Audit Logs
Track every action across your organisation with a tamper-proof audit trail and log forwarding.
Audit Trail
OnePAM records an immutable audit log for every significant action: authentication events, session activity, resource changes, policy modifications, secret access, team and user management, API key usage, and more. Logs are available from the Audit Logs page and can be forwarded to external SIEM systems.
Browsing Audit Logs
Navigate to Audit Logs in the sidebar. Each log entry shows:
- Timestamp — when the event occurred.
- User — who performed the action.
- Action — what was done (e.g.
auth.login,resource.create,secret.reveal). - Resource Type — the type of entity affected.
- Resource — the specific entity.
- Details — additional context (expandable).
- Client IP — source IP of the request.
Action Categories
- Authentication & SSO
- Sessions & recordings
- Resources
- Secrets & vault
- Users & teams
- Groups & permissions
- Alerts & rules
- API keys
- Domains & SAML
- VPN & mesh
- Billing & plan
- Settings changes
Use the search bar and action-type filter to narrow results. You can also export audit logs as CSV for offline analysis and compliance reporting.
Log Forwarding
Forward audit logs to your SIEM or log management platform in real time. Navigate to Settings → Log Forwarding to configure destinations.
Supported Destinations
| Destination | Protocol | Description |
|---|---|---|
| Webhook | HTTPS POST | Forward events as JSON to any HTTP endpoint |
| Splunk HEC | HTTPS | Send events to Splunk HTTP Event Collector |
| Datadog | HTTPS | Stream logs to Datadog Logs |
| Elasticsearch | HTTPS | Index events into Elasticsearch |
| Syslog | TCP/UDP/TLS | Forward to a syslog receiver (RFC 5424) |
Each destination can be tested before saving to verify connectivity. The destination list shows enabled state, format, and delivery statistics.
Recording Storage Business+
By default, session recordings are stored in OnePAM's cloud infrastructure. For data residency or compliance requirements, configure Customer-managed recording storage under Settings → Recording Storage.
- Provide your S3-compatible bucket details (bucket name, region, endpoint, access/secret keys).
- Optionally set a key prefix and enable path-style addressing.
- Use the Test Connection button to verify access before saving.