Audit Logs Exports

Requesting Access

To request access to Auth Audit Log exports for your integration, please contact customer support with the following information:

Client ID
Preferred destination (S3, etc.)
Desired export frequency

Export Destinations

Exports can be delivered to the following destinations:

Amazon S3

Direct delivery to your S3 bucket
Requires: bucket name, region, and appropriate IAM permissions
Primary destination for all exports
See S3 Destination

Other Destinations

Additional destinations may be available in future releases. Contact customer support to discuss your specific requirements or request new destination types.

Export Types

Full vs Differential Exports

Differential Exports: Each export contains only records that have been created since the last successful export. The system uses a checkpoint mechanism to track the last export timestamp per client and only includes records with created_at > last_checkpoint.

Full Exports: Full historical exports are available upon request. Contact customer support if you require a complete snapshot of all Auth Audit Log data regardless of creation date.

Scope

The Auth Audit Log export includes events from the following systems only:

fanscore-auth — core authentication events (login, password reset, account suspension, etc.)
social-logins — social login provider events

Export Scheduling

Exports can be configured to run at the following intervals:

Hourly: Every hour at a specified minute
Daily: Once per day at a specified time (UTC)
Weekly: Once per week on a specified day and time (UTC)
Custom: Contact customer support for custom scheduling requirements. We use Cron for scheduling: https://crontab.guru/

Data Formats

All Auth Audit Log exports are delivered as CSV files.

Export Samples

Auth Audit Log Export

The Auth Audit Log export contains authentication events such as logins, password resets, and account suspensions, including geolocation and user agent metadata.

Sample Export:

id	parent_id	system	actor_id	actor_client_id	actor_metadata	type	name	description	metadata	ip	created_at
a1b2c3d4-5678-90ab-cdef-1234567890ab		fanscore-auth	50123	ACME	{}	login	Successful Login	User successfully logged in	{"ip": "203.0.113.10", "city": "London", "country": "GB", "grantType": "password", "userAgent": "Mozilla/5.0 ..."}	203.0.113.10	2025-04-22 10:08:22
b2c3d4e5-6789-01bc-def0-2345678901bc		fanscore-auth	60234	ACME	{}	reset-password-link-request	Password Request Link Generated	Password reset link generated by administration	{"ip": "198.51.100.25", "city": "Manchester", "country": "GB", "userAgent": "Mozilla/5.0 ..."}	198.51.100.25	2025-06-26 16:12:16
c3d4e5f6-7890-12cd-ef01-3456789012cd		fanscore-auth	60234	ACME	{}	set-password-request	Password Updated	Account password successfully updated	{"ip": "198.51.100.25", "city": "Manchester", "country": "GB", "userAgent": "Mozilla/5.0 ..."}	198.51.100.25	2025-06-26 16:15:42
d4e5f6a7-8901-23de-f012-4567890123de	f5e6d7c8-9012-34ef-0123-567890abcdef	fanscore-auth	70345	ACME	{}	account-blacklisted	Account Suspended	Account suspended for the following reason: Policy violation	{"ip": "192.0.2.50", "city": "Dublin", "country": "IE", "type": "suspended", "reason": "Policy violation", "userAgent": "Mozilla/5.0 ..."}	192.0.2.50	2025-05-13 09:05:58
e5f6a7b8-9012-34ef-0123-5678901234ef	f5e6d7c8-9012-34ef-0123-567890abcdef	fanscore-auth	70345	ACME	{}	blacklist-removed	Account Suspension Removed		{"ip": "192.0.2.50", "city": "Dublin", "country": "IE", "userAgent": "Mozilla/5.0 ..."}	192.0.2.50	2025-05-14 08:24:26

Column Reference

Column	Type	Description
`id`	UUID	Unique log entry identifier
`parent_id`	Text	Parent event ID for correlated events (e.g. admin action and its effect)
`system`	Text	Source system (`fanscore-auth` or `social-logins`)
`actor_id`	Text	User ID that performed the action
`actor_client_id`	Text	Client ID of the actor
`actor_metadata`	JSON	Additional actor context (e.g. `{"targetAuthId": 12345}` for admin actions)
`type`	Text	Event type identifier
`name`	Text	Human-readable event name
`description`	Text	Detailed event description
`metadata`	JSON	Full event metadata including IP, geolocation, and user agent
`ip`	Text	IP address extracted from metadata
`created_at`	Timestamp	When the event occurred (UTC)
`severity`	Integer	Event severity level for SIEM, currently unused

Best Practices

Differential Processing: Exports are differential by default. Design your integration to process incremental updates and maintain a local copy of the full dataset
First Export: The first export will contain all historical records. Subsequent exports will only include changes
Data Processing: Always validate the JSON structure of metadata and actor_metadata before processing exports
Error Handling: Implement retry logic for failed export retrievals
Monitoring: Set up alerts for missing or delayed exports
Date Handling: All timestamps are in UTC; convert to your local timezone as needed
Parent Events: Use parent_id to correlate admin actions with their effects (e.g. an add-user-to-blacklist event and its corresponding account-blacklisted event)
Null Handling: Be prepared to handle empty values in optional fields like parent_id, description, and actor_metadata

Troubleshooting

Export Not Received

Verify your destination credentials are current
Check that your destination has sufficient storage space
Review any firewall or security rules that might block the delivery

Missing Historical Data

Exports are differential by default — you'll only receive changes since the last export
To receive all historical data, contact support to reset your export checkpoint

Data Discrepancies

Ensure you're processing the most recent export file
Verify timezone handling for date fields
Contact customer support if data appears incorrect

Empty Exports

Empty exports are normal when no authentication events have occurred since the last export
This indicates stable data with no new auth activity for the export period