What’s captured
Audit logs capture admin and agent actions across tickets and moderation. Typical events include:
- Ticket created, assigned, tagged, closed
- Automation rule executed (rule id + outcome)
- Moderation actions (warn/timeout/kick/ban) and approvals
- Security changes (token created, SSO policy updated)
Retention
Retention is configurable per workspace. Common policies are 30 days (small communities) and 365 days (regulated environments).
Warning
Retention affects exports. If you need long-term storage, enable export to your own storage before you go live.
Export and downstream storage
Export audit events on a schedule (daily) or stream them via webhook. Exports support JSONL for easy ingestion into SIEM tools.
JSONL audit event (example)
{"type":"ticket.closed","at":"2025-12-01T12:30:00Z","actor":{"id":"usr_...","role":"agent"},"ticketId":"tkt_...","meta":{"resolution":"refund"}}Integrity guarantees
Audit logs are append-only. Events include a unique id and a hash-chain field so downstream systems can detect missing or reordered events.
Note
Hash chaining is a defense-in-depth measure. Your compliance requirements may still require separate log storage.