Skip to main content
Audit logs provide a comprehensive record of all user actions and system events in Activepieces, essential for security monitoring, compliance, and troubleshooting.

Overview

Audit logging captures:

User Actions

Authentication, authorization, and user management events

Resource Changes

Modifications to flows, connections, and configurations

System Events

Flow executions, errors, and system operations

Audit Event Types

Activepieces tracks these event categories:

Authentication Events

{
  action: ApplicationEventName.USER_SIGNED_UP,
  userId: "user_123",
  userEmail: "[email protected]",
  ip: "203.0.113.42",
  data: {
    source: "sso" | "credentials" | "managed",
    user: {
      id: "user_123",
      email: "[email protected]",
      firstName: "Alice",
      lastName: "Smith"
    }
  }
}
Captures:
  • New user registrations
  • Authentication method (SSO, credentials, managed auth)
  • User details and IP address

Flow Events

{
  action: ApplicationEventName.FLOW_CREATED,
  projectId: "proj_abc123",
  userId: "user_123",
  data: {
    flow: {
      id: "flow_xyz789",
      created: "2026-03-03T10:00:00.000Z",
      updated: "2026-03-03T10:00:00.000Z"
    },
    project: {
      displayName: "Marketing Team"
    }
  }
}

{
  action: ApplicationEventName.FLOW_UPDATED,
  projectId: "proj_abc123",
  userId: "user_123",
  data: {
    flowVersion: {
      id: "version_123",
      displayName: "Slack Notification",
      flowId: "flow_xyz789",
      created: "2026-03-03T10:00:00.000Z",
      updated: "2026-03-03T10:15:00.000Z"
    },
    request: {
      type: "ADD_ACTION" | "UPDATE_ACTION" | "DELETE_ACTION" |
            "CHANGE_NAME" | "LOCK_AND_PUBLISH" | ...,
      request: { /* operation details */ }
    },
    project: { displayName: "Marketing Team" }
  }
}
Tracked Operations:
  • ADD_ACTION, UPDATE_ACTION, DELETE_ACTION
  • CHANGE_NAME, CHANGE_STATUS, CHANGE_FOLDER
  • LOCK_AND_PUBLISH, USE_AS_DRAFT, LOCK_FLOW
  • MOVE_ACTION, DUPLICATE_ACTION
  • UPDATE_TRIGGER, UPDATE_METADATA
  • And more…
{
  action: ApplicationEventName.FLOW_DELETED,
  projectId: "proj_abc123",
  userId: "user_123",
  data: {
    flow: { id: "flow_xyz789", ... },
    flowVersion: {
      id: "version_123",
      displayName: "Slack Notification",
      flowId: "flow_xyz789"
    },
    project: { displayName: "Marketing Team" }
  }
}

Flow Run Events

{
  action: ApplicationEventName.FLOW_RUN_STARTED,
  projectId: "proj_abc123",
  data: {
    flowRun: {
      id: "run_abc123",
      flowId: "flow_xyz789",
      flowVersionId: "version_123",
      flowDisplayName: "Slack Notification",
      startTime: "2026-03-03T10:30:00.000Z",
      environment: "PRODUCTION",
      triggeredBy: {
        type: "WEBHOOK" | "SCHEDULE" | "FLOW",
        // ... trigger details
      },
      status: "RUNNING"
    },
    project: { displayName: "Marketing Team" }
  }
}

Connection Events

{
  action: ApplicationEventName.CONNECTION_UPSERTED,
  projectId: "proj_abc123",
  userId: "user_123",
  data: {
    connection: {
      id: "conn_123",
      displayName: "Slack Workspace",
      externalId: "T01234567",
      pieceName: "@activepieces/piece-slack",
      status: "ACTIVE",
      type: "OAUTH2",
      created: "2026-03-03T10:00:00.000Z",
      updated: "2026-03-03T10:00:00.000Z"
    },
    project: { displayName: "Marketing Team" }
  }
}

Project Role Events

{
  action: ApplicationEventName.PROJECT_ROLE_CREATED |
          ApplicationEventName.PROJECT_ROLE_UPDATED |
          ApplicationEventName.PROJECT_ROLE_DELETED,
  platformId: "platform_123",
  userId: "user_123",
  data: {
    projectRole: {
      id: "role_123",
      name: "Integration Specialist",
      permissions: [
        "READ_FLOW",
        "WRITE_FLOW",
        "READ_APP_CONNECTION"
      ],
      platformId: "platform_123",
      created: "2026-03-03T10:00:00.000Z",
      updated: "2026-03-03T10:00:00.000Z"
    }
  }
}

Folder Events

{
  action: ApplicationEventName.FOLDER_CREATED |
          ApplicationEventName.FOLDER_UPDATED |
          ApplicationEventName.FOLDER_DELETED,
  projectId: "proj_abc123",
  userId: "user_123",
  data: {
    folder: {
      id: "folder_123",
      displayName: "Production Flows",
      created: "2026-03-03T10:00:00.000Z",
      updated: "2026-03-03T10:00:00.000Z"
    },
    project: { displayName: "Marketing Team" }
  }
}

Querying Audit Logs

List Events

curl -X GET 'https://api.activepieces.com/v1/audit-events?limit=50' \
  -H 'Authorization: Bearer {token}'

Filter Parameters

ParameterTypeDescription
limitnumberMax results per page (default: 50)
cursorstringPagination cursor
actionstring[]Filter by event types
projectIdstring[]Filter by projects
userIdstringFilter by user
createdAfterISO dateEvents after timestamp
createdBeforeISO dateEvents before timestamp

Response Format

{
  data: [
    {
      id: "audit_abc123",
      platformId: "platform_123",
      projectId: "proj_abc123",
      projectDisplayName: "Marketing Team",
      userId: "user_123",
      userEmail: "[email protected]",
      action: "flow.created",
      ip: "203.0.113.42",
      created: "2026-03-03T10:00:00.000Z",
      data: { /* event-specific data */ }
    }
  ],
  next: "cursor_xyz",
  previous: null
}

Audit Log Storage

Database Schema

CREATE TABLE audit_event (
  id VARCHAR PRIMARY KEY,
  platform_id VARCHAR NOT NULL,
  project_id VARCHAR,
  user_id VARCHAR,
  user_email VARCHAR,
  project_display_name VARCHAR,
  action VARCHAR NOT NULL,
  ip VARCHAR,
  data JSONB NOT NULL,
  created TIMESTAMP NOT NULL,
  updated TIMESTAMP NOT NULL
);

CREATE INDEX ON audit_event (platform_id, project_id, user_id, action);
CREATE INDEX ON audit_event (platform_id, user_id, action);
CREATE INDEX ON audit_event (platform_id, action);

Retention

Configure log retention: 
# Environment variable
AP_AUDIT_LOG_RETENTION_DAYS=90
Default retention is 90 days. Adjust based on compliance requirements (e.g., SOC 2 requires 1 year).

Archival

Archive old logs to cold storage: 
-- Archive logs older than 1 year
COPY (
  SELECT * FROM audit_event
  WHERE created < NOW() - INTERVAL '1 year'
) TO '/archive/audit_events_2025.csv' CSV HEADER;

-- Delete archived logs
DELETE FROM audit_event
WHERE created < NOW() - INTERVAL '1 year';

Compliance Use Cases

SOC 2 Type II Requirements

Access Monitoring:
-- Track privileged access
SELECT user_email, action, created
FROM audit_event
WHERE action IN (
  'project.role.created',
  'project.role.updated',
  'user.signed.in'
)
ORDER BY created DESC;
Change Management:
-- Track production flow changes
SELECT user_email, data->>'flowVersion'->>'displayName', created
FROM audit_event
WHERE action = 'flow.updated'
  AND project_id = 'prod_project'
ORDER BY created DESC;
Required Retention: 12 months minimum

Security Monitoring

Suspicious Activity Detection

-- Multiple failed logins
SELECT user_email, ip, COUNT(*) as failed_attempts
FROM audit_event
WHERE action = 'user.signed.in'
  AND data->>'success' = 'false'
  AND created > NOW() - INTERVAL '1 hour'
GROUP BY user_email, ip
HAVING COUNT(*) >= 5;

-- Track role changes
SELECT 
  user_email,
  data->'projectRole'->>'name' as new_role,
  created
FROM audit_event
WHERE action = 'project.role.updated'
  AND data->'projectRole'->'permissions' ? 'WRITE_PROJECT_MEMBER'
ORDER BY created DESC;

-- Detect bulk deletions
SELECT user_email, COUNT(*) as deletions
FROM audit_event
WHERE action IN ('flow.deleted', 'connection.deleted')
  AND created > NOW() - INTERVAL '10 minutes'
GROUP BY user_email
HAVING COUNT(*) > 10;

-- Access outside business hours
SELECT user_email, action, created
FROM audit_event
WHERE EXTRACT(HOUR FROM created) NOT BETWEEN 8 AND 18
   OR EXTRACT(DOW FROM created) IN (0, 6)  -- Weekend
ORDER BY created DESC;

Alerting

Set up alerts for critical events: 
// Example alert logic
if (event.action === 'project.role.updated') {
  const newPermissions = event.data.projectRole.permissions
  if (newPermissions.includes('WRITE_PROJECT_MEMBER')) {
    await sendAlert({
      severity: 'HIGH',
      message: `Admin role granted to user ${event.userEmail}`,
      event
    })
  }
}

Export & Integration

Export to CSV

COPY (
  SELECT 
    created,
    user_email,
    action,
    project_display_name,
    ip
  FROM audit_event
  WHERE created > NOW() - INTERVAL '30 days'
  ORDER BY created DESC
) TO '/exports/audit_log.csv' CSV HEADER;

Stream to SIEM

Integrate with security information and event management systems: 
import { HEC } from '@splunk/splunk-logging'

const logger = new HEC({
  token: 'your-hec-token',
  url: 'https://splunk.company.com:8088'
})

// Send audit events
await logger.send({
  message: auditEvent,
  severity: 'info',
  source: 'activepieces',
  sourcetype: 'audit:log'
})

Event Summary

Generate human-readable summaries: 
import { summarizeApplicationEvent } from '@activepieces/shared'

const summary = summarizeApplicationEvent(auditEvent)
// Returns: "Flow run run_abc123 is started"
//       or "Updated action "Send Message" in "Slack Notification" Flow."

Best Practices

Regular Reviews

Review audit logs weekly for unusual patterns or security incidents.

Compliance Checks

Perform quarterly compliance audits using audit log queries.

Retention Policy

Set retention based on strictest compliance requirement (usually 1-7 years).

Access Control

Restrict audit log access to security and compliance teams.

Automated Alerts

Configure real-time alerts for critical security events.

Archive Strategy

Archive old logs to cost-effective storage (S3, Glacier, etc.).

Troubleshooting

Check:
  • Audit logging is enabled
  • Database has sufficient storage
  • No errors in application logs
  • Events not filtered by retention policy
Solutions:
  • Add database indexes on frequently queried fields
  • Implement log archival for old events
  • Use pagination for large result sets
  • Consider read replicas for audit queries
Check:
  • User identity mapping is working
  • Project information is available
  • IP extraction configured correctly (reverse proxy)

Users & Permissions

Track permission changes

Security Practices

Security monitoring

SSO Configuration

Track SSO logins

Build docs developers (and LLMs) love

Get started for freeTalk to us