Cadres Manual | Audit & Webhooks

Prerequisites

audit_logs.view for viewing the audit trail
audit_logs.export for CSV export of audit logs
session_recordings.view for viewing terminal/desktop sessions and recordings
monitoring.view for viewing webhook subscriptions and deliveries
monitoring.manage for creating/modifying webhooks and triggering tests
Notification endpoints require only authentication (no specific permission)

Understanding Audit Logs

Every mutation in SPOG is recorded as an audit log entry. The system uses a hash chain for tamper detection — each log entry's SHA256 hash includes the previous entry's hash, creating a blockchain-style integrity chain.

What Gets Logged

All API mutations across every router: host create/delete, script executions, credential changes, policy updates, user modifications, agent registrations, workflow actions, and more. Each entry captures:

ActionWhat happened (e.g., host deleted, script executed, identity created).

Actor TypeWho did it: User, System, Agent, or Workflow.

Resource TypeWhat was affected (e.g., host, script, identity).

Resource IDID of the affected resource.

Before StateSnapshot of the resource before the change (for mutations).

After StateSnapshot of the resource after the change.

User IPClient IP address.

HashSHA256 hash linking to the previous entry for integrity verification.

Actor Types

Actor Type	Description	Source
User	A named user performing an action	Web UI or API actions
System	An automated system process	Scheduler, automated tasks
Agent	A managed endpoint agent	Agent heartbeats, job results
Workflow	A workflow automation step	Workflow automation steps

Viewing Audit Logs

Search and Filter

Navigate to Audit Logs from the sidebar. Use the following filters to narrow results:

ActionFilter by action type (e.g., host deleted, script executed).

Resource TypeFilter by resource type (e.g., host, script, identity).

Actor TypeFilter by who performed the action (User, System, Agent, Workflow).

OrganizationFilter to a specific organization.

Time Window1 to 365 days. Default 7.

PaginationUse skip and limit controls to page through results.

Results include the user email and resource name for readability.

Recent Activity

The Recent Activity view shows the last 10 entries (up to 50). Useful for dashboard widgets.

Audit Detail

Click on any audit log entry to view the full detail, including before and after snapshots of the changed resource. Entries are tenant-isolated — you can only view entries within your own account.

Audit Statistics & Export

Statistics

Navigate to Audit Logs > Statistics to view a summary for a configurable time window (default: 7 days):

Total EventsTotal audit events in the time period.

By ActionEvent counts grouped by action type.

By ResourceEvent counts grouped by resource type.

CSV Export

Click Export on the audit log page to download a CSV file. Requires audit_logs.export permission. Supports the same filters as the list view.

Integrity Verification

Navigate to Audit Logs > Integrity to verify the hash chain. The verification walks the entire chain and reports any broken links. A broken link indicates potential tampering or data corruption.

Hash chain is best-effort under concurrency. Concurrent log creation can cause hash chain gaps. This is expected under high load and does not necessarily indicate tampering.

Session Recordings

All terminal and desktop sessions are automatically recorded for compliance and forensic review.

Terminal Sessions

Navigate to Terminal > Sessions to view active terminal sessions (filtered by host access).
Each session shows: session ID, host, hostname, user email, start time, and shell type.

Terminal Recordings

Navigate to Terminal > Recordings. Optionally filter by host or user.
Each recording shows: duration, bytes in/out, user email, and start/end times.
Click a recording to view the full playback with events in asciicast v2 format.
Click Download .cast to export a file compatible with asciinema play.

Desktop Recordings

Navigate to Desktop > Recordings to view desktop session recordings.
Each recording shows: frame count, total bytes, duration, and file path.
Click Playback to stream the recording in real time via the browser.

Asciicast v2 format. Terminal recordings use the standard asciicast v2 format: a JSON header line followed by event arrays [elapsed_seconds, "o"/"i", data]. Compatible with the asciinema player for browser playback.

Configuring Webhooks

Webhook subscriptions push event notifications to external HTTPS endpoints when things happen in SPOG.

Create a Subscription

Navigate to Webhooks from the sidebar.
Review the available event types on the Event Types tab.
Click Create Webhook and fill in the fields below.

OrganizationWhich organization's events to subscribe to.

NameMust be unique within the organization.

URLHTTPS endpoint to receive events.

SecretOptional HMAC-SHA256 signing secret. Used to generate a signature header for payload verification.

HeadersOptional extra HTTP headers (e.g., Authorization bearer tokens).

Event TypesSelect which event types to receive. Leave empty to receive all events.

ActiveEnable or disable the subscription.

Test a Webhook

Open the webhook detail page and click Test.
A test ping event is sent to the endpoint synchronously.
The result (success/failure, status code, and response body) is displayed immediately.
Test deliveries are not recorded in the delivery history.

Manage Subscriptions

Click Edit on a webhook to update its name, URL, secret, headers, event types, or active status.
Click Delete to remove the subscription and all its delivery history.

Webhook Event Types

Event Type	Description
`alert.fired`	Alert rule triggered.
`alert.resolved`	Alert condition cleared.
`alert.acknowledged`	Alert acknowledged by a user.
`job.completed`	Job finished successfully.
`job.failed`	Job execution failed.
`host.online`	Host came online (agent heartbeat resumed).
`host.offline`	Host went offline (heartbeat missed).
`deployment.started`	Deployment initiated.
`deployment.completed`	Deployment finished successfully.
`deployment.failed`	Deployment failed.
`deployment.cancelled`	Deployment cancelled.
`compliance.scan_completed`	Compliance scan finished.
`drift.detected`	Configuration drift detected against baseline.

Webhook Delivery & Retry Logic

Payload Format

{
  "event_type": "alert.fired",
  "timestamp": "2026-02-23T12:00:00.000000Z",
  "source": "spog-rmm",
  "organization_id": 1,
  "account_id": 1,
  "data": { ... event-specific data ... }
}

Headers included with every delivery:

Content-Type: application/json
X-Webhook-Event: {event_type}
X-Webhook-Signature: sha256={hmac_hex} (only if secret is configured)

Delivery State Machine

pending --> delivering --> delivered
                          \--> retrying --> delivering (next retry)
                                       \--> failed (max attempts exceeded)
                          \--> failed (subscription disabled/deleted)
failed --> retrying (manual retry via POST /retry)

Retry Schedule

Attempt	Delay	Cumulative
1	Immediate	0 min
2	1 min	1 min
3	5 min	6 min
4	15 min	21 min
5	60 min	81 min
6 (max)	240 min	321 min

After 5 failed attempts, the delivery is permanently marked as failed. Successful deliveries that are not claimed within 30 days are cleaned up by the scheduler.

Monitoring Deliveries

Navigate to the webhook detail page > Deliveries tab to view delivery history. Filter by status and event type.
Each delivery shows: attempt count, response status code, error message, and timestamps.
Click Retry on a failed delivery to manually re-attempt it (resets the attempt count).

Notification System

In-app notifications provide real-time alerts to users via the web UI. They are persisted in the database and pushed over WebSocket for instant delivery.

Viewing Notifications

Click the notification bell icon in the top bar to view your notifications.
Filter by read/unread status and category (job, deployment, alert, security, system).
Broadcast notifications (not targeted to a specific user) also appear in your feed.

Managing Read Status

Click a notification to mark it as read.
Click Mark All Read to clear all unread notifications.
The unread count badge on the bell icon updates in real time.

Real-Time Delivery

Notifications are pushed to the browser in real time via WebSocket.
New notifications appear immediately without page refresh.
Dashboard updates are also pushed in real time when relevant data changes.
A keepalive ping runs every 30 seconds to maintain the connection.

Multi-instance delivery. When running multiple backend instances, notifications are propagated via PostgreSQL LISTEN/NOTIFY so that WebSocket connections on any instance receive events.

Notification Channels (External Delivery)

Notification channels deliver alert and remediation notifications to external systems. They are separate from the in-app notification system described above and from the webhook event subscriptions described earlier. Alert rules and event alert rules reference notification channels by ID to route notifications externally when alerts fire.

Channel types

Type	Delivery method	Required config
Email	SMTP	SMTP Host, From Address, To Addresses (list). Optional: SMTP Port (default 587), SMTP Username, SMTP Password, Use TLS (default: enabled).
Webhook	HTTP POST with JSON payload	URL (HTTPS required). Optional: Secret (for HMAC-SHA256 signature verification), Headers (extra HTTP headers).
Slack	Slack incoming webhook	Webhook URL. Optional: Channel (override default channel).
Teams	Microsoft Teams webhook connector	Webhook URL.

Creating a channel

Navigate to Notification Channels and click Create Channel.
Enter a name, select the channel type, select the organization, and fill in the type-specific configuration fields from the table above.
Channel names must be unique within an organization.
URL fields must use HTTP or HTTPS schemes.

Testing a channel

Open the channel detail page and click Test.
A test notification is sent synchronously and the result (success/failure) is displayed immediately.

Linking channels to alert rules

Both metric alert rules and event alert rules can reference notification channels. When an alert fires, the system delivers notifications to all linked channels in addition to the in-app notification. Alert rules also support:

Re-notification Interval (minutes)Re-send notifications if the alert remains active after this many minutes.

Escalation ThresholdWhen the occurrence count reaches this value, send a one-time escalation to the designated escalation channels.

Escalation ChannelsThe channels that receive escalation notifications when the threshold is reached.

Delivery format

Slack messages use color-coded attachments (red for critical, orange for high, yellow for medium, green for low, blue for info). Teams messages use MessageCard format with matching theme colors. Webhook payloads include subject, message, severity, and source fields.

Permissions Reference

Permission	Grants
audit_logs.view	List, search, view audit logs. View recent activity and statistics. Verify integrity.
audit_logs.export	Export audit logs as CSV.
session_recordings.view	List/get terminal sessions, terminal recordings, desktop recordings.
monitoring.view	List webhook subscriptions, deliveries, event types, and notification channels.
monitoring.manage	Create/update/delete webhooks and notification channels. Test endpoints. Retry failed deliveries.
(none required)	List, read, and mark in-app notifications. Only requires authentication.

Troubleshooting

Symptom	Cause	Fix
Audit log shows no entries	Time filter too narrow or wrong organization	Increase the time window. Remove the organization filter to see account-wide logs.
Missing resource names in audit	Resource was deleted after the log was created	Check the metadata field on the audit entry for fallback information.
Terminal recording has no events	Session ended immediately or recording failed	Check session duration. Very short sessions may have no recorded I/O.
Webhook test returns 404	Endpoint URL wrong or unreachable	Verify URL is accessible from the backend server.
Webhook stuck in "pending"	Scheduler not running or backed up	Check the system health page for webhook delivery loop status.
Webhook delivery keeps failing	Endpoint returns 4xx/5xx	Check the response status and response body in the delivery record for details.
Notifications not appearing in real-time	WebSocket disconnected	Check browser console for WebSocket connection errors. Verify JWT is valid.
Notifications missing for IDP users	User identity mismatch	Contact your platform administrator to verify the notification targets both legacy and IDP user identities.
Audit hash chain shows broken links	Concurrent log creation under load	Expected under high concurrency. Hash chain is best-effort integrity.
Old webhook deliveries consuming space	Cleanup scheduler not running	Verify the system health page shows the delivery cleanup job is running (30-day retention).
Duplicate webhook name error (409)	Name already exists in org	Choose a unique name within the organization.
Notification channel test fails	Config fields incorrect or endpoint unreachable	Verify config fields match the channel type requirements (see table above). For email: check SMTP host/port. For Slack/Teams: verify webhook URL is active.
Alert fires but no external notification sent	No channels linked to the alert rule	Edit the alert rule and add notification channels.
Channel create returns 422	URL uses non-HTTP scheme	Only HTTP and HTTPS URLs are accepted. Other URL schemes are blocked for security.