Observability & Compliance

One audit trail.
Everything. Everywhere.

Login events, app access, service access (eBPF), AuthFI Connect, network activity — all in one timeline. One dashboard for security. One export for auditors. No log aggregation required.

Unified timeline — every layer, one view

Follow a user across every layer of your stack. Login to app to service to cloud to network — all in one chronological feed. Color-coded by layer. Every decision logged.

Alice Chen, 2026-03-26
Layers: LOGIN, APP, SERVICE, CLOUD, NETWORK
10:30:01 LOGIN Email/password + TOTP MFA; IP: 10.0.1.50; UA: Chrome/macOS
10:30:05 APP require("read:patients") granted; Hospital App; session: sess_abc
10:30:05 SERVICE patient-api:8080 GET /api/patients/123; eBPF 45us; role: doctor
10:30:06 SERVICE imaging-api:8081 GET /api/images/xr-456; eBPF 38us; role: doctor
10:30:06 CLOUD GCP imaging-prod objectViewer token issued; duration: 1h; MFA: verified
10:30:07 NETWORK imaging-api -> postgres:5432 allowed; eBPF service-to-service
10:31:00 SERVICE billing-api:8082 POST /api/invoices DENIED; role "doctor" has no access to billing-api POST
10:31:05 LOGIN Login failed: bob@acme.com; IP: 45.33.12.8; reason: invalid password (attempt 3/5)

What gets logged

Five log categories, each with structured fields. Every event is queryable by any field. Retention configurable per plan.

Auth logs

Every authentication event — logins, logouts, MFA challenges, password resets, SSO, magic links, brute force detection.

Fields: user_email, auth_method, mfa_type, ip_address, user_agent, success, failure_reason, session_id

App access logs

Every OAuth2 authorization — token issuance, consent grants, scope validation, app access decisions.

Fields: user_id, app_id, scopes_granted, consent_type, token_type, expires_in

Service logs (eBPF)

Every HTTP request decision at the kernel level — allow/deny, user, method, path, latency, policy match.

Fields: user_email, method, path, service, decision, latency_us, policy_id, mfa_required

AuthFI Connect logs

Every cloud credential issuance — console signin, API credentials, which role, which account, MFA status.

Fields: user_email, provider, account, role, type, duration, mfa_verified, ip_address

Agent audit logs

Infrastructure findings — privileged containers, open ports, root processes, security posture scores per host.

Fields: host, finding, severity, resource, status, posture_score

Real-time streaming

Events stream to the console dashboard in real time via Server-Sent Events (SSE). Watch logins, access decisions, and security events as they happen. No polling. No delay.

Live Event Feed
All layers Last 5 min
now LOGIN diana@acme.com SSO (Okta) + MFA
2s ago SERVICE patient-api GET /api/patients alice@acme.com
5s ago CLOUD bob@acme.com AWS S3ReadOnly credentials issued
8s ago SERVICE billing-api POST /api/invoices eve@acme.com DENIED
12s ago APP charlie@acme.com authorized scope: read:billing Finance App
15s ago LOGIN unknown@external.com login failed (invalid password, attempt 4/5)
SSE endpoint:

GET /v1/acme/events/stream
Authorization: Bearer <admin-jwt>
Accept: text/event-stream

// Optional filters:
?layer=SERVICE,CLOUD
?user=alice@acme.com
?status=deny

// Events arrive as SSE:
data: {"layer":"SERVICE","user":"alice@acme.com",...}
data: {"layer":"CLOUD","user":"bob@acme.com",...}
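
A consumer for the stream described above, as an added example (not AuthFI's own code): it parses text/event-stream framing and keeps only deny decisions. The "decision" key in the event JSON is an assumption borrowed from the service log field list; the sample stream is constructed.

```python
import json

def parse_sse(lines):
    """Yield one decoded JSON object per SSE event from text/event-stream lines."""
    data = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":                      # blank line ends the current event
            payload, data = "\n".join(data), []
            if not payload:
                continue
            try:
                event = json.loads(payload)
            except json.JSONDecodeError:
                continue                    # drop a malformed frame, keep reading
            yield event
        elif line.startswith(":"):          # comment line, used as keep-alive
            continue
        else:
            field, _, value = line.partition(":")
            if field == "data":             # multi-line data fields are joined with \n
                data.append(value[1:] if value.startswith(" ") else value)
    # An event that is not terminated by a blank line is never dispatched.

def denied(events, layers=("SERVICE", "CLOUD")):
    """Keep deny decisions on the given layers ("decision" key is assumed)."""
    return [e for e in events
            if isinstance(e, dict) and e.get("layer") in layers
            and str(e.get("decision", "")).lower() == "deny"]

# Constructed sample stream, not captured from a real tenant.
SAMPLE = [
    ": keep-alive",
    'data: {"layer":"SERVICE","user":"alice@acme.com","decision":"allow"}',
    "",
    'data: {"layer":"SERVICE","user":"eve@acme.com",',
    'data:  "decision":"deny","path":"/api/invoices"}',
    "",
    "data: {not json",
    "",
    'data: {"layer":"LOGIN","user":"bob@acme.com","decision":"deny"}',
    "",
    'data: {"layer":"CLOUD","user":"bob@acme.com","decision":"deny"}',  # cut off: no blank line
]

if __name__ == "__main__":
    for e in denied(parse_sse(SAMPLE)):
        print(e["layer"], e["user"], e.get("path"))
```

Filtering client-side like this complements the server-side ?layer= and ?status= filters and keeps working if the connection drops mid-event, since a partial frame is never dispatched.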

SIEM export

Export logs to your existing security tools. CSV for spreadsheets and auditors. JSON for programmatic ingestion. Webhook for real-time forwarding to Splunk, Elastic, Datadog.

CSV export

Download filtered logs as CSV. Perfect for auditors, compliance reviews, and spreadsheet analysis.

GET /v1/acme/audit/export
?format=csv
&from=2026-03-01
&to=2026-03-26
&layer=CLOUD

2,847 events exported

JSON export

Structured JSON with full event details. Pipe into your data warehouse, SIEM, or custom dashboards.

GET /v1/acme/audit/export
?format=json
&user=alice@acme.com
&layer=SERVICE

NDJSON stream
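
Detection logic run over an NDJSON export, as an added example (not AuthFI's own code): it flags source IPs with a burst of failed logins inside a sliding window. It assumes each line carries the auth log fields listed earlier (user_email, ip_address, success) plus hypothetical "layer" and ISO 8601 "timestamp" keys; the sample lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def failed_login_bursts(ndjson, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> targeted users for IPs with >= threshold failures in a window."""
    failures = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("layer") == "LOGIN" and ev.get("success") is False:
            ts = datetime.fromisoformat(ev["timestamp"])   # assumed field name
            failures.append((ts, ev["ip_address"], ev["user_email"]))
    recent = defaultdict(deque)        # ip -> failures still inside the window
    flagged = defaultdict(set)
    for ts, ip, user in sorted(failures):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip].update(u for _, u in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

def _ev(hms, ip, user, ok):
    """Build one constructed export line."""
    return json.dumps({"layer": "LOGIN", "timestamp": f"2026-03-26T{hms}+00:00",
                       "ip_address": ip, "user_email": user, "success": ok})

# Constructed sample export: one burst, one typo, one slow trickle.
SAMPLE = "\n".join([
    _ev("10:29:50", "10.0.1.50", "alice@acme.com", False),
    _ev("10:30:01", "10.0.1.50", "alice@acme.com", True),
    _ev("10:31:05", "45.33.12.8", "bob@acme.com", False),
    _ev("10:31:20", "45.33.12.8", "bob@acme.com", False),
    _ev("10:31:40", "45.33.12.8", "bob@acme.com", False),
    _ev("10:32:10", "45.33.12.8", "unknown@external.com", False),
    _ev("10:32:30", "45.33.12.8", "unknown@external.com", False),
] + [_ev(f"09:{m:02d}:00", "198.51.100.7", "carol@acme.com", False)
     for m in (0, 10, 20, 30, 40)])

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE))
```

Keying on source IP rather than account catches attempts spread across several users, which a per-account lockout counter alone does not surface.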

Webhook forwarding

Forward events in real time to Splunk HEC, Elastic, Datadog, or any HTTP endpoint.

Webhook config:
url: https://splunk.acme.com/hec
events: [LOGIN, SERVICE, CLOUD]
format: json

Real-time delivery

Supported destinations

Splunk, Elasticsearch, Datadog, Sumo Logic, AWS CloudWatch, GCP Cloud Logging, Azure Monitor, Grafana, Prometheus, Any HTTP endpoint

OpenTelemetry export

Export authentication and access events as OpenTelemetry spans. Distributed tracing across your entire stack — from login to service to cloud. Enterprise feature.

What gets traced

  • Authentication flow (login → MFA → token issued)
  • OAuth2 authorization (consent → token exchange)
  • eBPF access decisions (request → policy eval → allow/deny)
  • Cloud credential issuance (token exchange → STS call)
  • SCIM provisioning (create/update/delete at target)

Configuration

OTEL config:

endpoint: https://otel.acme.com:4317
protocol: grpc
headers:
  Authorization: Bearer <token>
resource:
  service.name: authfi
  service.version: 1.0

Spans include trace_id, span_id, parent
Correlate with your app's traces
Distributed trace — alice@acme.com views patient record:

trace_id: abc123

  | authfi.login     120ms (email + TOTP MFA)
  || authfi.authorize   8ms   (scope: read:patients)
  ||| your-app.handler  45ms  (GET /patients/123)
  |||| authfi.ebpf    0.045ms (policy check)
  |||| authfi.cloud  85ms   (GCP token exchange)
  ||||| gcs.getObject 120ms (patient image)

// One trace_id across AuthFI + your app + cloud
Enterprise OTEL export is available on Enterprise plans. Contact us to enable.

Built-in analytics dashboards

Pre-built dashboards for security, operations, and compliance. No external tools needed. Real-time data from all layers.

Line chart

Logins over time

Success vs failure. Hourly, daily, weekly. Spike detection for brute force attacks.

Bar chart

Top applications

Most accessed apps by user count and token issuance. Identify unused apps.

Pie chart

Auth methods

Password vs SSO vs magic link vs passkey. Track MFA adoption rate over time.

Table

Denied requests

eBPF denials by service, user, and reason. Identify misconfigured policies.

Heatmap

AuthFI Connect frequency

Which clouds, which roles, how often. Track credential issuance patterns.

Area chart

Active sessions

Concurrent sessions over time. Per-user session count. Anomaly detection.

Dashboard preview
12,847 events today
99.2% login success rate
23 denied requests
87% MFA adoption
Logins over time (7d): chart by day, Mon to Sun
Auth methods breakdown
  • SSO (SAML/OIDC): 52%
  • Email + password: 28%
  • Magic link: 12%
  • Passkey: 8%

Compliance — audit-ready from day one

AuthFI's unified audit trail makes compliance evidence easy. Access reviews, login reports, change management audit — all exportable in the format auditors expect.

SOC 2 Type II

Supported
  • Access control logs
  • Change management audit
  • MFA enforcement evidence
  • User lifecycle events

HIPAA

Supported
  • PHI access logging
  • User authentication audit
  • Access review reports
  • Minimum necessary access

GDPR

Supported
  • Consent tracking
  • Data access logs
  • Right to erasure evidence
  • Data processing records

ISO 27001

Supported
  • Information security events
  • Access control records
  • Incident response logs
  • Risk assessment data

Access review workflow

1. Generate report: All users + their roles + last activity
2. Review access: Manager approves or revokes per user
3. Apply changes: Revoked users lose access immediately
4. Export evidence: CSV/PDF for auditor with timestamps

Available on Free and above. See pricing →

One platform. Every identity layer.
Free to start.

Free for 5,000 users. Upgrade when you're ready.

Start building free →

Startups and enterprises get 1 year free →