Audit logs record who did what, when, from where, and with what outcome across your Formbricks instance.

Benefits of audit logging

  • Compliance readiness — Many regulatory frameworks such as GDPR and SOC 2 require immutable records of user activity.
  • Security investigation support — Audit logs provide clear visibility into user and system actions, helping teams respond quickly and confidently during security incidents.
  • Operational accountability — Track changes across the system to answer common questions like “who modified this?” or “when was this deleted?”.

Prerequisites

RequirementNotes
redisUsed internally to guarantee integrity under concurrency.

Enabling audit logging

  1. Set the following environment variables in your deployment (Docker Compose, Kubernetes, etc.):
.env
# --- Audit logging ---
AUDIT_LOG_ENABLED=1
ENCRYPTION_KEY=your_encryption_key_here        # required for integrity hashes and authentication logs
REDIS_URL=redis://`redis`:6379                 # existing `redis` instance
AUDIT_LOG_GET_USER_IP=1                        # set to 1 to include user IP address in audit logs, 0 to omit (default: 0)
  1. Redeploy your containers.
  2. Confirm you can see audit logs in the output of your containers.

Audit logs are printed to stdout as JSON Lines format, making them easily accessible through your container logs or log aggregation systems.

Understanding the log format

Audit logs are JSON Lines (one JSON object per line). A typical entry looks like this:

{"level":"audit","time":1749207302158,"pid":20023,"hostname":"Victors-MacBook-Pro.local","name":"formbricks","actor":{"id":"cm90t4t7l0000vrws5hpo5ta5","type":"api"},"action":"created","target":{"id":"cmbkov4dn0000vrg72i7oznqv","type":"webhook"},"timestamp":"2025-06-06T10:55:02.145Z","organizationId":"cm8zovtbm0001vr3efa4n03ms","status":"success","ipAddress":"unknown","apiUrl":"http://localhost:3000/api/v1/webhooks","changes":{"id":"cmbkov4dn0000vrg72i7oznqv","name":"********","createdAt":"2025-06-06T10:55:02.123Z","updatedAt":"2025-06-06T10:55:02.123Z","url":"https://eoy8o887lmsqmhz.m.pipedream.net","source":"user","environmentId":"cm8zowv0b0009vr3ec56w2qf3","triggers":["responseCreated","responseUpdated","responseFinished"],"surveyIds":[]},"integrityHash":"eefa760bf03572c32d8caf7d5012d305bcea321d08b1929781b8c7e537f22aed","previousHash":"f6bc014e835be5499f2b3a0475ed6ec8b97903085059ff8482b16ab5bfd34062"}

Key fields:

FieldDescription
levelLog level, always "audit" for audit events
timeUnix timestamp in milliseconds
pidProcess ID of the logging instance
hostnameHostname of the server generating the log
nameApplication name, typically "formbricks"
timestampISO‑8601 time of the action
actorUser or API key responsible (object with id and type)
actionConstant verb‑noun string (survey.updated, login.failed, …)
targetThe resource affected (object with id and type)
statussuccess or failure
organizationIdOrganization identifier where the action occurred
ipAddressUser IP address, present only if AUDIT_LOG_GET_USER_IP=1, otherwise "unknown"
apiUrl(Optional) API endpoint URL if the logs was generated through an API call
eventId(Optional) Available on error logs. You can use it to refer to the system log with this eventId for more details on the error
changes(Optional) Only the fields that actually changed (sensitive values redacted)
integrityHashSHA‑256 hash chaining the entry to the previous one
previousHashSHA‑256 hash of the previous audit log entry for chain integrity
chainStart(Optional) Boolean indicating if this is the start of a new audit chain

Additional details

  • Redacted secrets: Sensitive fields (e‑mails, access tokens, passwords…) are replaced with "********" before being written.
  • Failure events count: Both successful and failed operations are logged.
  • Single source of truth: The same logs power the Formbricks UI and API endpoints.
  • Scope limitation: For now, only events triggered inside the Formbricks application are audited. This means:
    • Embed and Link Surveys are not included in the audit logs.
    • Survey responses created via the client API or client-side SDKs are not audited.