Something goes wrong in a client’s environment. A password was changed, an asset record was modified, a credential was accessed. The first question anyone asks is: who did that?
If your IT documentation platform can’t answer that question — with specifics, with timestamps, with a before-and-after view — you’re flying blind. Weavestream’s built-in audit log is designed to make sure you never are.
Every Mutation, Every Time
Weavestream writes an audit entry for every create, update, delete, archive, and restore operation across the entire platform. That means asset records, passwords, documentation articles, company records, subnets, domains — all of it.
Each entry captures:
- Who — the user who performed the action
- What — the operation type and entity affected
- Where — the actor’s IP address and browser/client at the time
- When — a UTC timestamp
- Before and after — JSON snapshots of the record state, so you can see exactly what changed
That last point is worth emphasising. It’s not just a log of events — it’s a log of changes. If someone edits an asset field, you can expand the entry and see the exact value it held before, and the exact value it holds now. No guessing, no cross-referencing old exports.
Credential Access Is Logged Separately
Password reveals get their own audit category. Every time a user decrypts a credential and reads the plaintext secret, Weavestream writes a reveal entry capturing the actor, timestamp, IP, and which password was accessed.
For MSPs managing credentials across dozens of client environments, this is significant. You have a complete, timestamped access trail for every credential reveal — not just changes to the record, but every time someone actually looked at the secret. That’s the kind of visibility that compliance conversations are built on.
Tamper Protection That Actually Holds
An audit log is only as useful as it is trustworthy. If an operator with a compromised account — or a disgruntled employee — can quietly delete or modify audit entries, the log is worthless.
Weavestream addresses this at the database level. The application’s Postgres role has INSERT-only access to the audit table. There is no UPDATE or DELETE permission. Rewriting or removing audit history requires direct Postgres superuser access — something that cannot be done through the Weavestream API or admin UI, regardless of what role you hold in the application.
In practice: even a fully compromised SUPER_ADMIN account cannot cover its tracks. The log is append-only by design, not by policy.
A UI That Doesn’t Get in the Way
The audit log is accessible at /admin/audit for SUPER_ADMIN users. It’s paginated efficiently with server-side cursor pagination — so even very large audit tables load fast — and the filters let you narrow by date range, actor, action type, and entity type.
Filters are URL-sticky, which is a small thing that turns out to matter a lot in practice. If you find a relevant slice of the log — say, all password reveals in the last 30 days by a specific user — you can bookmark it or share the URL with a colleague and they’ll land on the exact same filtered view.
Each entry has an expandable diff view so you can inspect the before/after JSON without leaving the page.
Compliance Requirements, Covered
If your clients operate under frameworks that require audit trails — or if your own MSP has internal policies around change control and privileged access — Weavestream’s audit model maps cleanly to common requirements:
- Change history — every mutation is logged with full before/after state
- Privileged access monitoring — password reveal audit trail with actor, IP, and timestamp
- Tamper-evident logs — database-role-level append-only protection
- Session tracking — IP and user-agent recorded per event
- MFA enforcement — every account requires TOTP, so the actor identity is reliable
None of this requires extra configuration. It’s on by default, for every tenant, from day one.
Self-Hosted Means You Own the Data
Because Weavestream is self-hosted, the audit log lives in your own Postgres instance. You control retention, you control backups, and you control who has access to the underlying database. If a compliance engagement requires you to export audit records to a SIEM or produce them for an assessor, you’re working with your own data in your own infrastructure — no API rate limits, no vendor intermediary, no requests to a support team.
For MSPs who’ve spent time explaining to clients why their tooling vendor holds sensitive operational data, this point tends to land well.
See It in Action
If you’re running Weavestream, head to /admin/audit and take a look at what’s already been captured. Filter by a specific user or entity type and expand a few diff views. It’s the kind of feature that’s easy to overlook right up until the moment you need it — and when you do need it, you’ll be glad it was running all along.
Not yet on Weavestream? The quickstart guide gets you up and running with Docker Compose in a few minutes.