Audit Log
Track and monitor all workspace activity with comprehensive audit logging and real-time streaming to your SIEM.
Atmos Pro records all significant workspace activity in an append-only audit log. Enterprise plans can view the full audit trail and stream events in real-time to external SIEM systems via webhooks.
Every auditable action in your workspace generates an event with a category, action, actor, target, and optional metadata. The following categories are tracked:
| Category | Actions | Description |
|---|---|---|
workspace | created, updated, deleted, renamed, slug_changed, logo_updated, settings_changed | Workspace lifecycle and configuration |
team_member | invited, removed, role_changed | Team membership changes |
GitHub | repository_imported, repository_removed | GitHub repository management |
permission | assigned, removed, default_created, default_removed | Repository permission changes |
schedule | created, updated, deleted | Drift detection schedule management |
workflow | dispatched, completed, failed | GitHub Actions workflow runs |
pull_request | opened, updated, merged | Pull request activity |
release | created | GitHub release events |
instance | drift_status_updated | Infrastructure drift detection |
lock | created, deleted | Deployment lock management |
auth | oidc_token_exchange_success, oidc_token_exchange_failure | Authentication events |
billing | subscription changes | Billing and payment events |
entitlement | plan changes | Plan and entitlement updates |
Enterprise plans can access the audit log viewer from the sidebar under Audit Log. The viewer supports:
- Search by actor, action, target, or description
- Category filtering to focus on specific event types
- Organization-wide scope to view events across all workspaces in your organization
- Pagination for navigating large event histories
- Expandable metadata — click any row to reveal the full event metadata
Audit log entries are automatically purged on a daily schedule:
- Enterprise plans: 365-day retention
- All other plans: 30-day retention
The retention purge runs at 3:00 AM UTC daily.
Enterprise plans can forward audit events to external systems (SIEM, log aggregators) in real-time via webhooks using the CloudEvents v1.0 format. See Webhooks for setup instructions.
The audit log viewer and webhooks are available on Enterprise plans. Contact your account team or visit your workspace plan settings to upgrade.