Managed Audit Logs in Tesseral

Audit logs are a common feature in B2B SaaS products. They allow your customer’s security team to track what employees are doing in your product. When you use Tesseral, most of the work of having audit logs support is done for you.

An example of what your customers would see in the pre-built UI for audit logs.

What are managed audit logs?

B2B SaaS buyers often expect audit logs from their vendors. These audit logs are typically consumed by your customer’s security team, and it allows them to monitor employee activity and SaaS product usage.

With Tesseral, most of the work for audit logs is done for you. Tesseral’s managed audit logs are audit logs that your customers can use to see what’s going on in their Organization in your product.

Tesseral handles automatically collecting audit logs for activity like logins, logouts, inviting other users, modifying login settings, and more. These auto-collected events cover the bulk of the generic security-related activity that B2B SaaS buyers expect from their vendors. You do not need to write any code for these authentication-related events.

You can publish your own audit log events on top of the Tesseral-produced events.

Tesseral provides a user interface your customers can use to view, search, and export their audit logs. This functionality appears in the Self-Serve Organization Settings. You do not need to write any code to give your customers a UI for managing audit logs.

Publishing custom audit log events

Tesseral’s managed audit log events automatically collect many security-related events on your behalf. You can augment these events with additional events that are specific to your product.

To publish a custom audit log event, you’ll use the Tesseral Backend API’s CreateAuditLogEvent endpoint.

Next.js

Express.js

Flask

FastAPI

Go

These instructions assume you’ve already set up Tesseral for Next.js.

First, construct a Tesseral Backend API client:

1 import { TesseralClient } from "@tesseral/tesseral-node";
2 
3 const tesseralClient = new TesseralClient();

Then, anywhere in your code where you need to create an audit log event, call auditLogEvents.createAuditLogEvent():

1 // actions.ts
2 import { auth } from "@tesseral/tesseral-nextjs/serverside";
3 
4 export async function POST(request: Request) {
5   const { credentials } = await auth({ or: "throw" });
6 
7   // ...
8 
9   tesseralClient.auditLogEvents.createAuditLogEvent({
10     auditLogEvent: {
11       credentials: credentials,
12       eventName: "acme.expense_reports.approve",
13       eventDetails: {
14         "expenseReportId": "expense_report_123",
15       }
16     }
17   })
18 
19   // ...
20 }

When you pass along the current credentials, Tesseral will automatically know which User or (if enabled) API Key performed the action you’re audit logging.

Audit logs are only supported from server-side code.

Auto-collected audit logs

Tesseral’s managed audit logs automatically collect many security-related events on your behalf. You can also publish your own audit log events on top of the set of auto-collected events.

The following table lists the auto-collected audit log events that Tesseral produces.

Event Name	Description	Fields
`tesseral.api_keys.create`	When a managed API Key is created.	`apiKey`
`tesseral.api_keys.delete`	When a managed API Key is deleted.	`apiKey`
`tesseral.api_keys.revoke`	When a managed API Key is revoked.	`apiKey`, `previousApiKey`
`tesseral.api_keys.update`	When a managed API Key is updated.	`apiKey`, `previousApiKey`
`tesseral.api_keys.assign_role`	When a Role is assigned to a managed API Key.	`apiKeyRoleAssignment`
`tesseral.api_keys.unassign_role`	When a Role is removed from a managed API Key.	`apiKeyRoleAssignment`
`tesseral.organizations.update_domains`	When an Organization’s associated domains are updated.	`domains`, `previousDomains`
`tesseral.scim_api_keys.create`	When a SCIM API Key is created.	`scimApiKey`
`tesseral.scim_api_keys.update`	When a SCIM API Key is updated.	`scimApiKey`, `previousScimApiKey`
`tesseral.scim_api_keys.delete`	When a SCIM API Key is deleted.	`scimApiKey`, `previousScimApiKey`
`tesseral.scim_api_keys.revoke`	When a SCIM API Key is revoked.	`scimApiKey`, `previousScimApiKey`
`tesseral.user_invites.create`	When a User Invite is created.	`userInvite`
`tesseral.user_invites.delete`	When a User Invite is deleted.	`userInvite`
`tesseral.organizations.create`	When a Organization is created.	`organization`
`tesseral.organizations.update`	When an Organization is updated.	`organization`, `previousOrganization`
`tesseral.organizations.delete`	When an Organization is deleted.	`organization`
`tesseral.organizations.update_google_hosted_domains`	When an Organization’s Google hosted domains are updated.	`googleHostedDomains`, `previousGoogleHostedDomains`
`tesseral.organizations.update_microsoft_tenant_ids`	When an Organization’s Microsoft tenant IDs are updated.	`microsoftTenantIds`, `previousMicrosoftTenantIds`
`tesseral.saml_connections.create`	When a SAML connection is created.	`samlConnection`
`tesseral.saml_connections.update`	When a SAML connection is updated.	`samlConnection`, `previousSamlConnection`
`tesseral.saml_connections.delete`	When a SAML connection is deleted.	`samlConnection`
`tesseral.saml_connections.initiate`	When a SAML connection is initiated.	`samlConnection`
`tesseral.oidc_connections.create`	When a OIDC connection is created.	`oidcConnection`
`tesseral.oidc_connections.update`	When a OIDC connection is updated.	`oidcConnection`, `previousOidcConnection`
`tesseral.oidc_connections.delete`	When a OIDC connection is deleted.	`oidcConnection`
`tesseral.oidc_connections.initiate`	When a OIDC connection is initiated.	`oidcConnection`
`tesseral.sessions.create`	When a Session is created.	`session`, `samlConnectionId`, `oidcConnectionId`
`tesseral.sessions.refresh`	When a Session is refreshed.	`session`
`tesseral.users.create`	When a User is created.	`user`
`tesseral.users.update`	When a User is updated.	`user`, `previousUser`
`tesseral.users.delete`	When a User is deleted.	`user`
`tesseral.users.assign_role`	When a Role is assigned to a User.	`userRoleAssignment`
`tesseral.users.unassign_role`	When a Role is removed from a User.	`userRoleAssignment`
`tesseral.roles.create`	When a Role is created.	`role`
`tesseral.roles.update`	When a Role is updated.	`role`, `previousRole`
`tesseral.roles.delete`	When a Role is deleted.	`role`
`tesseral.passkeys.create`	When a Passkey is created.	`passkey`
`tesseral.passkeys.update`	When a Passkey is updated.	`passkey`, `previousPasskey`
`tesseral.passkeys.delete`	When a Passkey is deleted.	`passkey`