oCore Docs

Audit Logs

Track user actions, login events, and system changes for compliance and security monitoring.

oCore records audit logs for every significant action performed in your organization. Audit logs provide a tamper-resistant record of who did what and when, supporting compliance requirements, security investigations, and operational troubleshooting.

What Events Are Logged

oCore audit logs capture events across all resource types:

Authentication Events

| Event | Description |
|---|---|
| auth.login | User logged in (includes method: password, TOTP, passkey) |
| auth.logout | User logged out |
| auth.login_failed | Failed login attempt (wrong password, invalid TOTP) |
| auth.totp_enabled | User enabled two-factor authentication |
| auth.totp_disabled | User disabled two-factor authentication |
| auth.passkey_registered | User registered a passkey (WebAuthn) |
| auth.password_changed | User changed their password |
| auth.password_reset | Password reset requested |

Organization Events

| Event | Description |
|---|---|
| org.updated | Organization name, slug, or settings changed |
| org.settings_updated | Organization settings modified |
| member.invited | New member invitation sent |
| member.joined | New member accepted invitation |
| member.role_changed | Member's role was updated |
| member.removed | Member was removed from organization |

Infrastructure Events

| Event | Description |
|---|---|
| server.created | New server added |
| server.updated | Server settings changed |
| server.deleted | Server removed |
| instance.created | New instance created |
| instance.started | Instance started |
| instance.stopped | Instance stopped |
| instance.restarted | Instance restarted |
| instance.deleted | Instance deleted |
| instance.settings_updated | Instance settings changed |

Deployment Events

| Event | Description |
|---|---|
| deployment.triggered | Deployment started (manual or webhook) |
| deployment.completed | Deployment finished successfully |
| deployment.failed | Deployment failed |
| deployment.rolled_back | Deployment rolled back via snapshot |

Data Management Events

| Event | Description |
|---|---|
| backup.created | Backup created (manual or scheduled) |
| backup.restored | Backup restored |
| backup.deleted | Backup deleted |
| database.created | Database created |
| database.dropped | Database dropped |
| database.neutralized | Database neutralized |

Access Control Events

| Event | Description |
|---|---|
| role.created | Custom role created |
| role.updated | Role permissions changed |
| role.deleted | Custom role deleted |
| api_key.created | API key created |
| api_key.revoked | API key revoked |
| webhook_endpoint.created | Webhook endpoint created |
| webhook_endpoint.deleted | Webhook endpoint deleted |

Viewing Audit Logs

Dashboard View

The audit log page in the dashboard provides a filterable, searchable view of all events. Each log entry shows:

  • Timestamp -- When the event occurred (UTC)
  • Actor -- Who performed the action (user email or "system" for automated events)
  • Action -- The event type (e.g., instance.created)
  • Resource -- The affected resource type and ID
  • Details -- Additional context (IP address, user agent, changed fields)

API Access

Using curl:

curl "https://ocore.example.com/api/audit-logs?limit=50&offset=0" \
  -H "Authorization: Bearer $TOKEN"

Using the ocore CLI:

ocore audit list --limit 50

Filtering

Filter audit logs by multiple criteria:

curl "https://ocore.example.com/api/audit-logs?\
action=instance.created&\
userId=USER_UUID&\
from=2026-02-01T00:00:00Z&\
to=2026-02-28T23:59:59Z&\
limit=50" \
  -H "Authorization: Bearer $TOKEN"

Available filters:

| Filter | Description | Example |
|---|---|---|
| action | Event type | deployment.triggered |
| userId | Actor user ID | UUID |
| resourceType | Resource category | instance, server, member |
| resourceId | Specific resource ID | UUID |
| from | Start date (inclusive) | ISO 8601 timestamp |
| to | End date (inclusive) | ISO 8601 timestamp |
| limit | Results per page | 50 |
| offset | Pagination offset | 0 |

Login Event Tracking

Login events receive special attention in the audit log because they are the most security-sensitive:

What Login Logs Capture

| Field | Description |
|---|---|
| IP Address | The client's IP address |
| User Agent | Browser or API client identifier |
| Auth Method | How the user authenticated (password, TOTP, passkey, API key) |
| Success/Failure | Whether the attempt succeeded |
| Failure Reason | Why it failed (wrong password, invalid TOTP code, account locked) |

Suspicious Login Detection

Review login events for security anomalies:

  • Multiple failed attempts from the same IP (possible brute force)
  • Logins from unusual geographic locations
  • Logins at unusual times
  • New user agents appearing

# View recent failed login attempts
curl "https://ocore.example.com/api/audit-logs?action=auth.login_failed&limit=20" \
  -H "Authorization: Bearer $TOKEN"
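
Two of the checks listed above (repeated failures from one IP and new user agents), applied to entries already fetched from the API. This is an added example, not part of the oCore documentation: the JSON field names (timestamp, actor, action, details.ip, details.userAgent), the threshold, the window and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_entry(ts, actor, action, ip, ua):  # assumed entry shape, not oCore's schema
    return {"timestamp": ts, "actor": actor, "action": action,
            "details": {"ip": ip, "userAgent": ua}}

# Constructed sample data: six failures in five minutes from one IP, then a
# user whose third successful login arrives with a user agent not seen before.
SAMPLE = [make_entry(f"2026-02-10T03:0{i}:00Z", "alice@example.com", "auth.login_failed",
                     "203.0.113.7", "python-requests/2.31") for i in range(6)] + [
    make_entry("2026-02-10T08:00:00Z", "bob@example.com", "auth.login_failed", "198.51.100.4", "Firefox/122.0"),
    make_entry("2026-02-10T08:01:00Z", "bob@example.com", "auth.login", "198.51.100.4", "Firefox/122.0"),
    make_entry("2026-02-11T08:00:00Z", "bob@example.com", "auth.login", "198.51.100.4", "Firefox/122.0"),
    make_entry("2026-02-12T02:30:00Z", "bob@example.com", "auth.login", "192.0.2.50", "curl/8.5.0"),
]

def parse_ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Map each IP to its peak failure count in any window, if >= threshold."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["action"] == "auth.login_failed":
            by_ip[e["details"]["ip"]].append(parse_ts(e))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def new_user_agents(entries):
    """List (actor, user agent, timestamp) for logins with an unseen user agent."""
    seen, alerts = defaultdict(set), []
    for e in sorted(entries, key=parse_ts):
        if e["action"] != "auth.login":
            continue
        actor, ua = e["actor"], e["details"]["userAgent"]
        if seen[actor] and ua not in seen[actor]:  # first login only sets the baseline
            alerts.append((actor, ua, e["timestamp"]))
        seen[actor].add(ua)
    return alerts
```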

Data Retention

Audit log retention depends on your deployment configuration:

| Tier | Retention | Notes |
|---|---|---|
| Default | 90 days | Suitable for most organizations |
| Extended | 1 year | For compliance requirements (GDPR, SOC 2) |
| Custom | Configurable | Set via organization settings |

Audit Logs Are Immutable

Once written, audit log entries cannot be modified or deleted through the API. This ensures the integrity of the audit trail for compliance purposes.

Integration with External Systems

Exporting Audit Logs

For long-term archival or SIEM integration, export audit logs periodically:

# Export logs for a date range
curl "https://ocore.example.com/api/audit-logs/export?\
from=2026-02-01T00:00:00Z&\
to=2026-02-28T23:59:59Z" \
  -H "Authorization: Bearer $TOKEN" \
  -o audit-export.json

Webhook Notifications

Configure webhook endpoints to receive real-time audit event notifications. See Webhooks for setup instructions.

Required Permissions

| Action | Permission |
|---|---|
| View audit logs | view:audit_logs |
| Export audit logs | view:audit_logs |

All system roles except Viewer have audit log view access by default.

Troubleshooting

Audit logs missing events

  • Events are logged asynchronously -- there may be a brief delay (typically under 1 second)
  • Check your date range filter -- events use UTC timestamps
  • Automated system events (e.g., scheduled backups) show "system" as the actor

Cannot access audit logs

  • Verify your role has the view:audit_logs permission
  • Audit logs are scoped to your current organization
  • Some events may only be visible to organization Owners

Audit log query is slow

  • Use specific filters (action, date range, userId) rather than fetching all logs
  • Reduce the limit parameter for faster responses
  • Use pagination (offset) to browse large result sets

Events from API keys not showing user

  • API key events show the key name and ID rather than a user email
  • Cross-reference with the API key list to identify the creator