Audit log
A tamper-evident, searchable record of every action taken in your LiyaSupport workspace.
The audit log captures every significant action performed by users, API keys, automations, and the Liya system itself. It is designed to support internal security reviews, compliance reporting (SOC 2, ISO 27001, GDPR), and incident investigation.
What is logged
| Category | Events logged |
|---|---|
| Authentication | Sign-in, sign-out, SSO assertion, failed login attempts, password resets, MFA enrollment/removal |
| User management | Invite sent, role changed, user deactivated, user removed |
| API keys | Key created, key revoked, key scopes modified |
| Conversations | Ticket created, assigned, escalated, resolved, deleted, merged; note added; AI draft approved or rejected |
| Knowledge base | Article created, updated, published, archived, deleted; sync completed; gap dismissed |
| Automations | Rule created, updated, enabled, disabled, deleted; rule execution (error-only by default) |
| Integrations | Connected, disconnected, credentials rotated (Shopify, HubSpot, Stripe, Segment, Slack) |
| Billing | Plan upgraded/downgraded, payment method updated, invoice paid (via Stripe) |
| Security settings | SSO enforced, IP allowlist updated, session timeout changed, SCIM provisioning enabled |
| Data export | Contact export triggered, conversation export triggered, audit log export triggered |
Log entry anatomy
Each audit log entry contains:
- Timestamp — ISO 8601 in UTC
- Actor — user display name + ID, or "API Key [key name]", or "Liya System"
- Action — structured
category.verbidentifier (e.g.user.role_changed) - Resource type and ID — what was acted on (e.g.
Conversation cxn_8r2...) - Before / after values — for change events, the previous and new state
- IP address — originating IP for user-initiated actions
- Request ID — for API-initiated actions, the API request ID for cross-referencing
- Session ID — browser session for user-initiated actions
Searching and filtering
Go to Settings → Security → Audit log. You can filter by:
- Date range (up to 12 months on Growth/Scale, 24 months on Enterprise)
- Actor (search by name or email)
- Action category (authentication, conversations, knowledge, etc.)
- Resource ID (search for a specific ticket ID, user ID, etc.)
- IP address
Exporting audit logs
You can export the audit log as a CSV or JSON Lines file for up to 90 days at a time. Export actions are themselves logged in the audit log.
Streaming to SIEM
Enterprise workspaces can stream audit log events to a SIEM in real time via a webhook or direct Amazon S3 / Splunk HEC integration. Go to Settings → Security → Audit log → Streaming to configure a destination.
X-Liya-Signature header using the same HMAC-SHA256 approach as the Webhooks API.Retention
| Plan | Audit log retention |
|---|---|
| Starter | 90 days |
| Growth | 12 months |
| Scale | 24 months |
| Enterprise | Up to 7 years (configurable) |