A good Audit log needs to be searchable. Proper indexing on actors, actions, and targets is essential to being able to isolate and drill down into the history of application objects and events.


Generally, actors, event names, IPs are all linked to filter down to related activity. The viewer should allow the account admin to specify a date range to filter in conjunction with other filters and searches.

Search operators

In order to effectively search over the data it is helpful to implement search operators that allow the end user to specify which fields they’d like to match. The Replicated Audit Log Service implements this in the Embedded Viewers.

If you use the advanced search syntax, you can perform very specific and exact searches to find the data you are looking for. The syntax for this is key:value. For example, to search for all events that have an action that starts with user. you could enter the following query: action:user.*

This table shows the supported advanced searches:

Key Description Examples
action Matches events with the action equal to the value. This supports trailing wildcards. action:user.login
crud Matches events with crud type equal to any of the values. crud:c,u,d
received Matches events with the received field in the range. This accepts two comma-separated ISO 8601 datetimes. Either start or end may be omitted to search an unbounded time range. received:2017-05-01,2017-06-01
created Matches events with the created field in the range. created:2017-05-01,2017-05-02 Matches events performed by an actor whose name contains the value. actor:Smith Matches events performed by the actor with the exact id value. actor:b82c4cfa428342ac822c42c1f6b89200
description Matches events with a description containing the terms in the value. description:“elevated escalated”
location Matches events performed in a geographic region equal to the value. description:“Los Angeles”