LiyaSupport
Security

Audit log

A tamper-evident, searchable record of every action taken in your LiyaSupport workspace.

5 min read Updated July 2026

The audit log captures every significant action performed by users, API keys, automations, and the Liya system itself. It is designed to support internal security reviews, compliance reporting (SOC 2, ISO 27001, GDPR), and incident investigation.

Audit log access requires the Admin or Owner role. The log is read-only — no entry can be modified or deleted by workspace users.

What is logged

CategoryEvents logged
AuthenticationSign-in, sign-out, SSO assertion, failed login attempts, password resets, MFA enrollment/removal
User managementInvite sent, role changed, user deactivated, user removed
API keysKey created, key revoked, key scopes modified
ConversationsTicket created, assigned, escalated, resolved, deleted, merged; note added; AI draft approved or rejected
Knowledge baseArticle created, updated, published, archived, deleted; sync completed; gap dismissed
AutomationsRule created, updated, enabled, disabled, deleted; rule execution (error-only by default)
IntegrationsConnected, disconnected, credentials rotated (Shopify, HubSpot, Stripe, Segment, Slack)
BillingPlan upgraded/downgraded, payment method updated, invoice paid (via Stripe)
Security settingsSSO enforced, IP allowlist updated, session timeout changed, SCIM provisioning enabled
Data exportContact export triggered, conversation export triggered, audit log export triggered

Log entry anatomy

Each audit log entry contains:

  • Timestamp — ISO 8601 in UTC
  • Actor — user display name + ID, or "API Key [key name]", or "Liya System"
  • Action — structured category.verb identifier (e.g. user.role_changed)
  • Resource type and ID — what was acted on (e.g. Conversation cxn_8r2...)
  • Before / after values — for change events, the previous and new state
  • IP address — originating IP for user-initiated actions
  • Request ID — for API-initiated actions, the API request ID for cross-referencing
  • Session ID — browser session for user-initiated actions

Searching and filtering

Go to Settings → Security → Audit log. You can filter by:

  • Date range (up to 12 months on Growth/Scale, 24 months on Enterprise)
  • Actor (search by name or email)
  • Action category (authentication, conversations, knowledge, etc.)
  • Resource ID (search for a specific ticket ID, user ID, etc.)
  • IP address

Exporting audit logs

You can export the audit log as a CSV or JSON Lines file for up to 90 days at a time. Export actions are themselves logged in the audit log.

Streaming to SIEM

Enterprise workspaces can stream audit log events to a SIEM in real time via a webhook or direct Amazon S3 / Splunk HEC integration. Go to Settings → Security → Audit log → Streaming to configure a destination.

If you're using the webhook streaming option, sign the delivery with your shared secret and validate the X-Liya-Signature header using the same HMAC-SHA256 approach as the Webhooks API.

Retention

PlanAudit log retention
Starter90 days
Growth12 months
Scale24 months
EnterpriseUp to 7 years (configurable)