How to use the Wazzi audit log

Path: Audit → Logs · URL: /audit-logs

What this page does

The Audit Log is the immutable, chronological record of everything that has changed in your org — who invited whom, who flipped what permission, who added a new connector instance, who enabled a Center, who deleted a portal. Use it for compliance, troubleshooting, security incident response, and "wait, who did what?" detective work.

Audit log overview page

What's logged

Wazzi logs every state-changing action across the dashboard, including:

User invites, role changes, deactivations.
Access group create / rename / delete; member adds and removes.
Permission toggle changes (per group, per surface).
Connector add / remove; instance add / update / delete.
Connector test results (success and failure).
Center enable / disable.
Data source assignment changes; manual syncs; scheduled sync results.
Knowledge Base article create / update / delete; portal changes.
Organization settings changes.
Sign-ins (success and failure).

If it changes Wazzi's state, it's in here.

What's NOT logged

By design, the audit log records actions on Wazzi itself — not the contents of MCP tool calls or arbitrary AI conversations. If you need that level of telemetry (for example, "every Asana task created via MCP last week"), use the audit / usage features of the external system.

Steps — using the log

1. Click Audit → Logs in the sidebar.

You'll see a chronological table of events with the actor, action, target, and timestamp. Recent activity is paginated — scroll down or use page navigation to step backwards in time.

Audit log showing recent events with actor, action, target, timestamp

The columns:

Timestamp — when the action happened (your local timezone).
Actor — the user (or system) that performed the action.
Action — permission.update, user.invite, connector.test, etc.
Target — what was changed (group name, user email, connector ID).
Details — expandable cell with before/after values and request metadata.

2. Search to find what you need.

The search box at the top of the page matches against any field — actor email, action name, target ID, even values inside the details payload. Combine with the date range filter to narrow further.

Common audit queries

Question	How to filter
"Who turned on MCP create for this connector?"	Search: connector name. Filter Action: `permission.update`.
"Who added this user to that group last week?"	Search: group or user. Filter Action: `group.member.add`.
"What did this contractor do during their engagement?"	Search: contractor's email. Date range: engagement window.
"Has this connector failed lately?"	Search: connector name. Filter Action: `connector.test.failure`.
"Who deactivated this user?"	Search: user email. Filter Action: `user.deactivate`.
"What changed in the last 24 hours that might explain X breaking?"	Date range: last 24h, scan for relevant actions.

Retention

Audit logs are retained for 365 days by default. Enterprise plans can extend this. After retention expires, individual log entries are deleted — but aggregate counts (e.g., "X invites this quarter") are retained indefinitely for compliance reporting.

Troubleshooting

An action I expected to see is missing. Check the date filter (the default may be "last 7 days" — extend it). If still missing, the action may not be a logged event type — see What's NOT logged above.
The Actor shows "system" instead of a user. That's a Wazzi-initiated action — typically a scheduled sync, a token rotation, or a billing event.
Log entries with my own email I don't recognize. Check the IP and user-agent in the Details. If it's not from your usual device, change your password / re-auth and contact your security lead.
Search returns nothing. Search matches whole tokens — try shorter substrings, or expand the date range.

Best practices

Make audit review a routine. Fifteen minutes monthly to scan for anomalies catches most issues early.
Watch for permission changes outside business hours. Real changes follow real workdays. Off-hours permission.update events deserve a second look.
Use the log to write postmortems. When something breaks, the log usually tells you exactly when and why — sometimes before the affected user even noticed.

Frequently asked questions

Can I export audit logs?
Yes — the table has an Export button (top-right, next to filters). CSV or JSON.

Can I stream audit events to an external SIEM?
Yes, via Wazzi's webhooks (configurable in Settings → Webhooks). Talk to your Wazzi administrator.

Are AI tool calls logged here?
No — only Wazzi state changes. Tool call telemetry lives in the connector's own audit log on the external side.

What's next

If something looks wrong, head to the relevant page (e.g., Managing Permissions or Configuring Data Sources) to fix it. The audit log will record the corrective action too.