Logs
The Logs page is the Phase 1 SIEM-lite search surface. It shows normalized log events from tenant-scoped log sources and keeps raw payload access out of the operator console.
What Operators Can See
- Registered log sources for the current tenant.
- Normalized events with timestamp, severity, source, asset, category, and bounded message summary.
- Structured normalized fields for a selected event.
- Correlation IDs that link SIEM detections to generic alerts, tickets, evidence, and audit trails.
Boundaries
Search is intentionally simple: time range, severity, asset, source, category, free text, limit, and offset. There is no custom SIEM query language, raw log export, ML anomaly detection, or full correlation engine in Phase 1.
Auditors may read normalized log search/detail data when their role allows it. Auditor reads apply server-side redaction to message summaries and structured fields before the response leaves the API. Operators and tenant admins can register sources and ingest logs; auditors cannot ingest.
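One way the bounded search and the auditor redaction described above could fit together, as an added example that is not the product's own code. The role names, the filter keys `start`, `end` and `text`, the limit cap, the event layout, and the redaction policy (mask e-mail and IPv4 values, blank the `user` field) are all assumptions.

```python
import re

# Filter names follow the page's list ("start"/"end" stand in for the time range).
# Role names, the limit cap and the redaction policy are assumptions.
EXACT = ("severity", "asset", "source", "category")
ALLOWED_FILTERS = {*EXACT, "start", "end", "text", "limit", "offset"}
READ_ROLES = {"operator", "tenant_admin", "auditor"}
MAX_LIMIT = 100
SENSITIVE_FIELDS = {"user"}
MASK = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _mask(value):  # mask e-mail/IPv4 substrings; non-strings pass through
    return MASK.sub("[REDACTED]", value) if isinstance(value, str) else value

def redact(event):
    fields = {k: "[REDACTED]" if k in SENSITIVE_FIELDS else _mask(v)
              for k, v in event["fields"].items()}
    return {**event, "message": _mask(event["message"]), "fields": fields}

def search(events, tenant, role, **filters):
    if role not in READ_ROLES:
        raise PermissionError(f"role {role!r} may not read logs")
    unknown = set(filters) - ALLOWED_FILTERS
    if unknown:  # no query language: anything off the list is rejected
        raise ValueError(f"unsupported filters: {sorted(unknown)}")
    limit = max(1, min(int(filters.get("limit", 50)), MAX_LIMIT))
    offset = max(0, int(filters.get("offset", 0)))
    hits = []
    for e in events:
        if e["tenant"] != tenant:  # tenant comes from the session, never from a filter
            continue
        # Auditors are matched against the redacted view, so free-text search
        # cannot confirm a value that the response would hide.
        view = redact(e) if role == "auditor" else dict(e)
        if (any(k in filters and view[k] != filters[k] for k in EXACT)
                or not filters.get("start", "") <= view["ts"] <= filters.get("end", "9999")
                or filters.get("text", "").lower() not in view["message"].lower()):
            continue
        hits.append(view)
    return hits[offset:offset + limit]

# Constructed sample events, not real log data.
EVENTS = [
    {"tenant": "t1", "ts": "2024-01-01T10:00:00Z", "severity": "high", "asset": "web-1",
     "source": "nginx", "category": "auth", "fields": {"user": "bob", "src_ip": "10.0.0.5", "status": 401},
     "message": "login failed for bob@example.com from 10.0.0.5"},
    {"tenant": "t2", "ts": "2024-01-01T11:00:00Z", "severity": "low", "asset": "db-1",
     "source": "syslog", "category": "system", "fields": {}, "message": "disk usage 91%"},
]
```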