Audit Trail

Track every change, access event, and action across your CRM with comprehensive audit logging.

Overview

The SalesOS audit trail provides a comprehensive, immutable record of every significant action taken within your CRM environment. From individual field changes on a contact record to bulk data exports and administrative configuration updates, the audit system captures the full context of who did what, when, and from where.

Audit logging serves multiple organizational needs: security monitoring, regulatory compliance, dispute resolution, and operational troubleshooting. SalesOS logs events automatically with zero configuration required, ensuring that from the moment your organization starts using the platform, a complete history is being maintained.

What Gets Logged

SalesOS captures a broad spectrum of events across the platform. Every logged event includes the actor, timestamp, action type, and relevant contextual data.

Record Changes

All create, update, and delete operations on CRM records are captured with field-level granularity.

Record Type	Events Logged
Leads	Creation, field updates, status changes, conversion, assignment changes
Contacts	Creation, field updates, merge operations, relationship changes
Accounts	Creation, field updates, ownership transfers, hierarchy changes
Opportunities	Creation, stage changes, amount updates, close date changes, field edits
Quotes	Creation, line item changes, approval status, version changes
Orders	Creation, status transitions, fulfillment updates
Invoices	Generation, payment application, adjustments, write-offs
Contracts	Creation, term changes, renewal events, signature status

Event	Details Captured
Successful Login	User, timestamp, IP address, device/browser, auth method
Failed Login	Attempted username, IP address, failure reason
Password Change	User, timestamp, initiated by (self or admin)
MFA Enrollment	User, method type, timestamp
MFA Challenge	User, success/failure, method used
Session Expiry	User, session duration, reason
Account Lockout	User, trigger (failed attempts threshold)
Impersonation	Admin who initiated, target user, duration

Data Exports

Every data export operation is logged regardless of method:

Manual CSV/Excel exports from list views
Report exports (PDF, CSV, scheduled)
API bulk data retrieval exceeding configurable thresholds
Integration sync pulls (when third-party systems extract data)
Backup operations initiated by administrators

Permission and Configuration Changes

Role assignments and modifications
Permission set changes
Field-level security updates
Sharing rule modifications
Workflow/automation rule changes
Integration credential updates
Feature flag toggles
System configuration parameter changes

API Access

Authentication token generation
API calls exceeding rate limits
Webhook delivery attempts and responses
Third-party integration data access
Bulk API operations

Bulk Operations

Mass record updates (field values, ownership, status)
Bulk imports (CSV, API-driven)
Bulk deletes (with record count and filter criteria)
Data migration operations
Duplicate merge operations

Accessing Audit Logs

SalesOS provides multiple entry points for viewing audit information depending on your role and what you are investigating.

Admin Panel

The primary audit log interface is accessible at Dashboard > Admin > Audit for users with ADMIN role. This view provides:

Full-text search across all audit events
Advanced filtering (date range, user, action type, record type, IP address)
Sortable columns with pagination
Export functionality for compliance reporting
Real-time streaming of new events

Per-Record History

Every CRM record includes a History tab showing all changes specific to that record:

Open any lead, contact, account, opportunity, or other entity.
Click the History or Activity tab.
View chronological list of all field changes, with old and new values displayed inline.
Filter by field name or date range.
See who made each change and whether it was manual, via automation, or via API.

User Activity View

Managers can view activity for specific team members:

Navigate to Admin > Users.
Select a user and click Activity Log.
View all actions taken by that user across the system.
Filter by action type or date range.

Audit Log Fields

Each audit event record contains the following structured data:

Field	Description	Example
Timestamp	Exact UTC time of the event	2026-05-25T14:32:07.445Z
Actor	User who performed the action	[email protected]
Actor Role	System role at time of action	ADMIN
Action	Type of operation performed	UPDATE
Entity Type	The record or resource type	Opportunity
Entity ID	Unique identifier of the affected record	opp_7f3a2b1c
Field	Specific field changed (for updates)	stage
Old Value	Previous value before the change	Qualification
New Value	Value after the change	Proposal
IP Address	Source IP of the request	203.0.113.42
User Agent	Browser or client identifier	Chrome/124.0 (Windows)
Session ID	Authenticated session reference	sess_abc123
Source	How the action was triggered	UI, API, Automation, Import
Organization	Tenant organization ID	org_xyz789
Metadata	Additional context (JSON)	`{"bulk_operation_id": "..."}`

Filtering and Searching

The audit log interface supports sophisticated filtering to help you find specific events quickly.

Filter Dimensions

Filter	Options
Date Range	Preset ranges (today, 7d, 30d, 90d) or custom start/end
User	Search by name or email, multi-select supported
Action Type	CREATE, UPDATE, DELETE, LOGIN, EXPORT, CONFIG_CHANGE, API_CALL
Record Type	Lead, Contact, Account, Opportunity, Quote, Order, etc.
Source	UI, API, Automation, Bulk Import, System
IP Address	Exact match or CIDR range
Field	Specific field name (for update events)

Search Syntax

The search bar supports structured queries:

user:jane.smith action:UPDATE entity:Opportunity
field:stage old_value:Qualification
ip:203.0.113.0/24 date:>2026-05-01

Saved Filters

Administrators can save commonly used filter combinations for quick access:

Configure your desired filters.
Click Save Filter and provide a name.
Optionally share the saved filter with other admins.
Access saved filters from the dropdown menu.

Record-Level Change History

Every entity in SalesOS maintains a complete field-level change history that is accessible directly from the record view.

Change Detail View

Each change entry shows:

The field that was modified
The previous value (with formatting appropriate to field type)
The new value
Who made the change
When the change occurred
Whether it was a manual edit, automation, API call, or import

Comparing Versions

For records with many changes, use the Compare feature to select any two points in time and see a side-by-side diff of all field values, highlighting what changed between those two snapshots.

Reverting Changes

Administrators can revert individual field changes:

Navigate to the record's History tab.
Find the change you want to undo.
Click the Revert icon next to the change.
Confirm the reversion (this creates a new audit entry documenting the revert).

Note: Reverting is itself an audited action. The system logs who initiated the revert, which change was undone, and the resulting values.

The security event log provides visibility into authentication patterns and potential threats.

The security section of the audit trail includes:

Login map: Geographic visualization of login locations
Device inventory: All devices/browsers that have authenticated
Failed login trends: Spike detection for brute-force attempts
Session timeline: Active and historical sessions per user

Alerts and Anomalies

SalesOS can generate alerts for suspicious patterns:

Alert Type	Trigger
Impossible travel	Login from two distant locations within impossible timeframe
New device	First authentication from an unrecognized device
Off-hours access	Login outside configured business hours
Bulk export	Data export exceeding normal volume thresholds
Permission escalation	User role changed to a higher privilege level
Multiple failures	Repeated failed login attempts from same IP or for same user

Data Access Logs

Beyond record changes, SalesOS tracks who views sensitive data, even without making changes.

Read Access Tracking

For records marked as sensitive (e.g., containing PII, financial data, or classified deal terms), the system logs:

Which user viewed the record
When and for how long
Which fields were visible based on their permissions
Whether they exported or copied data from the view

Report Access

All report executions are logged, including:

Report name and parameters
Number of records returned
Whether results were exported
Scheduled report deliveries (recipients and format)

Retention Policies

SalesOS provides configurable retention periods for audit data to balance storage costs with compliance needs.

Default Retention

Event Category	Default Retention	Configurable Range
Record Changes	7 years	1-10 years
Login Events	2 years	1-7 years
API Access	1 year	6 months - 5 years
Data Exports	7 years	3-10 years
Config Changes	10 years	5 years - indefinite
Bulk Operations	5 years	2-10 years

Retention Configuration

Navigate to Settings > Compliance > Audit Retention to adjust retention periods. Changes to retention policy are themselves logged and require ADMIN role.

Archival

When records exceed their retention period:

Data is archived to cold storage (not immediately deleted).
Archived data remains searchable but with higher retrieval latency.
Permanent deletion occurs after a configurable grace period post-archival.
Deletion events are logged in a separate, indefinitely-retained deletion log.

Exporting Audit Data

SalesOS supports multiple export formats and destinations for audit data.

Manual Export

Navigate to Admin > Audit.
Apply filters to scope the export.
Click Export and select format (CSV, JSON, PDF).
Choose whether to include full metadata or summary only.
Download begins (large exports are processed asynchronously with email notification).

Scheduled Exports

Configure recurring exports for compliance teams:

Daily, weekly, or monthly cadence
Configurable filters and format
Delivery via email, SFTP, or cloud storage (S3, GCS, Azure Blob)
Include summary statistics and anomaly flags

SIEM Integration

SalesOS integrates with Security Information and Event Management platforms:

Platform	Integration Method
Splunk	HTTP Event Collector (HEC)
Datadog	Log forwarding via API
Elastic/ELK	Logstash-compatible JSON output
Microsoft Sentinel	Azure Event Hub connector
Sumo Logic	HTTP source endpoint
Generic	Webhook with configurable payload format

Configure SIEM forwarding at Settings > Integrations > SIEM to stream audit events in real-time to your security operations center.

Compliance Use Cases

The audit trail supports requirements across multiple regulatory frameworks.

SOX (Sarbanes-Oxley)

Tracks all changes to financial records (quotes, orders, invoices, revenue)
Maintains separation of duties evidence (who approved vs. who created)
Provides tamper-proof records for financial auditors
Supports access control reviews with permission change history

Documents all processing activities on personal data
Tracks consent changes and data subject requests
Provides evidence for data access records (Article 30)
Supports right of access requests with complete history
Logs data deletion actions for right to erasure compliance

HIPAA

Tracks access to protected health information (PHI) if stored in CRM
Maintains minimum necessary access evidence
Provides breach investigation data
Supports required security incident documentation

SOC 2

Demonstrates continuous monitoring of access controls
Provides evidence of change management processes
Supports logical access reviews
Documents incident response actions

API Access to Audit Logs

Administrators can query audit logs programmatically via the SalesOS API.

Endpoints

GET /v1/audit-trail                    # List audit events (paginated)
GET /v1/audit-trail/:id                # Get specific event detail
GET /v1/audit-trail/stats              # Aggregate statistics
GET /v1/audit-trail/entity/:type/:id   # Events for specific record

Query Parameters

Parameter	Type	Description
startDate	ISO 8601	Filter events after this date
endDate	ISO 8601	Filter events before this date
userId	UUID	Filter by acting user
action	String	Filter by action type
entityType	String	Filter by record type
limit	Number	Page size (max 500)
cursor	String	Pagination cursor

Rate Limits

Audit API endpoints have separate rate limits to prevent performance impact:

100 requests per minute for list queries
1000 requests per minute for single-event lookups
Bulk export via API limited to 10 requests per hour

Best Practices

Establish a review cadence. Assign a team member (typically security or compliance) to review audit logs weekly for anomalies, even if you have automated alerting.
Configure SIEM integration early. Do not wait for an incident to set up external log forwarding. Real-time streaming to your SIEM ensures you have data when you need it most.
Use retention policies aligned to your industry. Financial services and healthcare typically require longer retention (7-10 years). Set policies during initial configuration to avoid gaps.
Leverage per-record history for dispute resolution. When reps disagree about deal ownership or field values, the record history provides an objective timeline that resolves conflicts quickly.
Monitor data export patterns. Unusual export volumes often precede data theft. Set alerts for exports that exceed normal baselines, especially from departing employees.
Document your audit review process. For compliance frameworks like SOC 2, you need to demonstrate not just that logs exist, but that someone actively reviews them with documented procedures.
Limit audit log access appropriately. While transparency is valuable, audit logs can contain sensitive information. Restrict access to ADMIN role and use the API for programmatic access by authorized systems only.
Test your audit trail periodically. Perform controlled changes and verify they appear correctly in the audit log. This validates that your logging is functioning and that no gaps exist.
Use saved filters for recurring investigations. Compliance officers and security teams often look for the same patterns. Save these as named filters to ensure consistency and save time.
Plan for audit data growth. Audit logs grow continuously and can become substantial for active organizations. Monitor storage usage and ensure your retention and archival policies balance compliance needs with cost management.

On this page