Enterprise audit logging provides extended retention, real-time streaming, SIEM integration, and compliance-ready reporting.
Enterprise vs Standard Audit
| Feature | Standard | Enterprise |
|---|---|---|
| Retention | 90 days | Extended (custom) |
| Export | Manual CSV | Automated, multiple formats |
| Real-time Streaming | No | Yes (SIEM integration) |
| Custom Events | Limited | Extensive |
| Compliance Reports | Basic | SOC 2, HIPAA ready |
| Search | Basic | Advanced query |
| Alerts | Limited | Custom rules |
Extended Retention
Configure Retention
- Go to Settings → Activity tab
- Set retention period
- Save
Retention Options
| Period | Use Case |
|---|---|
| 1 year | Standard enterprise |
| 2 years | Financial services |
| Custom | Specific requirements (contact your account manager) |
Storage Considerations
Extended retention includes:
- All logged events
- Full event details
- Immutable storage
- Encrypted at rest
Event Categories
Authentication Events
| Event | Details Captured |
|---|---|
| login.success | User, IP, device, location |
| login.failed | User, IP, reason, attempts |
| logout | User, session duration |
| mfa.enrolled | User, method |
| mfa.challenge | User, method, result |
| password.changed | User, admin/self |
| session.expired | User, duration |
Team Events
| Event | Details Captured |
|---|---|
| member.invited | Target, role, inviter |
| member.joined | User, method |
| member.removed | Target, remover, reason |
| member.role_changed | Target, from, to, changer |
| member.permissions_changed | Target, changes, changer |
Data Events
| Event | Details Captured |
|---|---|
| data.exported | User, type, date range, format |
| data.accessed | User, resource type, filter |
| report.generated | User, report type, parameters |
| api.accessed | Key, endpoint, response code |
Configuration Events
| Event | Details Captured |
|---|---|
| website.created | Name, domain, creator |
| website.deleted | Name, deleter, reason |
| goal.created | Name, type, creator |
| settings.changed | Setting, old value, new value |
| integration.connected | Type, configurer |
Security Events
| Event | Details Captured |
|---|---|
| sso.configured | Provider, configurer |
| policy.changed | Policy type, changes |
| ip_restriction.updated | IPs added/removed |
| brute_force.detected | Target user, source IP |
| suspicious.activity | Type, details |
Advanced Search
Query Language
Search logs with advanced queries:
```text
user:john@company.com AND action:login.* AND time:>2025-01-01
```
Query Operators
| Operator | Example | Description |
|---|---|---|
| AND | a AND b | Both conditions |
| OR | a OR b | Either condition |
| NOT | NOT a | Exclude condition |
| : | field:value | Field equals |
| :* | field:val* | Wildcard match |
| :> | time:>date | Greater than |
| :< | time:<date | Less than |
Search Examples
```text
# Failed logins from specific IP
action:login.failed AND ip:192.168.1.100

# All admin actions today
role:admin AND time:>2025-01-15

# Data exports last 7 days
action:data.exported AND time:>now-7d

# Settings changes by specific user
user:admin@company.com AND action:settings.*
```
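As an added example (not Zenovay's own search engine), a small Python evaluator for the query syntax above: it handles AND/OR/NOT, exact field matches, `:*` wildcards and `time:>` / `time:<` comparisons including the `now-7d` relative form, run over constructed sample events. The precedence (NOT over AND over OR), the pinned `NOW` and the sample events are assumptions.

```python
import fnmatch
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like the page's event tables (not real Zenovay data).
EVENTS = [
    {"user": "john@company.com", "action": "login.success", "ip": "10.0.0.5", "time": "2025-01-16T09:00:00Z"},
    {"user": "john@company.com", "action": "login.failed", "ip": "192.168.1.100", "time": "2024-12-30T09:00:00Z"},
    {"user": "admin@company.com", "action": "settings.changed", "ip": "10.0.0.9", "time": "2025-01-15T14:30:00Z"},
    {"user": "admin@company.com", "action": "data.exported", "ip": "10.0.0.9", "time": "2025-01-20T08:00:00Z"},
]
NOW = datetime(2025, 1, 22, tzinfo=timezone.utc)  # pinned "now" so now-7d is reproducible

def parse_time(value):
    """Resolve 'now', 'now-7d'/'now-12h', a plain date, or an ISO timestamp to a UTC datetime."""
    m = re.fullmatch(r"now(?:-(\d+)([dh]))?", value)
    if m:
        n, unit = m.groups()
        return NOW - timedelta(**{"days" if unit == "d" else "hours": int(n)}) if n else NOW
    if "T" in value:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def match_term(term, event):
    """One field:value term; ':*' is a glob wildcard and ':>' / ':<' compare timestamps."""
    field, _, value = term.partition(":")
    actual = event.get(field)
    if actual is None or not value:
        return False
    if field == "time" and value[0] in "<>":
        have, want = parse_time(actual), parse_time(value[1:])
        return have > want if value[0] == ">" else have < want
    return fnmatch.fnmatchcase(str(actual), value)

def match_query(query, event):
    """NOT binds tightest, then AND, then OR; no parentheses, as in the page's examples."""
    for group in re.split(r"\s+OR\s+", query.strip()):
        ok = True
        for term in re.split(r"\s+AND\s+", group):
            negate = term.startswith("NOT ")
            hit = match_term(term[4:].strip() if negate else term.strip(), event)
            if hit == negate:  # a negated hit, or a plain miss, fails the AND group
                ok = False
                break
        if ok:
            return True
    return False

def search(query, events=EVENTS):
    return [e for e in events if match_query(query, e)]
```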
Saved Searches
Save frequently used queries:
- Execute search
- Click "Save Search"
- Name it
- Access from saved list
Real-Time Streaming
Webhook Delivery
Stream events via webhook:
- Go to Settings → Activity tab → Streaming
- Add webhook URL
- Select events to stream
- Enable
Webhook Payload
```json
{
  "event_id": "evt_abc123",
  "timestamp": "2025-01-15T14:30:00Z",
  "event_type": "member.role_changed",
  "actor": {
    "id": "user_123",
    "email": "admin@company.com",
    "role": "admin"
  },
  "target": {
    "id": "user_456",
    "email": "john@company.com"
  },
  "details": {
    "from_role": "viewer",
    "to_role": "editor"
  },
  "context": {
    "ip": "192.168.1.100",
    "user_agent": "Chrome/120",
    "location": "San Francisco, CA"
  }
}
```
Event Filtering
Choose which events to stream:
☑ Authentication events
☑ Team management events
☑ Security events
☐ Data access events (high volume)
☐ API access events (very high volume)
SIEM Integration
Supported SIEMs
| SIEM | Integration Method |
|---|---|
| Splunk | HTTP Event Collector |
| Datadog | Log forwarding |
| Elastic | Direct integration |
| Sumo Logic | HTTP source |
| QRadar | Syslog |
| Microsoft Sentinel | API |
Splunk Setup
- Create HTTP Event Collector in Splunk
- Get HEC token
- In Zenovay: Settings → Activity tab → SIEM
- Select Splunk
- Enter HEC URL and token
- Test connection
- Enable
Configuration
```text
┌─────────────────────────────────────────────────────┐
│ SIEM Integration │
│ ─────────────────────────────────────────────────── │
│ │
│ Provider: [Splunk ▼] │
│ │
│ HEC URL: │
│ [https://splunk.company.com:8088/services/... ] │
│ │
│ Token: │
│ [•••••••••••••••••••• ] │
│ │
│ Index: │
│ [zenovay_audit ] │
│ │
│ Events to Forward: │
│ ☑ All security events │
│ ☑ Authentication events │
│ ☑ Team management │
│ ☐ Data access (high volume) │
│ │
│ [Test Connection] [Save] │
└─────────────────────────────────────────────────────┘
```
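As an added example of what the streaming and Splunk setup amount to on the wire (not Zenovay's or Splunk's own code), this Python snippet takes the webhook payload shown in the Real-Time Streaming section, applies the category checkboxes from the form above, and wraps the event in a Splunk HEC envelope targeting the `zenovay_audit` index. The category mapping, the `source`/`sourcetype` names and the sample token are assumptions.

```python
import json
from datetime import datetime

# Constructed payload, copied in shape from the page's "Webhook Payload" example.
SAMPLE_EVENT = {
    "event_id": "evt_abc123",
    "timestamp": "2025-01-15T14:30:00Z",
    "event_type": "member.role_changed",
    "actor": {"id": "user_123", "email": "admin@company.com", "role": "admin"},
    "target": {"id": "user_456", "email": "john@company.com"},
    "details": {"from_role": "viewer", "to_role": "editor"},
    "context": {"ip": "192.168.1.100", "user_agent": "Chrome/120", "location": "San Francisco, CA"},
}
# event_type prefix -> category, following the page's event tables (assumed mapping).
CATEGORIES = {
    "login": "authentication", "logout": "authentication", "mfa": "authentication",
    "password": "authentication", "session": "authentication", "member": "team",
    "data": "data_access", "report": "data_access", "api": "api_access",
    "website": "configuration", "goal": "configuration", "settings": "configuration",
    "integration": "configuration", "sso": "security", "policy": "security",
    "ip_restriction": "security", "brute_force": "security", "suspicious": "security",
}
# Mirrors the checkbox state in the form above: the high-volume data/API categories stay unchecked.
FORWARD = {"security", "authentication", "team", "configuration"}

def category_of(event_type):
    return CATEGORIES.get(event_type.split(".", 1)[0], "unknown")

def to_hec_event(payload, index="zenovay_audit", sourcetype="zenovay:audit"):
    """Wrap one audit event in a HEC envelope; None means its category is filtered out.
    The sourcetype/source names are assumptions, not values the page specifies."""
    if category_of(payload["event_type"]) not in FORWARD:
        return None
    ts = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
    return {
        "time": ts.timestamp(),            # HEC expects epoch seconds, not ISO text
        "host": "zenovay",
        "source": "zenovay_audit_webhook",
        "sourcetype": sourcetype,
        "index": index,
        "event": payload,                  # keep the full payload searchable as-is
    }

def hec_request(payload, hec_url, token):
    """Return the request a forwarder would POST; the caller supplies the real HEC token."""
    envelope = to_hec_event(payload)
    if envelope is None:
        return None
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return {"url": hec_url, "headers": headers, "body": json.dumps(envelope)}
```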
Compliance Reports
Pre-Built Reports
| Report | Use Case |
|---|---|
| User Access Report | Who has access to what |
| Login Activity | Authentication patterns |
| Permission Changes | Role and access changes |
| Data Access | Who accessed what data |
| Admin Actions | All administrative activity |
SOC 2 Report Package
Includes:
- Access control audit
- Change management log
- Security event summary
- User activity report
Generating Reports
- Go to Audit → Reports
- Select report type
- Choose date range
- Generate
- Download or schedule
Report Format
```text
┌─────────────────────────────────────────────────────┐
│ SOC 2 Audit Report │
│ Period: January 1-31, 2025 │
│ Generated: February 1, 2025 │
│ ─────────────────────────────────────────────────── │
│ │
│ 1. Access Control Summary │
│ Total Users: 89 │
│ Admins: 5 │
│ Users Added: 8 │
│ Users Removed: 3 │
│ │
│ 2. Authentication Summary │
│ Total Logins: 2,450 │
│ Failed Logins: 45 (1.8%) │
│ MFA Compliance: 100% │
│ │
│ 3. Security Events │
│ Policy Changes: 2 │
│ Suspicious Activity: 0 │
│ Lockouts: 3 │
│ │
│ [Full details in attached CSV] │
└─────────────────────────────────────────────────────┘
```
Custom Alerts
Alert Configuration
Create custom alert rules:
```text
┌─────────────────────────────────────────────────────┐
│ Create Alert Rule │
│ ─────────────────────────────────────────────────── │
│ │
│ Name: Multiple Failed Logins │
│ │
│ Condition: │
│ Event type: [login.failed ▼] │
│ Count: [5] within [10] minutes │
│ Group by: [user ▼] │
│ │
│ Severity: [High ▼] │
│ │
│ Actions: │
│ ☑ Email: security@company.com │
│ ☑ Slack: #security-alerts │
│ ☐ Webhook │
│ │
│ [Create Alert] │
└─────────────────────────────────────────────────────┘
```
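As an added example (not Zenovay's alerting engine), the rule in the form above implemented as a sliding-window detector in Python and run over constructed login events: five `login.failed` events for one user within ten minutes raise one High alert, two attempts half an hour apart do not. The flat `user`/`ip` field names on the sample events are assumptions, not the page's payload schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample stream: john fails 5 times in 4 minutes (should fire), amy fails twice
# 30 minutes apart (should not), and an unrelated success event must be ignored.
SAMPLE_EVENTS = [
    {"event_type": "login.failed", "timestamp": f"2025-01-15T09:0{i}:00Z",
     "user": "john@company.com", "ip": "192.168.1.100"} for i in range(5)
] + [
    {"event_type": "login.failed", "timestamp": "2025-01-15T09:00:00Z", "user": "amy@company.com", "ip": "10.0.0.7"},
    {"event_type": "login.failed", "timestamp": "2025-01-15T09:30:00Z", "user": "amy@company.com", "ip": "10.0.0.7"},
    {"event_type": "login.success", "timestamp": "2025-01-15T09:05:00Z", "user": "john@company.com", "ip": "192.168.1.100"},
]

def evaluate_rule(events, event_type="login.failed", count=5, minutes=10, group_by="user",
                  severity="High", name="Multiple Failed Logins"):
    """Sliding-window rule matching the form above: fire when `count` events of `event_type`
    for the same `group_by` value land within `minutes`; one alert per burst."""
    window = timedelta(minutes=minutes)
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_type"] != event_type:
            continue
        key, ts = ev[group_by], parse_ts(ev["timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= count:
            alerts.append({"name": name, "severity": severity, group_by: key, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()                  # reset so one burst raises one alert, not one per extra attempt
    return alerts
```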
Alert Types
| Alert | Trigger | Recommended Action |
|---|---|---|
| Brute Force | 5+ failed logins | Investigate IP |
| Privilege Escalation | Role → Admin | Verify the change is legitimate |
| Mass Export | Large data export | Review need |
| Off-Hours Access | Login outside business hours | Confirm user |
| New Location | Login from new country | Verify user |
Data Integrity
Immutable Logs
Audit logs are:
- Write-once, read-many
- Cannot be modified
- Cannot be deleted (within retention)
- Cryptographically verified
Hash Chain
Each event is linked to the previous one:
Event 1 → Hash → Event 2 → Hash → Event 3
Any tampering breaks the chain.
Verification
Verify log integrity:
- Go to Audit → Verification
- Select date range
- Run verification
- View results
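As an added illustration of the hash-chain idea (not Zenovay's actual chain format or verification tool), a Python build-and-verify routine over constructed events: the intact chain verifies, while editing a stored record or deleting one from the middle breaks the chain at the first affected link. The genesis value and record layout are assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first link; a real system would pin a known root

def canonical(event):
    """Deterministic bytes for an event, so the same record always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash, event):
    """hash_n = SHA-256(hash_{n-1} || event_n): each link commits to everything before it."""
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        h = link_hash(prev, ev)
        chain.append({"event": ev, "prev_hash": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return (True, None) if every link checks out, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != link_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed sample events using the page's event-type vocabulary.
SAMPLE = [
    {"event_id": "evt_1", "event_type": "login.success", "user": "john@company.com"},
    {"event_id": "evt_2", "event_type": "member.role_changed", "details": {"from_role": "viewer", "to_role": "editor"}},
    {"event_id": "evt_3", "event_type": "settings.changed", "user": "admin@company.com"},
]

def tamper_demo():
    """Intact chain verifies; an in-place edit or a deleted record is caught at the first affected link."""
    chain = build_chain(SAMPLE)
    edited = copy.deepcopy(chain)
    edited[1]["event"]["details"]["to_role"] = "admin"   # silent rewrite of a stored record
    deleted = chain[:1] + chain[2:]                       # record evt_2 removed from the middle
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)
```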
Export Options
Automated Export
Schedule regular exports:
| Frequency | Destination |
|---|---|
| Daily | S3 bucket |
| Weekly | SFTP server |
| Monthly | |
Export Formats
| Format | Use Case |
|---|---|
| JSON | System integration |
| CSV | Spreadsheet analysis |
| CEF | SIEM ingestion |
| LEEF | QRadar |
Bulk Export
For large exports:
- Request via Settings → Activity tab → Export
- Receive notification when ready
- Download from secure link
- Link expires in 24 hours
Best Practices
Regular Review
| Review | Frequency |
|---|---|
| Security events | Daily |
| Admin actions | Weekly |
| Access changes | Weekly |
| Full audit | Monthly |
Retention Strategy
Balance:
- Compliance requirements
- Storage costs
- Investigation needs
Alert Tuning
- Start with conservative thresholds
- Tune based on false positives
- Review alert rules regularly
Troubleshooting
Events Missing
If events are not appearing:
- Check date/time range
- Verify event types selected
- Allow processing time (a few minutes)
SIEM Not Receiving
If SIEM integration fails:
- Verify credentials
- Check network connectivity
- Review error logs
- Test connection
Reports Slow
If reports take too long:
- Reduce date range
- Filter to specific events
- Schedule for off-hours