Audit Logs

Zero maintains comprehensive audit logs of all security-relevant events for compliance, troubleshooting, and incident response.

Audit Log Overview

Every audit log entry contains:

  • Timestamp: UTC timestamp of the event
  • Actor: User or system account that performed the action
  • Action: Type of action performed
  • Resource: Affected resource (device, user, policy)
  • Details: Action-specific details
  • Source IP: Origin IP address
  • Result: Success or failure

Event Types

Authentication Events

  • auth.login.success - Successful login
  • auth.login.failure - Failed login attempt
  • auth.mfa.challenge - MFA challenge issued
  • auth.mfa.verify - MFA verification
  • auth.logout - User logout
  • auth.session.expired - Session expiration

Device Events

  • device.enroll - New device enrolled
  • device.unenroll - Device removed
  • device.wipe - Work profile wiped
  • device.lock - Device locked
  • device.policy.sync - Policy synchronized
  • device.compliance.change - Compliance status changed

Policy Events

  • policy.create - Policy created
  • policy.update - Policy modified
  • policy.delete - Policy deleted
  • policy.assign - Policy assigned to group/user

User Events

  • user.create - User created
  • user.update - User modified
  • user.delete - User deleted
  • user.suspend - User suspended
  • user.role.change - Role changed

DLP Events

  • dlp.clipboard.blocked - Clipboard paste blocked
  • dlp.screenshot.blocked - Screenshot blocked
  • dlp.usb.blocked - USB device blocked
  • dlp.sensitive.detected - Sensitive data detected

Viewing Audit Logs

Dashboard

Navigate to Reports → Audit Logs to view logs in the dashboard.

Filtering

Filter logs by:

  • Date range
  • Event type
  • Actor (user)
  • Resource ID
  • Result (success/failure)

CLI

# View recent logs
zero logs audit --limit 100

# Filter by event type
zero logs audit --type auth.login.failure

# Filter by date range
zero logs audit --from 2024-01-01 --to 2024-01-31

# Filter by user
zero logs audit --actor user_abc123

# Export to JSON
zero logs audit --format json --output audit.json

Log Retention

  Plan           Retention
  Starter        30 days
  Professional   1 year
  Enterprise     7 years (configurable)

Exporting Logs

Manual Export

# Export as CSV
zero logs audit export --format csv --output audit.csv

# Export as JSON
zero logs audit export --format json --output audit.json

# Export specific date range
zero logs audit export --from 2024-01-01 --to 2024-12-31

SIEM Integration

Stream logs to your SIEM in real time:

  • Splunk: HEC endpoint integration
  • Elastic: Elasticsearch output
  • Datadog: Datadog logs API
  • Custom: Webhook to any endpoint

# Configure SIEM streaming
zero config set audit.siem.type splunk
zero config set audit.siem.endpoint https://splunk.company.com:8088
zero config set audit.siem.token HEC-TOKEN

Log Integrity

Audit logs are tamper-evident:

  • Cryptographic hash chain
  • Signed log entries
  • Immutable storage
  • Integrity verification available

# Verify log integrity
zero logs audit verify --from 2024-01-01

Audit Alerts

Configure alerts for specific events:

# Alert on failed logins
zero alerts create \
  --event auth.login.failure \
  --threshold 5 \
  --window 5m \
  --action email:security@company.com

Related Documentation