Audit Logging
Rime records every user action as a structured audit log entry. Audit logging is always on — it cannot be disabled. Logs capture who did what, when, and whether the action succeeded or failed.
Audit logging uses a fire-and-forget pattern: the log write happens asynchronously and never blocks the operation being logged. If the log write fails (e.g., a transient database error), the operation still completes successfully. Failed log writes are retried, and persistent failures are reported to Rime’s internal monitoring.
What is logged
Every action a user takes in Rime generates an audit log entry. The categories of logged events include:
Authentication events
| Event | Details captured |
|---|---|
| Login (success) | User, authentication method (SSO/OAuth/email), source IP, timestamp |
| Login (failure) | Attempted user, authentication method, failure reason, source IP |
| Logout | User, session duration |
| Session expiry | User, session age |
| Session revocation | Revoking administrator, target user |
| Password change | User (password value is never logged) |
| Password reset request | User email |
Resource changes
| Event | Details captured |
|---|---|
| Resource created | User, resource type, resource name, configuration values |
| Resource modified | User, resource type, resource name, changed fields (before and after values) |
| Resource deleted | User, resource type, resource name |
| Infrastructure plan | User, resources in plan, planned actions (create/modify/destroy) |
| Infrastructure apply | User, resources applied, result (success/failure) |
Resources include Snowflake objects (databases, schemas, warehouses, roles), AWS resources (S3 buckets, IAM roles), connectors, pipelines, dbt projects, alert rules, and masking policies.
Data governance events
| Event | Details captured |
|---|---|
| Column classified | User, column path, privacy level, PII type |
| Column reclassified | User, column path, old and new classification |
| Masking policy changed | User, policy name, affected privacy level or PII type |
| Role visibility granted | User, role, privacy level or PII type |
| Role visibility revoked | User, role, privacy level or PII type |
| PII scan completed | Scan scope, columns flagged, detection counts |
| PII detection dismissed | User, column path, dismissed pattern |
Operational events
| Event | Details captured |
|---|---|
| Connector run started | User (or scheduler), connector name |
| Connector run completed | Connector name, result, row count, duration |
| Pipeline run started | User (or scheduler), pipeline name |
| Pipeline step completed | Pipeline name, step name, result |
| dbt run completed | Project name, result, model count, test count |
| Report generated | User, report type, scope |
| Report exported | User, report type, format |
Log format
Each audit log entry is a structured JSON object with these fields:
| Field | Type | Description |
|---|---|---|
id | UUID | Unique identifier for the log entry |
timestamp | ISO 8601 | When the event occurred, in UTC |
tenant_id | UUID | The tenant where the event occurred |
user_id | UUID | The user who performed the action (null for system events) |
user_email | String | The user’s email at the time of the event |
action | String | The action performed (e.g., resource.created, auth.login.success) |
resource_type | String | The type of resource affected (e.g., connector, masking_policy) |
resource_id | UUID | The specific resource affected (null for non-resource events) |
resource_name | String | Human-readable name of the affected resource |
details | JSON | Action-specific details (changed fields, configuration values, etc.) |
result | String | success or failure |
source_ip | String | The IP address the request originated from |
Viewing audit logs
Navigate to Governance > Audit Log to view your tenant’s audit logs.
Filtering
The audit log viewer supports filtering by:
- User — select one or more users to see only their actions
- Action — filter by action type (e.g., all authentication events, all resource changes)
- Resource type — filter to a specific resource type (e.g., only connector events)
- Date range — select a start and end date
- Result — filter by success or failure
Filters can be combined. For example, you can view all failed authentication events from a specific user in the last 7 days.
Search
Full-text search is available across all log fields. You can search for:
- A user’s email address
- A resource name (e.g., the name of a specific connector)
- An IP address
- Any text that appears in the details field
Search results are sorted by timestamp (most recent first) and highlighted to show where the search term matched.
Log detail view
Selecting a log entry opens the detail view, which shows all fields including the full details JSON object. For resource change events, the detail view shows a before/after diff of the changed fields.
Export
Audit logs can be exported for archival, compliance, or analysis:
- Navigate to Governance > Audit Log
- Apply any desired filters (the export includes only filtered results)
- Select Export
- Choose the format:
- CSV — one row per log entry, suitable for spreadsheets and data analysis tools
- JSON — one JSON object per line (JSON Lines format), suitable for log aggregation systems and programmatic processing
- Select Download
Exports include all fields described in the log format section. The details field is serialised as a JSON string in CSV exports.
For large exports (more than 100,000 entries), the export runs asynchronously and a download link is emailed to you when it completes.
Retention
Audit log retention depends on your Rime tier:
| Tier | Retention period |
|---|---|
| Free/Trial | 7 days |
| Small Business | 30 days |
| Business | 90 days |
| Business Critical | 1 year |
Logs older than the retention period are permanently deleted and cannot be recovered. If you require longer retention, set up a scheduled export to your own storage. See Compliance Reporting for scheduled report options.
The retention period applies to Rime’s own audit logs. Snowflake’s access history (used in the compliance reporting audit summary) has its own retention policy determined by your Snowflake edition.
Integration with compliance reporting
Audit log data feeds into the Compliance Reporting audit summary report, which combines Rime audit events with Snowflake access history into a unified view. The compliance report adds anomaly detection and trend analysis on top of the raw audit log.
Best practices
- Review regularly — check the audit log at least weekly for unexpected activity, particularly failed authentication attempts and changes to masking policies or role visibility
- Export before tier downgrade — if you are considering downgrading your tier, export your audit logs first. The shorter retention period of the lower tier will purge older logs
- Export before tenant deletion — tenant deletion drops the entire database, including all audit logs. Export any logs required for compliance before initiating deletion
- Use filters for incident investigation — when investigating a security event, start by filtering to the relevant user and time range, then expand the search as needed
Next steps
- Review Compliance Reporting for aggregated audit analysis
- Set up Authentication to ensure all users are properly identified in logs
- Understand Tenant Isolation to see how audit logs are isolated per tenant
- Check Compliance for regulatory audit requirements