> ## Documentation Index
> Fetch the complete documentation index at: https://docs.incident.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> Track configuration and permission changes across your incident.io account.

Audit logs give you visibility over the changes made within your incident.io account. They cover configuration changes and permission updates (e.g. a user being given a new role, or granted access to a private incident). Audit logs are available on the [Enterprise plan](https://incident.io/pricing) and powered by [WorkOS](https://workos.com).

Each entry conforms to a versioned schema, so you can parse older events even as the schema evolves. Entries are retained for one year (starting from 18 April, 2023).

## Viewing your audit log

You can view your audit log from [Settings > Security](https://app.incident.io/~/settings/security). From there you can:

* Browse entries with filters for target, event type, actor, and date
* Export entries for a given time period to CSV
* Set up a log stream to a provider of your choice (e.g. Splunk or Amazon S3)

## Understanding entries

Each audit log entry includes:

* **Actor** — who or what made the change (user, API key, system, workflow, external resource, or alert)
* **Action** — the event type (e.g. `api_key.created`)
* **Targets** — what was modified
* **Context** — location and user agent, where applicable
* **Version** — schema version for backwards compatibility

## Actor types

### Users

Changes triggered by a user in your account.

```json theme={null}
{
  "type": "user",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Kelsey Mills",
  "metadata": {
    "user_base_role_slug": "admin",
    "user_custom_role_slugs": "engineering,security"
  }
}
```

### API keys

Changes triggered by an API key.

```json theme={null}
{
  "type": "api_key",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Lisa's development key",
  "metadata": {
    "api_key_roles": "incident_creator,global_access"
  }
}
```

### Systems

Changes triggered by a system — either a third-party integration (e.g. a user created via Slack) or an internal process (e.g. a severity created during setup).

```json theme={null}
{
  "type": "system",
  "id": "incident_setup",
  "name": "incident.io (setup)",
  "metadata": {}
}
```

### Workflows

Changes triggered by a workflow, such as auto-inviting users to a private incident.

```json theme={null}
{
  "type": "workflow",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Auto-invite security team to private incidents",
  "metadata": {}
}
```

### External resources

Changes triggered by an [external resource](/api-reference/introduction) (also known as an attachment).

```json theme={null}
{
  "type": "external_resource",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "#1234 Increased API latency",
  "metadata": {
    "external_resource_type": "pager_duty_incident",
    "external_resource_external_id": "q1234"
  }
}
```

### Alerts

Changes triggered by an alert (e.g. from Datadog or Grafana).

```json theme={null}
{
  "type": "alert",
  "id": "01G0J1EXE7AXZ2C93K61WBPYEH",
  "name": "Staging: pod CPU high",
  "metadata": {
    "alert_source_id": "01HB0ZG3B0HM04RCXNSPV1EDYG"
  }
}
```