The 3CX Audit Log: One Searchable Trail of Every Change to Every Customer PBX

TL;DR

Every portal change to a customer PBX is recorded: Extensions, parameters, settings, updates, maintenance, trunks, queues, prompts, status pages, licenses, instance lifecycle — when an operator does it through Sikurd, a row is written with the event type, a description, the timestamp, and structured metadata.
Attributed to a person — or honestly marked “System”: Each change carries the acting user as “Name <email>.” Automated actions (an alert auto-resolving, a service auto-restarting) are attributed to a “System” actor, so automation is never mistaken for a human.
One searchable trail, restricted to admins: Owners and Admins get a tenant-wide feed across every instance; Super Admins get a master, cross-tenant view with filters. It’s append-only in practice (no edit/delete path) — but it’s a standard DB log, distinct from the cryptographically tamper-evident restore certificates.

Why a change log is non-negotiable for an MSP

A single Sikurd account can reach into dozens of customer phone systems and change them. That reach is the point of a fleet tool — but it raises a question every MSP eventually has to answer, usually under pressure: "A client's call routing broke at 2 p.m. Who touched it, and what did they change?"If the honest answer is "we're not sure," you don't have a management platform; you have a shared root password with a nicer UI.

Accountability is also a trust story you tell outward. When a customer asks "did someone on your team change our after-hours rule last week?" the difference between "let me check the log" and "let me ask around" is the difference between a vendor who is in control and one who is hoping. Sikurd treats the change history as a first-class record: every operator-initiated change to every customer PBX is captured, attributed, and searchable. This post walks exactly what that means in the product — no more, no less.

What lands in the log

The audit log is wired into the mutating operations across the portal. When a change goes through Sikurd, it writes an event. The catalog is broad and concrete — among the recorded event types:

Extensions & users — added, removed, modified; greetings uploaded.
Configuration — fleet parameter pushes and individual setting changes; trunks, queues, ring groups, digital receptionists, and departments edited or deleted; prompts uploaded, assigned, or deleted.
Updates — update channel changed, an update scheduled, installed, or failed.
Maintenance — maintenance started/ended, windows created/deleted, and purges.
Instance lifecycle — instance created, connected, re-authenticated, address and notification-email changes, status pages created/updated, credentials saved/cleared, license refreshed, and instance deleted.
Alerts & self-healing — alerts acknowledged, muted, resolved, and auto-resolved; whitelisted services auto-restarted.
Account security — password-reset requests and completions, and the second-factor events that pair with SSO & MFA (a failed MFA challenge, a single-use recovery code being spent).

The shape of a single record

Each entry stores the same backbone: the event type, a human-readable description, the timestamp, the tenant (the MSP), and — when the change targets a specific PBX — the instance. The instance's name is snapshotted onto the row at write time, a small but deliberate choice: if that PBX is later removed from your fleet, its history doesn't turn into a wall of orphaned IDs. The entry still reads "Acme HQ ," so the trail of "who decommissioned this site" survives the site going away.

Beyond the backbone, each row carries a structured metadata blob. For a parameter push, that blob records the parameter name, the value it was set to, and — crucially — the previous value, plus whether the entry was newly created or an actual change. That's a literal before-and-after, captured at the moment of the change, not reconstructed after the fact.

Always attributable: a person, or "System"

A log of changes with no names is just a rumor with timestamps. So Sikurd resolves the acting user into a readable label — Jane Doe <jane@msp.com>, falling back to email, then name, then the raw ID so the row always renders something, even for a since-deleted user — and stores it on the entry. The viewer shows "by Jane Doe" under each change.

Just as important is honesty about the changes no human made. Sikurd's monitoring does real work on its own: an alert can auto-resolve on the next polling cycle, and a whitelisted service can be auto-restarted by self-healing. Those events are written with a dedicated "System"actor sentinel, so they render as "by System" rather than being silently pinned on whoever happened to be logged in. When you're reading the log during an incident, you can tell at a glance what your team did versus what the platform did.

One trail, the right people, the right filters

The history is meant to be used, not just stored. Sikurd surfaces it in three places, gated by role:

Per-instance feed. On an instance's page, an Audit Log panel shows that PBX's history with quick filter pills (Extensions, Config, Updates, Maintenance, Alerts, Version) and paged loading. A general Member sees this for the instances they have access to.
Tenant-wide feed. A single feed across every instance in your account, including the orphaned entries from deleted instances. Because it exposes every user's actions across the whole fleet, it's restricted to Owner, Admin, and Super Admin.
Master view (Super Admin). A cross-tenant table, newest first, with tenant, event-type, timeframe (24 hours / 7 / 30 / 90 days / all time), and free-text search over the description, event, and instance name — with pagination.

Two scope notes, stated plainly so there's no over-promise. First, the audit log is an internal tool: it does not appear on the public Customer Status Page, which is built to show clients health, uptime, backups, and incidents — not your team's change history. Second, while most entries are tied to a specific instance, the log is scoped to the tenantfirst; tenant-level actions that aren't tied to one PBX (such as an MFA recovery code being used) are recorded against the tenant with no instance attached. You can pull one customer's history or the whole fleet's from the same place.

Append-only — and what that does and doesn't mean

The portal offers no way to edit or delete an audit entry. There is no "clear history" button, no bulk-delete, no admin override to rewrite a row. Entries are only ever appended. In day-to-day terms, that means the record an operator leaves behind is the record that stays.

We're careful not to oversell this. The audit log is a standard, append-only database log — its integrity rests on the fact that the application never exposes a mutation path, not on a cryptographic proof. That is a real and useful property, but it is a different thing from the verified-backup restore certificates, which are cryptographically hash-based and tamper-evident by design, with a public verification page. If you need a math-grade "this artifact has not been altered" guarantee, that's the restore certificate's job. The audit log's job is different and complementary: a complete, attributed, searchable account of who did what, and when.

How it fits the "prove you're in control" story

The audit log is one leg of a three-legged stool. SSO & MFA control who can ever hold a session and how they prove it's really them. Verified backups prove that what you'd restore actually restores. The audit log closes the loop in the middle: a continuous record of what changed once someone was inside. Together they let you answer the three questions a serious customer — or your own change-management process — will eventually ask: who got in, how did they authenticate, and what did they touch?

For dispute resolution, that trail is the calm answer to a tense question. For change management, it's the difference between policy and proof. And like everything else on Sikurd, it isn't an enterprise add-on or a locked tier — there are no tiers. The audit log is included for every account; you simply pay per instance beyond your first three, which are free forever. Being able to say "here's exactly what we changed, and when" shouldn't be the upsell. It should be the default.

Frequently asked questions

What exactly gets written to the audit log?

Every change an operator makes to a customer PBX through the portal leaves a row: extensions added, removed, or modified; parameters pushed; settings changed; update channels switched, updates scheduled, installed, or failed; maintenance windows and purges; trunk, queue, ring-group, digital-receptionist, department, and prompt changes; status-page and notification edits; license refreshes; and instance lifecycle events (created, connected, re-authenticated, deleted). Each row stores the event type, a human-readable description, the timestamp, the tenant, the instance (with its name snapshotted), and a structured metadata blob — which for a parameter change includes the new value and the previous value, so you get a literal before-and-after.

Is every change attributed to a person?

Yes, when a person made it. Sikurd resolves the acting user into a label like "Jane Doe <jane@msp.com>" and stores it on the row, so the viewer can render "by Jane Doe" without re-querying. Changes that originate from the platform itself — an alert auto-resolving on the next poll, or a whitelisted service auto-restarting — are attributed to a "System" actor instead, so an automated action is never silently mistaken for a human one.

Who can see the audit log?

The tenant-wide trail — every user's actions across every instance you manage — is restricted to Owner, Admin, and Super Admin roles. A general Member sees the per-instance audit log only on the instances they have access to. Super Admins also have a master view that spans tenants with tenant, event-type, timeframe, and free-text filters. The audit log is an internal accountability tool: it does not appear on the public Customer Status Page, which shows health, uptime, backups, and incidents but never the change history.

Can someone edit or delete entries to cover their tracks?

The portal has no edit or delete path for audit rows — entries are only ever appended, never rewritten, so the log is append-only in practice. There is no "clear history" button anywhere in the product. We want to be precise here: this is a standard, append-only database log, not a cryptographically hash-chained ledger. That cryptographic, tamper-evident guarantee is a separate Sikurd feature — the restore certificates we issue for verified backups. The audit log's strength is completeness and attribution, not a math proof of immutability.

Is there a retention policy?

The per-instance PBX change log is retained for the life of the tenant — there is no automatic purge of those rows, and history for a deleted instance is deliberately preserved (the row keeps the instance's name and shows it as deleted). The separate security/privileged-action log — which records sensitive operations like tenant create/delete, owner password resets, and billing changes, along with IP and user-agent — is rotated at roughly 24 months as a data-minimization measure, because those rows contain personal identifiers.

How is the audit log scoped — per customer or per instance?

Every row is tagged with the tenant (the MSP) and, when the action targets a specific PBX, with that instance. Tenant-level actions that aren't tied to one PBX — like an MFA recovery code being used — are recorded against the tenant with no instance. So you can pull the full history for one customer site, or the full history across your whole fleet, from the same log.

The 3CX Audit Log