The Audit Events Logging feature in EagleSafe ZTB lets you observe and track all changes to your tenant network infrastructure — new devices joining, access policy modifications, user role changes, and many other key events.
Access the audit log
Go to Activity → Audit Events in the dashboard. The view provides a centralized log of all network events. Use the search bar to search by activity name, and apply filters for timeframe, event type, and user.
Tracked events
Peer management
- Peer added by user / added with setup key
- Peer removed, renamed
- Peer SSH server enabled / disabled
- Peer login expiration enabled / disabled
User management
- User joined, invited, role updated
- User blocked, unblocked, deleted
Group management
- Group created, updated, deleted
- Group added to / removed from: peer, user, setup key, DNS disabled management setting
Policy management
- Policy added, updated, removed
Setup key management
- Setup key created, updated, revoked, overused
Route management
- Route created, updated, removed
Account management
- Account created
- Peer login expiration duration updated / enabled / disabled
- Peer approval enabled / disabled
Nameserver management
- Nameserver group created, updated, deleted
Token management
- Personal access token created / deleted
Integration management
- Integration created, updated, deleted
Other events
- Transferred owner role
- Posture check created / updated / deleted
- User logged in peer
- Peer login expired
- Dashboard login
SIEM integration
EagleSafe ZTB can stream audit events to your SIEM system in real time. Contact your EagleSafe administrator to enable event streaming for your tenant.
Note on unknown users
If audit events show unknown as the name or unknown@unknown.com as the email, this indicates that the encryption key used to store events has been corrupted or lost. This is relevant for self-hosted deployments only. The encryption key is the server.store.encryptionKey field in config.yaml.
