Audit logs
Audit logs record every significant administrative and security event in your hub. Use them for security review, compliance reporting, investigating unexpected changes, and demonstrating control to auditors.
What’s logged
Section titled “What’s logged”Audit log events fall into the following categories:
Administrative events
Section titled “Administrative events”| Category | Events logged |
|---|---|
| Branding | Logo upload, colour changes, domain changes |
| Competitions | Created, modified, archived, result entered, result reset |
| Participants | Invited, removed, role changed, data exported |
| Groups | Created, renamed, members added/removed, deleted |
| Integrations | Connected, disconnected, settings changed |
| Admin team | Admin invited, role changed, access revoked |
| Billing | Plan upgraded/downgraded, payment method changed |
| SSO | Configured, enforced, certificate rotated, disabled |
| Settings | Any hub setting changed |
Authentication events
Section titled “Authentication events”| Category | Events logged |
|---|---|
| Sign-in | Successful login (with method: password, magic link, SSO) |
| Sign-in failures | Failed login attempts (reason logged, password not logged) |
| MFA | MFA enabled, disabled, challenge issued, challenge completed, backup code consumed |
| Sessions | Token issued, token refreshed, session revoked |
| Account changes | Password changed, email changed, MFA factor added or removed |
Security events
Section titled “Security events”| Category | Events logged |
|---|---|
| Authorisation failures | Requests rejected for missing role, missing hub membership, or missing group membership |
| Rate limit triggers | Authentication rate limits hit, password reset rate limits hit |
| Impersonation | Fanzava staff impersonation sessions started, ended, and any actions performed |
| Permission changes | Role grants and revocations |
Field schema
Section titled “Field schema”Each audit log entry has the following fields:
| Field | Description |
|---|---|
timestamp | UTC timestamp, millisecond precision |
request_id | Correlation ID linking related events for a single request |
hub_id | The hub the event belongs to |
group_id | The group, if the event is group-scoped |
actor_user_id | The user who performed the action (UUID) |
actor_email | The user’s email at time of action |
impersonator_user_id | If a Fanzava staff member was impersonating, their user ID is recorded here |
action_type | The categorical event name (e.g. participant.removed, sso.certificate.rotated) |
resource | The resource affected (e.g. participant:abc123, competition:xyz789) |
metadata | Structured event-specific details (before/after values for changes) |
ip_hash | Hash of the originating IP address (the IP itself is not stored) |
user_agent | User agent string with identifying tokens scrubbed |
Accessing audit logs
Section titled “Accessing audit logs”- Go to Admin → Settings → Audit log
- Filter by date range, event category, action type, or admin user
- Click any event for full details, including the raw metadata field
Log retention
Section titled “Log retention”| Plan | Retention period |
|---|---|
| Free / Starter | 30 days |
| Pro | 365 days (1 year) |
| Enterprise | 2 years (configurable up to 7 years) |
Enterprise hubs with regulatory requirements beyond the default (e.g. HIPAA, financial services compliance) can configure retention up to 7 years. Configure from Admin → Settings → Security → Audit log retention.
Storage architecture
Section titled “Storage architecture”Audit logs are written to Cloudflare Analytics Engine for fast query access during the active retention window. Older logs are progressively archived to Cloudflare R2 with an indexed manifest, supporting on-demand retrieval for compliance audits and legal holds without holding the full dataset in active query infrastructure.
Logs are subject to the same regional data residency as the rest of your hub data — see Data residency.
Log integrity
Section titled “Log integrity”Audit log entries are immutable — they cannot be modified or deleted by hub admins, by Fanzava support, or by Fanzava engineering through normal operations. Tampering with the log requires a separate, separately-credentialed administrative path that itself records all access. The only context in which log records can be redacted is a documented legal hold or regulatory requirement, with chain-of-custody preserved.
Exporting logs
Section titled “Exporting logs”Three export options are supported, depending on plan:
| Export type | Plans |
|---|---|
| CSV / JSON download | Pro, Enterprise |
| Scheduled export to S3-compatible storage | Enterprise |
| SIEM integration (Splunk, Datadog, Sumo Logic, generic webhook) | Enterprise |
For SIEM integration, configure the destination from Admin → Settings → Security → SIEM. Fanzava streams events in near real-time using the Common Event Format (CEF) or JSON, depending on destination. Buffering and retry on delivery failure is automatic — no events are lost during destination outages of up to 24 hours.
Impersonation review
Section titled “Impersonation review”All Fanzava staff impersonation sessions are recorded in your hub’s audit log with full context: which staff member, justification reference, duration, and every action performed during the session. Fanzava reviews staff impersonation activity monthly as part of internal security operations. Enterprise customers can request the review summary for their hub on request.
For full detail of impersonation guardrails, see Impersonation.