Audit Log
Every database connection through DAAM is logged with the developer's identity and session metadata. The audit log provides a tamper-resistant record for compliance and security review, covering both database connections and administrative activity across your organization.
Overview
The audit log captures two categories of events scoped to your organization:
- Connections — every database session proxied through a DAAM agent, including who connected, which database, duration, query count, and the policy version enforced.
- Activity — administrative actions such as membership changes, invite management, SCIM provisioning events, and organization-level operations.
Both categories are accessible from the Audit page in the console, organized into two tabs. All data is scoped to the current organization and cannot be viewed across organizations.
Audit records are append-only and cannot be modified or deleted through the console. Retention is controlled by your billing plan, ensuring a tamper-resistant record for compliance purposes.
The audit log below shows a live preview of the connections table with sample data. Use the filter dropdowns and time range picker to explore the interface.
5 audit entries
| User | Database | Connected At | Duration | Queries | Close Reason | Status |
|---|---|---|---|---|---|---|
| [email protected] | prod-users (us-east-1) | 2026-03-13 09:15:00 UTC | 2h 14m | 847 | client | closed |
| [email protected] | prod-analytics (eu-west-1) | 2026-03-13 10:42:00 UTC | 23 | — | open | |
| [email protected] | staging-main | 2026-03-13 08:05:00 UTC | 45m | 312 | upstream | closed |
| [email protected] | prod-analytics (eu-west-1) | 2026-03-12 16:30:00 UTC | 1h 8m | 1,204 | client | closed |
| [email protected] | prod-users (us-east-1) | 2026-03-12 14:00:00 UTC | 3m | 5 | policy revoked | closed |
What's Logged: Connections
Every database connection proxied through a DAAM agent generates an audit record with the following fields:
| Field | Description |
|---|---|
| User | Email address of the developer who connected |
| Database | Name of the target database |
| Agent | The agent that proxied the connection |
| Connected at | Timestamp when the connection was established |
| Duration | Total session length (computed from connect and disconnect times) |
| Queries | Number of SQL queries processed during the session |
| Close reason | Why the connection ended (e.g. client terminated, upstream closed) |
| Policy version | Identifier of the exact policy set enforced at connection time |
| Access requests | IDs of any access requests that contributed to granting this connection |
The agent reports connection lifecycle events to the control plane automatically. No additional configuration is required to enable audit logging.
What's Logged: Activity
Organization-level administrative actions are recorded as activity events. Each event captures the action type, the actor who performed it, and contextual metadata.
| Category | Event Types |
|---|---|
| Members | Member added, member removed, role changed |
| Invites | Invite created, invite accepted, invite revoked |
| Organization | Org created, org updated, org deleted, org restored |
| SCIM | User provisioned, user updated, user deleted, email changed, group created, group updated, group deleted, SCIM enabled/disabled, token created/revoked |
Each activity event records the actor (the user who performed the action, or "System" for automated operations), the target (the affected user, invite, or group), and additional metadata specific to the event type.
Viewing the Audit Log
Navigate to Audit in the console sidebar. The audit page has two tabs:
Connections Tab
The default tab shows all database connections for your organization. The table displays user, database, connected at, duration, queries, close reason, and status columns.
Use the filters at the top of the table to narrow results:
- User — filter by a specific organization member.
- Database — filter by a specific database registered in your organization.
- Time window — select a preset range (1 hour, 24 hours, 7 days, 30 days, 90 days) or specify a custom date range.
The default time window is the last 24 hours. Results are paginated for large result sets.
Activity Tab
Click the Activity tab to view administrative events. The table displays event type, actor, target, details, and time columns.
Activity events can be filtered by:
- Event category — filter by Members, Invites, Organization, or SCIM events.
- Actor — filter by the user who performed the action.
- Time window — same preset and custom range options as the Connections tab.
Time Window Picker
Both tabs share a time window picker for scoping results to a specific period. Click the time range button to open the picker.
| Preset | Description |
|---|---|
| Last 1 hour | Connections or events from the past hour |
| Last 24 hours | Default time window when no range is specified |
| Last 7 days | One week of history |
| Last 30 days | One month of history |
| Last 90 days | Three months of history |
| Custom range | Specify exact start and end dates using date pickers |
Custom date ranges cannot extend into the future. The end date is inclusive, so selecting a single day shows all events from midnight to midnight of that day. Changing the time window preserves all other active filters.
Connection Details
Click the View button on any connection row to open a detail panel on the right side of the screen. The panel displays:
- Full connection metadata — user, database, agent, connected at, disconnected at, duration, close reason, and query count.
- Policy version — the exact policy version that was enforced during this connection.
- Session event timeline — a chronological list of events that occurred during the session.
- Access requests — links to any access requests that contributed to granting this connection.
- Raw JSON — the complete connection record in JSON format, collapsed by default. Useful for copying into external tools or support tickets.
Each connection is also accessible at a direct URL for bookmarking or sharing with other administrators in your organization.
Activity Details
Click the View button on any activity row to open a detail panel showing:
- Event type — the specific action that occurred, with a human-readable label.
- Actor — email of the user who performed the action, or "System" for automated operations.
- Target — the affected user, group, or resource, resolved contextually based on event type.
- Full metadata — all event-specific details such as role changes, email changes, or SCIM external IDs.
- Raw JSON — the complete event metadata in JSON format for inspection.
Retention
Audit records are automatically cleaned up based on your billing plan and server-side retention configuration. A background job runs hourly to remove records that exceed the retention window.
| Plan | Retention Period |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Enterprise | Unlimited |
Both connection records and activity events are subject to the retention period defined by your plan.
Records are permanently deleted when they exceed the retention window. Export any records you need for long-term archival before they age out. Enterprise plans with unlimited retention still benefit from the hourly cleanup job to remove orphaned records.
Compliance
The audit log is designed with compliance requirements in mind:
- Append-only — audit records cannot be modified or deleted through the application. Only the automated retention cleanup removes expired records.
- Identity-linked — every connection and activity event is tied to a specific user identity, providing a clear chain of accountability.
- Policy-versioned — connection records capture the exact policy version enforced, so you can reconstruct what access controls were active during any session.
- Organization-scoped — audit data is strictly isolated to each organization. Members of one organization cannot view another organization's audit records.
- Configurable retention — retention periods align with your compliance requirements, from 7-day windows for development to unlimited retention for regulated environments.
For organizations subject to SOC 2, HIPAA, or similar frameworks, the audit log provides the connection-level visibility and administrative action tracking needed to demonstrate access control enforcement and change management.