date, Type, Actor, Target User, IP Address, and Metadata.
  • Download JSON: Exports a structured JSON array containing the full event objects with all nested metadata intact.

NOTE

Exports always reflect the current filter state. If you have an Actor filter active, only those events will be included in the download.

Event Types

The Audit Log captures a wide range of administrative actions:

Event                               Description
Member Invited                      A new member invitation was sent
Member Joined                       A member accepted an invitation
Member Removed                      A member was removed from the Organization
Role Changed                        A member's base role was changed
Team Created / Updated / Deleted    A Team was created, renamed, or deleted
Team Member Added / Removed         A member was added to or removed from a Team
Collaborator Added / Removed        An Outside Collaborator was added or removed
Custom Role Lifecycle               A custom role was created, updated, deleted, assigned, or removed
SAML Configuration                  SSO configuration was created, updated, or deleted
SCIM Token Lifecycle                A SCIM provisioning token was created or revoked
SIEM Webhook Lifecycle              A SIEM webhook endpoint was created, updated, or deleted

Event Forwarding (SIEM Webhooks)

Below the Audit Log panel, Organization Administrators can configure SIEM webhook endpoints to automatically forward audit events to external security platforms like Splunk, Datadog, or any HTTP endpoint.

Creating a Webhook

  1. Scroll to the Event Forwarding (SIEM) section.
  2. Enter a recognizable Identifier (e.g., "Datadog Production").
  3. Enter the destination Endpoint URL (must be HTTPS).
  4. Click Register Endpoint.

IMPORTANT

Upon creation, a one-time Signing Secret is displayed. This HMAC-SHA256 key is used to verify the authenticity of payloads arriving at your endpoint. Copy it immediately — it cannot be retrieved later.

Testing Connectivity

Click the Test button next to any active webhook to send a synthetic test event. The result shows whether the endpoint responded successfully (including the HTTP status code) or whether an error occurred.

Rotating a Secret

If a signing secret is compromised, click Rotate Secret to immediately invalidate the old secret and generate a new one. Update your SIEM integration's verification logic with the new secret.

CAUTION

Rotating a secret immediately invalidates the previous one. Any endpoint still verifying with the old secret will begin rejecting legitimate payloads until updated.
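
The following receiver-side check is an added example, not Ngwenya's own code, showing how an endpoint can verify payloads with the Signing Secret and what happens after a rotation. This page does not state the header name, the signature encoding, or which bytes are signed, so the example assumes a hex-encoded HMAC-SHA256 over the raw request body; all function names, secrets, and the sample payload are constructed.

```python
import hashlib
import hmac
import json

# Assumed (not stated on the page): the signature is the hex-encoded
# HMAC-SHA256 of the raw request body, delivered in a request header.

def sign(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body under the webhook signing secret."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def verify(secrets, raw_body: bytes, received_sig: str) -> bool:
    """True if received_sig matches the body under any configured secret."""
    if not received_sig:
        return False
    candidate = received_sig.strip().lower().encode()
    ok = False
    for secret in secrets:
        expected = sign(secret, raw_body).encode()
        # compare_digest is constant-time, so mismatches leak no timing signal.
        ok |= hmac.compare_digest(expected, candidate)
    return ok

def handle_delivery(secrets, raw_body: bytes, received_sig: str):
    """Return (HTTP status, parsed event or None) for one webhook delivery.

    The MAC is checked over the bytes exactly as received, before parsing:
    re-serializing JSON changes whitespace and key order and breaks the MAC.
    """
    if not verify(secrets, raw_body, received_sig):
        return 401, None
    return 200, json.loads(raw_body)

# Constructed sample values, not real Ngwenya secrets or payloads.
OLD_SECRET = "constructed-old-secret"
NEW_SECRET = "constructed-new-secret"
SAMPLE_BODY = b'{"type": "Member Removed", "actor": "alice@example.com"}'

if __name__ == "__main__":
    sig_after_rotation = sign(NEW_SECRET, SAMPLE_BODY)
    # Receiver still holding only the old secret rejects legitimate events.
    print(handle_delivery([OLD_SECRET], SAMPLE_BODY, sig_after_rotation))
    # Once the new secret is deployed, the same delivery verifies.
    print(handle_delivery([NEW_SECRET], SAMPLE_BODY, sig_after_rotation))
    # A modified body fails even with the right secret.
    print(handle_delivery([NEW_SECRET], SAMPLE_BODY + b" ", sig_after_rotation))
```

Load the secret from a secrets manager or environment variable rather than source code, and alert on a sustained run of 401 responses, since that pattern is what a missed rotation looks like from the receiver's side.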

Deleting a Webhook

Click Delete to permanently remove a webhook endpoint. Event forwarding to that destination stops immediately.