The Admin Log captures security-relevant events across your organization. It provides an audit trail for compliance and incident investigation.
The Admin Log is restricted to users with Admin or Owner roles. See Roles & Permissions for details.

Events Tracked

The Admin Log captures the following categories of events:

Member Management

  • Member invited to organization
  • Member accepted invitation
  • Member invitation revoked
  • Member removed from organization
  • Member role changed

Authentication

  • Successful login attempts
  • Failed login attempts
  • Account lockout events

Organization & Structure

  • Organization settings changed
  • Team created, updated, or deleted
  • Workspace created, updated, or deleted

Gateway Lifecycle

  • Gateway registered
  • Gateway linked to workspace
  • Gateway unlinked from workspace
  • Gateway archived
  • Diagnostics report uploaded (manual ultra doctor --report only)

Guardrail Configuration

  • Guardrail created (custom guardrails)
  • Guardrail updated (enforcement mode or configuration changed)
  • Guardrail deleted (custom guardrails)
  • Guardrail enabled
  • Guardrail disabled

Creating, deleting, or disabling a security control is logged at warning severity to ensure visibility when protection is removed. Enabling or updating a guardrail is logged at info severity. Each guardrail event includes metadata describing what changed:

| Field | Description |
| --- | --- |
| Guardrail slug | Human-readable identifier (e.g., credential-protection) |
| Category | builtin or custom |
| Enforcement mode | The post-change mode (block, alert, monitor, or redact) |
| Previous enforcement mode | The pre-change mode, included only when the mode changed |
| Scope | The level at which the guardrail is configured (org, workspace, or gateway) |
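
Because updates are logged at info severity, an update that lowers a guardrail's enforcement mode does not appear in a warning-only view. The following is an added example, not code from the product, that checks guardrail events for reduced protection using the metadata fields listed above. The record layout, the action strings such as guardrail.updated, the example-custom slug, and the strictness ranking of the modes are assumptions; the sample events are constructed.

```python
# Added example. Field names, action strings and the strictness ranking are
# assumptions for illustration, not the product's export schema.
STRICTNESS = {"monitor": 0, "alert": 1, "redact": 2, "block": 3}  # assumed order

def ev(action, severity, slug, scope, mode=None, prev=None):
    """Build one constructed guardrail event record."""
    e = {"action": action, "severity": severity, "guardrail_slug": slug,
         "scope": scope, "enforcement_mode": mode}
    if prev is not None:  # present only when the mode changed
        e["previous_enforcement_mode"] = prev
    return e

# Constructed sample events (not real log data).
EVENTS = [
    ev("guardrail.updated", "info", "credential-protection", "org", "monitor", "block"),
    ev("guardrail.updated", "info", "credential-protection", "workspace", "block", "alert"),
    ev("guardrail.updated", "info", "example-custom", "gateway", "redact"),
    ev("guardrail.disabled", "warning", "example-custom", "workspace", "redact"),
    ev("guardrail.enabled", "info", "example-custom", "workspace", "redact"),
]

def weakening_reason(event):
    """Return why an event reduces protection, or None if it does not."""
    action = event.get("action")
    if action in ("guardrail.disabled", "guardrail.deleted"):
        return "control removed"
    if action != "guardrail.updated":
        return None
    prev = event.get("previous_enforcement_mode")
    new = event.get("enforcement_mode")
    if prev is None:
        return None  # configuration-only update, mode unchanged
    if prev not in STRICTNESS or new not in STRICTNESS:
        return "unrecognized mode, review manually"
    if STRICTNESS[new] < STRICTNESS[prev]:
        return f"mode weakened: {prev} -> {new}"
    return None

def triage(events):
    """List (slug, scope, severity, reason) for every protection-reducing event."""
    return [(e["guardrail_slug"], e["scope"], e["severity"], r)
            for e in events if (r := weakening_reason(e))]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding, sep=" | ")
```

The first finding carries info severity, which is the case a warning-only filter would not surface.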

Event Details

Each event in the Admin Log records:

| Field | Description |
| --- | --- |
| Actor | The user who performed the action (name and email) |
| Target | The entity affected by the action (user, team, workspace, or gateway) |
| Action | What was done (e.g., “member.invited”, “role.changed”) |
| Timestamp | When the event occurred (UTC) |
| IP Address | The IP address of the actor |

Identity attribution

Audit and trace entries in the Hub dashboard surface the user behind each event with three visual cues. The full attribution model is documented on the Identities page.
  • Assurance dot — a small coloured dot next to the user’s name indicates how the event was attributed.
    • Green (authenticated) — performed by a logged-in user with an active session.
    • Amber (gateway) — attributed via the gateway’s registered owner rather than a session. Typical for unauthenticated stdio traffic on a personal gateway.
    • Grey — no identity could be attributed.
  • Role chip — shows the user’s organization role (owner, admin, member, or viewer) when known.
  • Non-member badge — appears when an event is attributed to a user who is not a current member of the organization. Use this to spot activity from offboarded employees or external identities that were never granted membership.
Clicking the user’s name in any drawer opens their identity detail page, which shows aggregate activity, peak hours, and any anomaly findings for that identity.

Viewing the Admin Log

The Admin Log is accessible from the Hub web interface:
  1. Navigate to your organization in Hub
  2. Select Admin Log from the sidebar
  3. Browse events chronologically (newest first)
Events can be filtered by action type, actor, target, and time range.