Skip to main content



Unravel tracks the actions that create, change, and delete resources as audit events to support auditing for security reasons. A set of attributes describes each audit event. For example, the time of the event (in UTC), the action, the subject (who invokes the action), the object affected by the action, and so on. Unravel admins can search and sort events by these attributes and download the results.

List of audit events

Audit events are classified based on the following components of Unravel:


Unravel supports the following audit events for RBAC:

  • Login

  • Logout


Unravel supports the following audit events for Alerts:

  • An AutoAction is created, edited, or deleted.

  • An AutoAction triggers one of the following actions:

    • Email

    • HTTP Post

    • Post to Slack

    • Move application to queue

    • Kill application

    • Custom action


Unravel supports the following audit events for reports:

  • On-demand report generation by a user

  • Scheduled report generation invoked by Unravel

  • Creation, modification, and deletion of a report.


Unravel supports audit events for the services and configuration changes that are done via the Unravel Manager service.

Enabling audit events in Unravel
  1. Stop Unravel.

  2. Set the following properties.

    <Unravel installation directory>/unravel/manager config properties set unravel.audit.enabled <true/false>
    <Unravel installation directory>/unravel/manager config properties set <timeout in seconds>
    <Unravel installation directory>/unravel/manager config properties unravel.audit.dateFormat <YYYY-MM-DDTHH:mm:ss.SSS[Z]>

    Refer to the following table for more details of the properties.

  3. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
  4. Start Unravel.

    <Unravel installation directory>/unravel/manager start
Accessing audit Events from Unravel UI

Only users with admin roles have access to Audit. They can access Audit in the Unravel UI by navigating to Manager > Audit.

Viewing audit Events

Only users with an admin role can view the audit events from the UI. To view the audit events:

  1. On the Unravel UI, go to Manager > Audit.

  2. Select one of the following time periods from the drop-down on the upper right.

    • Last 1 Hour

    • Last 2 Hours

    • Last 6 Hours

    • Last 12 Hours

    • Today

    • Yesterday

    • Custom Date

    The audit events are displayed. After the results are displayed, you can sort the events by any columns. You can also filter the events based on any of the following:

    • Component: RBAC, Alert, Report, Manage

    • Access Type: NA, Create, Read, Update, Delete

    • Status: NA, Unknown, Success, Failed

    You can also use the Search option to filter out the events based on the search criteria.

    The following columns are displayed for the audit events:




    Date and time when the event occurred.


    The name of the user who has performed the action that led to the event.


    The action, which led to the event being generated.


    The object that is affected by the action. For example: For example, if a report is created, the object is the report ID.


    A component of Unravel with which the event is associated.

    Access Type

    Type of access that the action involves; CREATE, READ, UPDATE, DELETE.


    The role of the user who has performed the action that led to the event.


    The client IP address where the action is initiated.


    The name or IP address of the host on which the action is performed.


    Status of the action; NA, UNKNOWN, SUCCESS, FAILED.

    Cluster Name

    The ID of the cluster where the action occurs.


    The text field adds any extra information unique to that event.

The Search option can be used to filter out the events based on the search criteria.

Downloading the audit events

You can download the audit events in a CSV format. Click downloadcsv.png and save the CSV file.