meshr / Platform / Audit Logs
Audit Logs

Every change, every access — in one place.

A live activity trail of every device added, every policy changed, every connection allowed or denied. Searchable, filterable, and exportable to CSV or JSON — so when the auditor or the on-call asks "what happened?", you have an answer in seconds.

  • Live-tail activity feed, refreshed in near real-time
  • Filter by actor, resource, action, or date
  • Export the full trail to CSV or JSON
  • Built to make SOC 2 / HIPAA / ISO 27001 audits easier
Get early access Pair with Session Recording →
Filters last 1h all actions
live
14:32:18WARNsavas@ denied ssh to prod-db by prod-rbac
14:32:05INFOapi-server-03 joined mesh
14:31:42INFOops@ rotated cert for bastion-eu
14:31:21ERRORcontractor-mac failed auth · 5 attempts
14:30:55INFOali@ created policy dev-read-only
14:30:30INFOapi-server-01 ssh from savas@ · ok
Showing 6 of 1,284 eventsExport CSV / JSON
CSV / JSON export
What it's for

Three jobs, one log.

Built for the moments that matter — incident review, compliance evidence, and a live view of what's happening now.

1

Post-incident review

Filter to the window when the outage started and read every device, policy change, and access event with full actor and source context.

filter: time 14:30–14:45 · action: deny
2

Compliance evidence

Pick the audit window, then export the trail as CSV or JSON. Hand auditors a complete record instead of hand-rolled spreadsheets.

GET /admin/activity/export?format=csv
3

Live activity view

Watch the feed in near real-time as devices join, policies change, and auth succeeds or fails — sorted newest-first.

live-tail · newest first · filterable
What gets captured

The record an auditor would ask for.

Identity, access, and configuration events — recorded by default.

Identity & access events

Every login, SSH session, policy decision, and certificate action — with the actor and source that triggered it. Failed-auth bursts surface immediately.

  • Login / logout
  • SSH session start / end
  • Allow / deny verdict per rule
  • Certificate issued / rotated / revoked

Configuration changes

Policy edits, group membership updates, and role assignments — recorded with the actor who made the change and where they made it from.

# Recorded automatically
- allow group:devs → prod-db :22
+ deny  group:devs → prod-db :22
  actor: [email protected] · web ui

Export to CSV or JSON

Download the full, filtered trail as CSV or JSON — large exports stream so they never time out. Take your audit data anywhere; there's no lock-in on your own record.

CSV JSON filtered & streamed
Coming soon

Streaming export to your SIEM

Planned: push events continuously to Splunk, Datadog, Elastic, S3, or any webhook as they happen. Today, export is pull-based (CSV / JSON download) — streaming integrations are on the roadmap.

SplunkDatadogElasticS3Webhook
Compliance

SOC 2-ready, and compliance-friendly.

The audit trail is built around the controls auditors actually ask about — so gathering evidence is a filter and an export, not a fire drill.

Evidence the frameworks expect

The events map cleanly to common audit controls — access logging, change tracking, and monitoring — so you can produce evidence for the frameworks your customers ask about.

  • SOC 2 — access & change logging (CC6 / CC7)
  • HIPAA — §164.312(b) audit controls
  • ISO 27001 — A.12.4 logging & monitoring
  • Filter to a window, export, attach
Coming soon

Formal SOC 2 certification

meshr is built to be SOC 2-ready, and a formal SOC 2 attestation is on the roadmap — we're not yet certified. If you need a report for vendor review, reach out and we'll share our current status.

Know exactly what happened.

Live audit trail with filter and CSV / JSON export — free while we're in beta. No credit card required.

Get early access See pricing →