Audit Log
The audit log is the admin view of security-relevant activity in Sibyl. It is restricted to Sibyl.Admin and Sibyl.Owner.
Open The Audit Log
In the web UI, open Settings > Admin > Audit Log. The table supports filtering by:
- User.
- Action.
- Resource type and resource ID.
- Time range.
The API surface is /api/admin/audit and supports paginated JSON responses. Exports are available as JSON and CSV for incident review or SIEM ingestion.
Events To Expect
The audit surface records security and data-governance events such as:
| Event family | Examples |
|---|---|
| Authentication | auth.oidc.login, auth.token.refresh, auth.local.login, auth.break_glass.login, logout |
| API keys | auth.api_key.create, auth.api_key.revoke, and scoped access decisions |
| Memory | memory.remember, memory.recall, context receipts, reflection, promotion, deletion |
| Access control | org.member.update_role, project.member.update_role, invitations, session revocation |
| Operations | Backup actions, restore drills, settings updates |
Event details should be useful for investigation without exposing secrets. Exported rows should be treated as sensitive operational data.
Break-glass login details include the actor name, email, incident reason, break-glass start timestamp, and configured expiry so incident reviewers can tie emergency access back to an approved window.
Retention
Set retention in the deployment overlay to match your organization's policy. The default operational expectation is to keep enough history to investigate account compromise, data deletion, and backup events. Forward exports or logs to your SIEM or log warehouse if centralized retention is required.
Incident Review
For a suspected account issue:
- Filter by user and the suspected time window.
- Check login events and IP/user-agent metadata.
- Review API key creation and revoke events.
- Review memory and project actions after the suspicious login.
- Export JSON for a lossless record, then CSV for spreadsheet review if needed.
A member without Sibyl.Admin or Sibyl.Owner who requests the admin audit surface receives a forbidden response. That denial is intentional and should be covered by admin-access tests.
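The review steps above can be scripted against an export rather than clicked through one filter at a time. The following is an added example, not Sibyl's own code or tooling: it pages through a `/api/admin/audit`-style endpoint (the `{"items": [...], "next": N}` page shape is an assumption), scopes the rows to a user and time window, separates login events with their IP/user-agent metadata from API key changes and from memory/project actions that follow the first login from an unfamiliar IP, checks that each break-glass login falls inside its configured start-plus-expiry window (the `break_glass_start` and `expiry_minutes` detail keys are assumed names), and writes the result as JSON and CSV. The sample events are constructed for this example; only the action names come from the table on this page.

```python
"""Added example (not Sibyl's code): offline triage of exported audit events.
Field names, the pagination shape and the break-glass detail keys are assumptions."""
import csv
import io
import json
from datetime import datetime, timedelta

FIELDS = ["ts", "user", "action", "resource_type", "resource_id", "ip", "user_agent", "details"]

# Constructed sample export. Action names mirror the event table on this page.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "auth.oidc.login",
     "resource_type": "session", "resource_id": "s-1", "ip": "203.0.113.5",
     "user_agent": "Firefox/125", "details": {}},
    {"ts": "2024-05-01T23:10:00Z", "user": "alice", "action": "auth.local.login",
     "resource_type": "session", "resource_id": "s-2", "ip": "198.51.100.77",
     "user_agent": "curl/8.0", "details": {}},
    {"ts": "2024-05-01T23:12:00Z", "user": "alice", "action": "auth.api_key.create",
     "resource_type": "api_key", "resource_id": "k-9", "ip": "198.51.100.77",
     "user_agent": "curl/8.0", "details": {"scopes": ["memory:read"]}},
    {"ts": "2024-05-01T23:15:00Z", "user": "alice", "action": "memory.recall",
     "resource_type": "memory", "resource_id": "m-42", "ip": "198.51.100.77",
     "user_agent": "curl/8.0", "details": {}},
    {"ts": "2024-05-02T01:00:00Z", "user": "bob", "action": "auth.break_glass.login",
     "resource_type": "session", "resource_id": "s-3", "ip": "192.0.2.9",
     "user_agent": "Firefox/125",
     # Assumed detail keys: approved window starts 20:00 and lasts 240 minutes,
     # so this 01:00 login is one hour past the configured expiry.
     "details": {"incident_reason": "INC-0001", "break_glass_start": "2024-05-01T20:00:00Z",
                 "expiry_minutes": 240}},
]


def parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def paginate(fetch_page):
    """Collect every row from a paginated endpoint. fetch_page(page) is assumed to
    return {"items": [...], "next": <next page or None>}, as a wrapper around
    GET /api/admin/audit?page=N might; the real response shape may differ."""
    page, rows = 1, []
    while page is not None:
        body = fetch_page(page)
        rows.extend(body["items"])
        page = body.get("next")
    return rows


def filter_events(events, user=None, start=None, end=None, prefix=None):
    """The UI filters (user, time range, action prefix) applied to an export."""
    out = []
    for e in events:
        ts = parse_ts(e["ts"])
        if user and e["user"] != user:
            continue
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        if prefix and not e["action"].startswith(prefix):
            continue
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def triage(events, user, start, end, known_ips):
    """Steps 1-4 of the incident-review list: scope to the user and window, pull
    logins with IP/user-agent, API key create/revoke events, and every memory or
    project action after the first login from an IP not in known_ips."""
    scoped = filter_events(events, user=user, start=start, end=end)
    logins = [e for e in scoped
              if e["action"].startswith("auth.") and e["action"].endswith(".login")]
    suspicious = [e for e in logins if e["ip"] not in known_ips]
    api_keys = [e for e in scoped if e["action"].startswith("auth.api_key.")]
    after = []
    if suspicious:
        first = parse_ts(suspicious[0]["ts"])
        after = [e for e in scoped if parse_ts(e["ts"]) > first
                 and e["action"].split(".")[0] in ("memory", "project")]
    return {"logins": logins, "suspicious_logins": suspicious,
            "api_key_events": api_keys, "actions_after_login": after}


def break_glass_outside_window(events):
    """Break-glass logins whose timestamp is not inside
    [break_glass_start, break_glass_start + expiry_minutes]."""
    flagged = []
    for e in events:
        if e["action"] != "auth.break_glass.login":
            continue
        d = e["details"]
        win_start = parse_ts(d["break_glass_start"])
        win_end = win_start + timedelta(minutes=d["expiry_minutes"])
        if not (win_start <= parse_ts(e["ts"]) <= win_end):
            flagged.append(e)
    return flagged


def to_json(events):
    """Lossless record: nested details are preserved as-is."""
    return json.dumps(events, indent=2, sort_keys=True)


def to_csv(events):
    """Spreadsheet view: details are flattened to one JSON string per row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for e in events:
        row = dict(e)
        row["details"] = json.dumps(e["details"], sort_keys=True)
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    window = (parse_ts("2024-05-01T00:00:00Z"), parse_ts("2024-05-03T00:00:00Z"))
    report = triage(SAMPLE_EVENTS, "alice", *window, known_ips={"203.0.113.5"})
    print(json.dumps({k: [e["action"] for e in v] for k, v in report.items()}, indent=2))
    print("break-glass outside window:",
          [e["user"] for e in break_glass_outside_window(SAMPLE_EVENTS)])
    print(to_csv(report["suspicious_logins"]))
```

Keep the JSON export as the record of reference and derive the CSV from it, since flattening `details` to a string is lossy for anything nested; the same functions work on rows collected via `paginate` from the live endpoint once the page shape is confirmed against the deployment.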
