Audit log
Every sensitive operation against Backup, with who did it, when, and what it targeted.
Not verified yet
The audit log is a read-only timeline of every action taken against your Backup data: data sources created, credentials set, policies attached, backup jobs queued / started / completed / failed, storage destinations updated, restore jobs requested, and reaper outcomes.
Use it to answer questions like:
- "Who deleted that data source last Tuesday?"
- "When did Alice rotate the production credentials?"
- "Did the nightly run actually start, or is something wedged?"
- "What policies have been touched in the last week?"
Where to find it
app.norcube.com → Backup → Audit log (under the Operations group in the sidebar).
What's recorded
Each entry captures:
- When the action happened.
- Who did it – a real user (with name and email) or the system
(
actorType: system, used for scheduler / reaper / cascade deletions). - What action – e.g.,
datasource.created,policy.attached,backup_job.completed,storage_destination.deleted. - What it targeted – the target type (
datasource,backup_policy,data_source_policy,storage_destination,backup_job,restore_job) and the target's ID. - Metadata – action-specific payload (e.g., which policy was chosen for a manual run-now; the reason a job was reaped as stuck).
Filters
The log page supports filtering on multiple dimensions at once:
- Date range – since / until.
- Action – multi-select; grouped by category in the picker.
- Target type – filter to all events about data sources, or policies, or backup jobs.
- Target ID – pin to a specific resource. Useful when you start from a single data source's detail page and want its full history.
- Actor – multi-select; cross-service actor resolution means you see human names even when the audit row was written by another Norcube service.
Action categories
Roughly:
| Category | Examples |
|---|---|
| Data source lifecycle | datasource.created, datasource.credentials_set, datasource.deactivated, datasource.deleted, datasource.verify_attempted |
| Backup policies | policy.created, policy.updated, policy.deleted, policy.attached, policy.detached |
| Storage destinations | storage_destination.created, storage_destination.updated, storage_destination.reverified, storage_destination.deleted |
| Backup jobs – lifecycle | backup_job.queued, backup_job.started, backup_job.completed, backup_job.failed, backup_job.manual_run |
| Backup jobs – read access | backup_job.download_link_generated |
| Backup jobs – deletion | backup_job.deleted |
| Backup jobs – reaper (system) | backup_job.reaped_stuck, backup_job.reaped_healed, backup_job.reaped_orphan_cleaned, backup_job.reaped_no_arn |
| Restore | restore_job.created |
The full list is exposed in the action picker in the dashboard.
Behaviour and edge cases
- The log is append-only. You can't delete or edit entries.
- System actors are first-class. The scheduler that kicks off a
scheduled backup, the reaper that cleans up a stuck job, the
cascade-delete worker triggered by an organization deletion – all
show up as
actorType: systemwith a stable identifier you can filter on. - Cross-service resolution. Audit rows reference actors by ID; the log endpoint resolves them through the auth service so you see human names rather than UUIDs.
- Retention. Audit entries are retained for the lifetime of your organization.
Related
- API reference – the audit log endpoint shows in the
Swagger UI as the
Auditresource group.