
Overview

The Audit Log page captures authentication activity, user and team changes, permission updates, API key actions, model changes, credential activity, and other resource changes. Use it to answer who took an action, what the action changed or accessed, when it occurred, and where the request came from. Poolside collects and processes audit events in batches, so recent events can take up to 5 minutes to appear in the Poolside Console.

Review audit events

The Audit Log page lists audit events. Use the table controls to narrow the events you want to review, then select an event to view its details.
Prerequisites
  • You belong to a team with the tenant-admin role.
Steps
  1. In the Poolside Console, navigate to Security > Audit Log.
  2. Use the table controls to narrow the events you want to review. For example, filter by date range, actor type, resource type, or action. Your audit-log retention setting constrains the available date range. If you filter by resource type first, the action filter narrows to show only actions for that resource type.
  3. Optionally, use the column visibility menu to show or hide columns.
  4. Select an event row to open its details.

Event details

The event details view provides additional context for a selected audit event. Every event includes:
  • Actor type (user, service account, or anonymous) and actor identity
  • Action recorded
  • Resource type
  • Timestamp
  • Request ID, user agent, and IP address
The details view also includes event-specific metadata that varies by event type, such as related resources. For example, a Create Agent Session event includes the agent used for the session.

Configure audit log retention

Poolside stores audit events in its database for the configured retention duration, which defaults to 90 days. During that time, the events are available from the Poolside Console. Poolside removes events older than the retention duration. You can configure retention with a deployment environment variable.
Steps
  1. In the Poolside deployment configuration for core-api, set FORGE_AUDIT_HOT_STORAGE_RETENTION_DAYS to the number of days to keep audit events available in Poolside.
    FORGE_AUDIT_HOT_STORAGE_RETENTION_DAYS=90
    
  2. Apply the configuration using your Poolside deployment workflow, then redeploy Poolside.

Configure S3 export for audit logs

Configure S3 export to have Poolside upload audit logs to S3 as JSON Lines (JSONL) files in Open Cybersecurity Schema Framework (OCSF) format. You can use these files to integrate audit logs with security information and event management (SIEM) systems. Poolside publishes events to S3 in hourly batches, so events can take up to 1 hour to appear.
Prerequisites
  • You have an S3 bucket and region for audit log export.
  • If you use Amazon Web Services Key Management Service encryption, you have the key ID.
Steps
  1. In the Poolside deployment configuration, set the following deployment settings:
    Setting                    Requirement  Description
    FORGE_AUDIT_S3_BUCKET      Required     S3 bucket for audit log export.
    FORGE_AUDIT_S3_REGION      Required     Amazon Web Services region for the S3 bucket.
    FORGE_AUDIT_S3_PREFIX      Optional     S3 prefix for audit log objects. Defaults to audit.
    FORGE_AUDIT_S3_KMS_KEY_ID  Optional     Amazon Web Services Key Management Service key ID for server-side encryption.
  2. Apply the configuration using your Poolside deployment workflow, then redeploy Poolside.
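
Before wiring the exported JSONL files into a SIEM, it helps to confirm they parse and carry the fields your detections rely on. The following is an added example, not Poolside code: the field paths (time, actor.user.name, api.operation, src_endpoint.ip) are assumed from the generic OCSF API Activity layout, the sample lines are constructed, and the helper names are hypothetical. It skips unparseable lines and flags an actor that appears from a source IP not seen earlier for that actor.

```python
import json
from collections import defaultdict

# Constructed sample export. Field paths are ASSUMED from the generic OCSF
# API Activity layout; confirm them against a real exported file.
def _ev(ms, user, ip):
    return json.dumps({"time": ms, "actor": {"user": {"name": user}},
                       "api": {"operation": "Create Agent Session"},
                       "src_endpoint": {"ip": ip}})

SAMPLE = "\n".join([
    _ev(1700000900000, "alice", "198.51.100.7"),  # later event, listed first
    _ev(1700000000000, "alice", "203.0.113.10"),
    _ev(1700000300000, "bob", "192.0.2.5"),
    '{"time": 17000003',                          # truncated line
])

def parse_jsonl(text):
    """Return (events, bad_line_numbers); one JSON object per non-empty line."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(n)  # keep the line number so the gap can be investigated
    return events, bad

def field(obj, path, default=None):
    """Walk a dotted path through nested dicts without raising."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def new_source_ips(events):
    """Flag events where an actor appears from an IP not seen before for it."""
    seen, alerts = defaultdict(set), []
    # Sort by event time: order inside a batch file is not assumed.
    for ev in sorted(events, key=lambda e: field(e, "time", 0)):
        actor = field(ev, "actor.user.name", "anonymous")
        ip = field(ev, "src_endpoint.ip")
        if ip is None:
            continue
        if seen[actor] and ip not in seen[actor]:
            alerts.append((actor, ip, field(ev, "api.operation")))
        seen[actor].add(ip)
    return alerts
```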