Audit Trail & Activity Logs

Audit Trail & Activity Logs

KyberAccess maintains a comprehensive audit trail that records every action taken within the system. From visitor check-ins and setting changes to user logins and data exports, every event is logged with a timestamp, the user who performed the action, and the originating IP address. This audit trail is essential for security investigations, compliance audits, and operational accountability.

This guide explains how to access, search, filter, and export audit logs.

Accessing the Audit Trail

1. Log in to your KyberAccess dashboard at app.kyberaccess.com.
2. Navigate to Settings from the left sidebar.
3. Click Audit Trail under the Security section.
4. The Audit Log viewer opens, displaying the most recent events in reverse chronological order.

Note: Only users with the Owner or Admin role can access the Audit Trail. Managers, Front Desk, and View Only users do not have access.

Understanding Log Entries

Each audit log entry contains the following information:

• Timestamp — The exact date and time the action occurred (displayed in your organization's time zone)
• User — The name and email of the person who performed the action
• Action — A description of what happened (e.g., "Checked in visitor," "Updated settings")
• Category — The type of action (Visitor, User, Settings, Security, Reports, Integration)
• Target — The entity affected (e.g., a specific visitor's name, a setting name, a user account)
• IP Address — The IP address from which the action was performed
• Device/Browser — The browser and operating system used
• Location — The KyberAccess location where the action occurred (for multi-location setups)

Types of Events Logged

KyberAccess logs the following categories of events:

Visitor Events

• Visitor checked in (manual or kiosk)
• Visitor checked out
• Visitor denied entry
• Visitor record edited
• Visitor record deleted
• Pre-registration created
• Pre-registration modified or cancelled
• ID scanned and verified
• Photo captured
• Photo match passed / failed
• NDA/waiver signed
• Watchlist screening triggered
• Badge printed
• Visitor notification sent to host

User & Account Events

• User logged in
• User logged out
• Failed login attempt
• Password changed
• Password reset requested
• New user invited
• User role changed
• User deactivated or removed
• Two-factor authentication enabled/disabled

Settings Events

• Check-in flow modified
• Custom field added, edited, or removed
• Badge template updated
• NDA/waiver template updated
• Watchlist updated
• Notification settings changed
• Integration enabled or disabled
• Kiosk mode settings changed
• Organization branding updated

Security Events

• Watchlist hit detected
• BOLO alert triggered
• Emergency lockdown activated
• Emergency lockdown deactivated
• Evacuation mode activated
• Data export performed
• Audit log accessed
• API key created or revoked

Report Events

• Report generated
• Report exported
• Report shared
• Scheduled report created or modified

Searching and Filtering Logs

Quick Search

1. Use the search bar at the top of the Audit Log viewer.
2. Enter any keyword — a user name, visitor name, action type, or IP address.
3. Results filter in real-time as you type.

Advanced Filters

1. Click the Filters button (funnel icon) to expand the filter panel.
2. Apply one or more filters:
   • Date Range — Select a start and end date
   • User — Filter by the user who performed the action
   • Category — Select one or more categories (Visitor, User, Settings, Security, Reports, Integration)
   • Action Type — Filter by specific action (e.g., "Checked in," "Login failed")
   • Location — Filter by location
   • IP Address — Search for a specific IP
3. Click Apply Filters.
4. To clear filters, click Reset.

Tip: Use the IP address filter to investigate suspicious activity from unknown addresses.

Viewing Event Details

1. Click on any log entry to expand its details.
2. The detail panel shows:
   • Full action description with before/after values (for edits)
   • Related entities (e.g., which visitor, which setting)
   • Session information (login session ID, duration)
   • Request metadata (API endpoint, HTTP method if triggered via API)
3. For visitor events, click View Visitor Record to jump to the visitor's profile.
4. For user events, click View User Profile to see the user's account.

Exporting Audit Logs

1. Apply any desired filters to narrow the results.
2. Click the Export button in the top-right corner.
3. Choose a format:
   • CSV — All filtered events as raw data
   • PDF — Formatted report with summary statistics
4. Click Download.
5. For exports covering more than 100,000 events, the export runs in the background and you'll receive an email with a download link.

Note: Audit log exports are themselves logged in the audit trail for accountability.

Retention Policy

KyberAccess retains audit logs based on your subscription plan:

After the retention period, logs are automatically archived. Archived logs can be retrieved upon request for Enterprise plans.

To view your current retention setting:

1. Go to Settings → Security → Audit Trail.
2. The retention period is displayed at the top of the page.

Real-Time Activity Feed

For live monitoring, KyberAccess provides a real-time activity feed:

1. On the main Dashboard, look for the Activity Feed widget on the right side.
2. This widget shows events as they happen in real-time.
3. Click any event in the feed to view its full details.
4. The feed auto-refreshes every 10 seconds.

To add the Activity Feed widget to your dashboard:

1. Click Customize Dashboard (gear icon).
2. Drag the Activity Feed widget to your preferred position.
3. Click Save Layout.

Security Alerts from Audit Logs

KyberAccess can automatically detect suspicious patterns in the audit trail and alert you:

1. Go to Settings → Security → Alert Rules.
2. Click + New Alert Rule.
3. Configure the alert:
   • Multiple failed login attempts — Alert after N failed logins from the same user or IP
   • Login from new IP — Alert when a user logs in from an IP not seen before
   • Bulk data export — Alert when a large export is performed
   • Settings changes — Alert when critical settings are modified
   • After-hours activity — Alert for actions performed outside business hours
4. Choose the notification method:
   • Email to admin
   • Push notification
   • Slack message
5. Click Save Rule.

API Access to Audit Logs

Audit logs are available via the KyberAccess REST API:

GET /api/v1/audit-logs

Query parameters:

• start_date — ISO 8601 date
• end_date — ISO 8601 date
• category — Filter by category
• user_id — Filter by user
• limit — Number of results (max 1000 per page)
• offset — Pagination offset

See the API Reference documentation for full details.

Compliance Use Cases

The audit trail supports various compliance requirements:

• SOC 2 — Demonstrates access control and change management logging
• GDPR — Shows data access and processing activities for data subject requests
• HIPAA — Documents access to facilities containing PHI
• ITAR — Logs visitor screening and access control for restricted facilities
• Corporate policies — Provides evidence for internal investigations and HR reviews

Troubleshooting

Best Practices

• Review the audit trail weekly — Look for unusual patterns, failed logins, or unauthorized setting changes.
• Set up security alerts — Don't rely on manual review alone. Automated alerts catch issues faster.
• Export logs before retention expiry — If you need long-term records, export and archive them externally.
• Use the audit trail for training — Review common errors or incorrect workflows to improve staff training.
• Document audit procedures — For compliance, maintain a written procedure for how and when you review audit logs.