Reading the audit log
Open your vault and go to Audit. Every action against the vault is here, newest first.
What a row tells you
Each event answers five questions:
| Field | Example |
|---|---|
| Who | the actor — you, the browser extension, or a named agent |
| What | read, autofill, TOTP, create, update, delete, or an admin action |
| When | timestamp |
| Where | source IP |
| Outcome | success · failure · denied (with a reason) |
The actor type is shown on every row, so an agent's activity never blends into your own.
Narrowing it down
The filter bar lets you focus fast:
- Entry — events touching entries whose name contains your text.
- Actor — everything one person, extension, or agent did (web, cli:…, agent:…).
- Source IP — activity from one address.
- Range — last 24 hours, 7 days, 30 days, all time, or a custom from/to.
- Group by — collapse the view by day, action, outcome, or actor.
To see what was stopped rather than what succeeded, group or filter by outcome → denied. Blocked agents, rate-limited bursts, refused IPs, and failed logins all surface there.
Exporting
Click Export CSV to download the current, filtered view — ready to hand to an auditor or load into a spreadsheet or SIEM. What you export is exactly what your filters show, so scope the view first, then export.
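One way to triage an exported CSV offline, as an added example that is not part of the product or its documentation: it counts denied events per actor and source IP and flags pairs that reach a threshold. The column names, the sample rows, the denial reasons, and the threshold are assumptions; check them against the header row of a real export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. The column names are assumptions for this
# example; check them against the header row of a real export.
SAMPLE_CSV = """timestamp,actor,action,entry,source_ip,outcome,reason
2024-05-01T09:00:12Z,web,read,GitHub,203.0.113.10,success,
2024-05-01T09:02:40Z,agent:deploy-bot,read,AWS root,198.51.100.7,denied,entry not in agent scope
2024-05-01T09:02:41Z,agent:deploy-bot,read,AWS root,198.51.100.7,denied,entry not in agent scope
2024-05-01T09:02:43Z,agent:deploy-bot,totp,AWS root,198.51.100.7,denied,rate limited
2024-05-01T09:05:00Z,cli:laptop,update,GitHub,203.0.113.10,success,
2024-05-01T09:07:19Z,web,read,Bank,192.0.2.55,failure,
"""


def actor_type(actor):
    """Map an actor value to its type using the prefixes the filter bar shows."""
    for prefix in ("agent", "cli"):
        if actor.startswith(prefix + ":"):
            return prefix
    return actor  # e.g. "web"


def summarize_denied(csv_text, burst_threshold=3):
    """Count denied events per (actor, source IP) and list pairs at or over the threshold."""
    denied = Counter()
    reasons = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["outcome"].strip().lower() != "denied":
            continue
        key = (row["actor"], row["source_ip"])
        denied[key] += 1
        reasons[key][row["reason"] or "(no reason given)"] += 1
    bursts = sorted(k for k, n in denied.items() if n >= burst_threshold)
    return denied, reasons, bursts


if __name__ == "__main__":
    denied, reasons, bursts = summarize_denied(SAMPLE_CSV)
    for (actor, ip), n in denied.most_common():
        flag = " <-- review" if (actor, ip) in bursts else ""
        print(f"{n:3d} denied  {actor_type(actor):5s} {actor} from {ip}{flag}")
        for reason, count in reasons[(actor, ip)].most_common():
            print(f"      {count} x {reason}")
```

Because the export contains only what the filters show, run this against a view that has not already been narrowed to a single actor or outcome if you want the full picture.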
The values themselves are never here
The log records that a credential was read, by whom, and when — never the secret's value. The audit trail is metadata about access, not a second copy of your data. (More in Limits.)