Audit & monitoring

Admin guide

The dashboard surfaces two streams: the audit log (what happened) and runtime telemetry (how apps are doing). The concept page is Observability & audit; the evidence story for security reviewers is Audit & evidence. This page covers the IT-admin workflow.

The audit log

Open Admin → Audit for the org-wide view. The default filter is “last 24 hours, all categories.” Filters by category, actor, target, and time range are typed fields in the filter bar.

Useful day-to-day filters:

  • Overrides this week — every time someone overrode the policy check. Pair with the reason text to spot policies that are routinely bypassed.
  • Agent actions per user — who’s working with their agent the most and what they’re doing.
  • Integration grants and revokes — the source of truth for “who got access to what.”
  • Kill/restore events — every incident-style action.

Saved filters give you and the team a consistent view to check at standup or during reviews.

Runtime logs

Each app’s detail page has a Logs tab showing live stdout/stderr from the app’s pods. Logs are scoped per app, per environment. Search and time-range filtering are inline.

The dashboard isn’t intended to replace a full log aggregator. Customers who want long-term log analytics ship the cluster’s logs to their own aggregator using the cloud’s native log shipping (Azure Monitor, CloudWatch, etc.) — Greenlight doesn’t sit in that path.

Metrics

The dashboard surfaces these per-app metrics out of the box, with no app-side instrumentation required:

  • Request rate, p50/p95/p99 latency, error rate.
  • Container CPU and memory.
  • Integration call rate, per upstream.
  • AI inference call rate, per model alias.
  • Build and deploy frequency.

The org-level health view aggregates these into a single sparkline per metric.

Alerts

Alerts are configurable per metric, per app, with thresholds and per-channel delivery (email, Slack, PagerDuty). The dashboard’s Alerts page lists every active rule and recent firings; resolved alerts retain their history for review.

For deeper alerting that includes business-level signals from inside the app’s code, the cluster’s native alerting (Azure Monitor alerts, etc.) can be wired up against the metrics Greenlight exposes.

SIEM integration

The audit log can be exported to a SIEM via an HTTPS webhook with HMAC signing. The receiver gets one structured event per audit record; replay is supported via a cursor. Splunk, Datadog, Sumo Logic, and homegrown audit pipelines all consume it.

Configure the webhook from Admin → Audit → Exports. The webhook is org-scoped; one endpoint receives every event.
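
Receiver-side handling of the signed webhook described above, as an added example that is not Greenlight's own code. The page does not specify the signing algorithm, signature encoding, or event schema, so HMAC-SHA256 over the raw request body, a hex-encoded tag, and an integer `cursor` field are assumptions here, as are all names in the code.

```python
import hashlib
import hmac
import json

# Assumptions (not from the Greenlight docs): HMAC-SHA256 over the raw request
# body, hex-encoded, and a monotonically increasing integer "cursor" field.
SHARED_SECRET = b"constructed-example-secret"


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Compute the hex HMAC-SHA256 tag the sender is assumed to attach."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class AuditReceiver:
    """Verifies each delivery and forwards each audit record at most once."""

    def __init__(self, secret: bytes = SHARED_SECRET):
        self.secret = secret
        self.last_cursor = 0   # persist this in real use so replay can resume
        self.accepted = []     # stand-in for the SIEM forwarder

    def handle(self, raw_body: bytes, signature: str) -> int:
        """Return an HTTP-style status code for one webhook delivery."""
        expected = sign(raw_body, self.secret)
        # Verify the bytes as received, before parsing, in constant time.
        if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
            return 401
        try:
            event = json.loads(raw_body)
            cursor = int(event["cursor"])
        except (ValueError, KeyError, TypeError):
            return 400
        if cursor <= self.last_cursor:
            return 200  # replayed or duplicate delivery: acknowledge, do not re-ingest
        self.last_cursor = cursor
        self.accepted.append(event)
        return 200


# Constructed sample event; field names are illustrative only.
SAMPLE = json.dumps({"cursor": 1, "category": "override", "actor": "user@example.com"}).encode()
```

Rejecting unsigned or mismatched deliveries before parsing keeps forged records out of the SIEM, and tracking the last cursor lets a replay be re-sent without creating duplicate audit entries.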