System Audit Log
DFIRe maintains an immutable audit log of all system activities. Every action taken by users and the system is recorded with full details, ensuring a complete chain of custody and compliance trail.
Audit Log Records
Each log entry contains the following information:
- Action type - The type of operation performed (CREATE, UPDATE, DELETE, etc.)
- Record type - The entity affected by the action (Case, Item, Attachment, TimelineEvent, User, Project, LegalEntity, System)
- Description - A human-readable description of the change that was made
- Timestamp - The exact date and time the action occurred, recorded to the second
- Username - The user who performed the action
- IP address - The IP address of the client that initiated the request
- Detailed change data - A structured diff showing OLD and NEW values for all modified fields, providing a complete record of what changed
System events such as heartbeats include health metrics in their change data, covering database status, Redis latency, and queue statistics.
Filtering the Audit Log
The audit log provides a set of filtering controls to help you locate specific entries:
- Search box - Free-text search across usernames, actions, labels, and content
- Actions dropdown - Filter by action type (CREATE, UPDATE, DELETE, etc.)
- Record Types dropdown - Filter by entity type (Case, Item, Attachment, TimelineEvent, User, Project, LegalEntity)
- Usernames field - Filter entries by specific users who performed the actions
- Date Range - Filter entries by a specific time period
- Reset button - Clears all active filters and returns to the unfiltered view
Immutability
Audit log records cannot be edited or deleted by any user, including administrators. This ensures a tamper-proof record for compliance and legal purposes. Records are stored with cryptographic integrity checks to detect any unauthorized modifications.
The audit log is append-only. Once written, entries cannot be modified or removed. This is by design to maintain forensic integrity.
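This page does not describe how DFIRe implements its integrity checks. The following added example (not DFIRe's code) shows one common scheme, an HMAC hash chain over append-only records, and how verification locates an edited, deleted, or truncated entry. The key handling, the `GENESIS` anchor, the field names, and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def digest(key, prev_hash, entry):
    # HMAC-SHA256 over the previous record's hash plus canonical JSON of this entry.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()


def append(log, key, entry):
    # Append-only write: every record commits to the record before it.
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": digest(key, prev, entry)})


def verify(log, key, expected_head=None):
    # Returns the index of the first record that fails, len(log) if the chain
    # is intact but does not end at expected_head (tail truncated), else None.
    prev = GENESIS
    for i, rec in enumerate(log):
        good = digest(key, prev, rec["entry"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["hash"], good):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def sample_log(key):
    # Constructed entries using the fields listed under "Audit Log Records".
    rows = [
        ("CREATE", "Case", "Case opened", {"status": {"OLD": None, "NEW": "open"}}),
        ("UPDATE", "Item", "Custodian changed", {"custodian": {"OLD": "alice", "NEW": "bob"}}),
        ("DELETE", "Attachment", "Attachment removed", {"name": {"OLD": "a.pdf", "NEW": None}}),
    ]
    log = []
    for n, (action, rtype, desc, changes) in enumerate(rows):
        append(log, key, {"action": action, "record_type": rtype, "description": desc,
                          "timestamp": f"2024-01-01T10:00:0{n}Z", "username": "analyst1",
                          "ip": "192.0.2.10", "changes": changes})
    return log
```

Removing the newest records leaves a chain that still verifies on its own, so truncation is only detectable when the latest hash is also held somewhere the application cannot rewrite, for example in an external log store.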
System Heartbeats
The system periodically records heartbeat entries that capture a snapshot of system health. Each heartbeat contains:
- Case statistics - Counts of open, closed, and archived cases
- Evidence item totals - The total number of evidence items across all cases
- User activity metrics - Information about active users and session counts
- Queue health - Pending, failed, and successful task counts for the background task queue
- Redis and database latency - Response time measurements for core infrastructure services
- Storage utilization - Current storage consumption and availability
- System version and uptime - The running application version and how long the system has been operational
These heartbeat entries provide a historical record of system health over time, allowing administrators to identify trends and diagnose issues retroactively.
Compliance and Export
The audit log supports regulatory compliance requirements including GDPR, PCI DSS, and other frameworks that mandate activity logging and traceability. All recorded events include sufficient detail to satisfy audit and reporting obligations.
Audit data can be forwarded to external SIEM systems via the Log Integration settings, enabling centralized log management and correlation with other security data sources.
For information on forwarding audit logs to external systems, see the Integrations documentation.