What the audit log contains
Each audit log entry records the following fields:
- Timestamp — exact date and time of the event (UTC)
- Event type — for example, request.blocked, ip.blocklisted, rule.created, user.login
- Source IP — the IP address involved in the event
- Target — the resource or endpoint affected
- Action taken — what Recon44 did (blocked, flagged, allowed, modified)
- Actor — the dashboard user who triggered the event, for configuration changes
- Hash — the SHA-256 hash of this entry chained to the previous entry
What “hash-chained” means for compliance
Each log entry includes the cryptographic hash of the entry before it. This creates a chain: if any record is deleted or modified after the fact, the hashes no longer match and tampering is immediately detectable.
Auditors familiar with blockchain-style evidence chains will recognize this pattern. You can present the chain integrity as evidence that log records have not been altered since they were written.
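The following is an added example, not Recon44's own code, showing how an auditor could check a hash chain like the one described above and locate a modified or deleted record. The key names, the all-zero starting value and the hashing scheme (SHA-256 over the previous hash plus the entry's sorted JSON) are assumptions; the page does not document the exact export schema.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry; not documented on the page

# Constructed sample events; key names are assumptions based on the field list above.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-05T10:00:00Z", "event_type": "user.login",
     "source_ip": "198.51.100.7", "target": "/dashboard", "action": "allowed"},
    {"timestamp": "2024-01-05T10:02:11Z", "event_type": "request.blocked",
     "source_ip": "203.0.113.9", "target": "/login", "action": "blocked"},
    {"timestamp": "2024-01-05T10:02:12Z", "event_type": "ip.blocklisted",
     "source_ip": "203.0.113.9", "target": "/login", "action": "blocked"},
]


def entry_hash(entry, prev_hash):
    """SHA-256 over the previous hash plus the entry's canonical JSON (assumed scheme)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_chain(events):
    """Build a sample chain so the verifier has input; stands in for an export."""
    chain, prev = [], GENESIS
    for event in events:
        prev = entry_hash(event, prev)
        chain.append({**event, "hash": prev})
    return chain


def verify_chain(entries, anchor=GENESIS):
    """Return the indexes of entries whose stored hash fails recomputation."""
    bad, prev = [], anchor
    for i, entry in enumerate(entries):
        if entry.get("hash") != entry_hash(entry, prev):
            bad.append(i)
        # Continue from the stored hash so one change is reported once, not on
        # every later entry.
        prev = entry.get("hash") or prev
    return bad


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    edited = [dict(e) for e in chain]
    edited[1]["action"] = "allowed"  # modify a record after the fact
    print(verify_chain(chain), verify_chain(edited), verify_chain(chain[:1] + chain[2:]))
```

A chain with entries removed from the end still verifies, so keep the final hash of each export stored separately if the export is used as evidence.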
Retention by plan
Free
7-day log retention. Audit log export is not available.
Pro
30-day log retention. Audit log export is not available.
Business
90-day log retention with full audit log export for SOC2 and ISO 27001 compliance.
Scale and Enterprise
Unlimited log retention. Audit log export included. Suitable for multi-year audit windows.
If you are mid-audit and realize your current plan does not cover the required retention window, upgrading your plan does not recover logs from before the upgrade. Plan ahead and upgrade before your audit window begins.
Export audit logs
Open the Audit Log page
In the dashboard, go to Compliance → Audit Logs from the left sidebar. You will see a filterable table of all recorded events within your plan’s retention window.
Set your date range
Use the Date range picker to select the period your audit covers. For SOC2 Type II audits, this is typically a 6- or 12-month window. For ISO 27001 surveillance audits, match the period specified by your certification body.
Apply filters (optional)
Narrow the export to specific event types using the Event type filter. For example, select only request.blocked and ip.blocklisted events if your auditor only needs WAF evidence. Leave filters clear to export all event types.
Choose an export format
Click Export and choose a format from the dropdown:
- JSON — machine-readable, includes full hash chain, recommended for auditors who will verify integrity programmatically
- CSV — spreadsheet-compatible, suitable for manual review and attaching to audit reports
- PDF — formatted report, suitable for directly attaching to audit evidence packages
Download the file
Click Download. The file is generated and downloaded immediately. Large exports (over 100,000 events) are prepared asynchronously and you will receive an email with a download link within a few minutes.
Using logs as audit evidence
SOC2 Type II
SOC2 Type II audits assess whether your security controls operated effectively over a defined period. Recon44 audit logs provide direct evidence for:
- CC6.6 — logical access controls (IP blocking rules, login events)
- CC6.8 — controls over malicious software and attacks (WAF block events)
- CC7.2 — monitoring system components for anomalies (all event types)
- CC7.3 — evaluating security events and disclosing information to affected parties
ISO 27001
ISO 27001 audits map to Annex A controls. Recon44 logs provide evidence for:
- A.12.4.1 — event logging (complete event log with timestamps)
- A.12.4.2 — protection of log information (hash-chained tamper evidence)
- A.12.4.3 — administrator and operator logs (configuration change events)
- A.13.1.1 — network controls (WAF and IP blocking events)
Internal security reviews
For internal reviews, use the CSV export to build reports in Excel or Google Sheets. Filter by event type to produce summaries such as “total blocked requests by month” or “IP addresses blocked most frequently.”