Retool's audit log is at Settings → Audit Log (Business+ plans). Each entry has actor (who), action (what), resource (which app/query), and timestamp. Filter by user, action type, date range, or app. Download as CSV for compliance. UI shows 3 months of history; downloaded exports include up to 1 year. The audit log is read-only — you cannot modify or delete entries.
| Fact | Value |
|---|---|
| Tool | Retool |
| Difficulty | Beginner |
| Time required | 15-20 min |
| Compatibility | Retool Cloud (Business and Enterprise) |
| Last updated | March 2026 |
What the Retool Audit Log Records and How to Read It
Retool's audit log is the compliance and security record of all significant actions taken in your Retool organization. Every user login, app view, query execution, permission change, and configuration modification generates an audit log entry.
The audit log is essential for: security investigations (who accessed what, when), compliance reporting (SOC 2 evidence, GDPR data access records), troubleshooting unexpected changes (who modified an app or query), and access control audits (which users have which permissions).
This tutorial covers navigating the audit log UI, understanding the log fields, filtering for specific events, and exporting logs for external use.
Prerequisites
- Admin access to your Retool organization
- Retool Business or Enterprise plan (audit log requires Business+)
- A specific event or time range you want to investigate
Step-by-step guide
Navigate to the Retool audit log
Log in to Retool as an admin. Navigate to Settings (gear icon, bottom-left) → Audit Log. The audit log page shows a chronological list of events in your organization with the most recent events at the top. If you see a 'Feature not available on your plan' message, your organization is on the Free or Pro plan. The Retool Cloud URL for audit logs is typically: https://[your-org].retool.com/settings/audit.
Expected result: Audit log page loads showing recent events with actor, action, timestamp, and resource columns.
Understand the audit log entry fields
Each audit log entry contains four key fields: (1) Actor — the user who performed the action (email address). 'System' indicates an automated Retool action. (2) Action — what happened (e.g., 'app_view', 'query_execution', 'permission_granted', 'login_success', 'login_failure', 'resource_created'). (3) Resource — the app, query, resource, or user affected. (4) Timestamp — when the event occurred (UTC). Some entries have additional metadata in a Details column showing parameters or context.
Expected result: You can read and interpret individual audit log entries.
Filter audit log entries by user
Use the Filters panel on the left (or the filter bar at the top) to narrow down events. To find all actions by a specific user, enter their email in the 'Actor' filter. This is useful for: investigating suspicious activity by a specific user, reviewing what a departing employee accessed before offboarding, or confirming a user completed a required training task (if tracked via app views).
Expected result: Audit log filtered to show only events for the specified user.
Filter by action type to investigate specific events
Filter by the 'Action' field to find specific event types. Common action types to filter for: 'login_failure' (failed login attempts — investigate spikes), 'permission_granted' (who got new permissions), 'resource_created' or 'resource_deleted' (database resource changes), 'app_shared' (app sharing events), 'user_invited' or 'user_removed' (team membership changes). Combine multiple action type filters to narrow down investigation.
1// Common action types in Retool audit log:2// Authentication: login_success, login_failure, logout, sso_login3// Apps: app_view, app_created, app_deleted, app_edited, app_shared4// Queries: query_execution, query_created, query_deleted5// Resources: resource_created, resource_updated, resource_deleted6// Permissions: permission_granted, permission_revoked, group_created7// Users: user_invited, user_activated, user_deactivated, user_removed8// Settings: config_changed, api_key_created, api_key_revokedExpected result: Filtered view showing only the specific action types relevant to the investigation.
Set a date range for the investigation
Use the date range picker at the top of the audit log to set a specific time window. For incident investigations, set the range to the suspected incident timeframe (e.g., the 24 hours before a data issue was discovered). For compliance reports, set a monthly or quarterly range. The UI shows up to 3 months of data. For events older than 3 months, use the CSV export which includes up to 1 year of history.
Expected result: Audit log filtered to the specified date range showing only events within that window.
Export audit logs for compliance and external analysis
Click the 'Export' or 'Download CSV' button to download audit log data as a CSV file. The export includes all visible events after your current filters are applied, or the full date range if no filters are active. The CSV contains all log fields: timestamp, actor, action, resource_type, resource_name, ip_address, and details. For SOC 2 Type II compliance, export quarterly and store in your compliance evidence repository.
Expected result: CSV file downloaded containing audit log entries for the selected date range and filters.
Complete working example
1-- This SQL is for analyzing exported audit log CSV data2-- after importing it into your own database or data warehouse3-- (e.g., BigQuery, Redshift, PostgreSQL)45-- Most active users in the last 30 days6SELECT7 actor_email,8 COUNT(*) AS total_events,9 COUNT(DISTINCT DATE(timestamp)) AS active_days,10 COUNT(CASE WHEN action = 'query_execution' THEN 1 END) AS query_executions,11 COUNT(CASE WHEN action = 'login_failure' THEN 1 END) AS failed_logins12FROM retool_audit_log13WHERE timestamp >= NOW() - INTERVAL '30 days'14GROUP BY actor_email15ORDER BY total_events DESC16LIMIT 20;1718-- Failed login attempts (potential brute force)19SELECT20 actor_email,21 COUNT(*) AS failed_attempts,22 MIN(timestamp) AS first_attempt,23 MAX(timestamp) AS last_attempt24FROM retool_audit_log25WHERE action = 'login_failure'26 AND timestamp >= NOW() - INTERVAL '24 hours'27GROUP BY actor_email28HAVING COUNT(*) >= 529ORDER BY failed_attempts DESC;Common mistakes
Why it's a problem: Looking for query-level data (what records were read) in the audit log and finding only metadata
How to avoid: Retool's audit log records query execution events (who ran which query, when) but not the data returned. For data-level audit trails, implement application-level logging in your own database using INSERT into an audit_trail table on every sensitive query.
Why it's a problem: Expecting audit log data older than 3 months to appear in the UI
How to avoid: The Retool audit log UI shows only the last 3 months. For historical data, export to CSV (up to 1 year) or configure Enterprise audit log streaming to an external service for unlimited retention.
Why it's a problem: Not filtering by date range and getting overwhelmed by thousands of log entries
How to avoid: Always start with a date range filter before applying other filters. Narrow to the smallest timeframe that contains the events you're investigating.
Best practices
- Review failed login spikes weekly — multiple login_failure events for one user in a short window may indicate a compromised account
- Audit permission_granted events monthly to ensure principle of least privilege is maintained
- Export and archive audit logs quarterly for compliance — don't rely solely on the 3-month UI retention
- For Enterprise plans, configure audit log streaming to your SIEM (Datadog, Splunk) for automated alerting on suspicious patterns
- When investigating a security incident, start with login events for the suspected timeframe, then trace the actor's subsequent actions
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm a Retool admin investigating a potential security incident. I need to: (1) find all login failures in the last 48 hours using the audit log filters, (2) trace all actions taken by a specific user (alice@company.com) after their login, (3) identify if any apps were shared externally or permissions changed, (4) export the relevant logs as CSV for our security team. Walk me through the audit log navigation steps and the filter combinations to use.
Navigate Retool Settings → Audit Log. Apply filters: Actor = alice@company.com, Date range = last 48 hours. Then change filter to: Action = login_failure, all actors. Then filter for: Action = permission_granted OR app_shared, date range last 7 days. Export results as CSV. Explain what each action type means and which findings would be concerning from a security perspective.
Frequently asked questions
Can I set up automated alerts based on audit log events in Retool?
The Retool audit log UI does not have built-in alerting. For automated alerts (e.g., email on login_failure spikes), use Enterprise audit log streaming to Datadog or Splunk and configure alerts in those platforms. Alternatively, build a Retool Workflow that queries your audit log data on a schedule and sends notifications via email or Slack.
What is the difference between Retool audit logs and application-level logging?
Retool audit logs record Retool platform events: who logged in, which apps were viewed, which queries were run. Application-level logging records what your app's queries did to your data: which records were read, inserted, or updated. For a complete picture, you need both: Retool audit logs for the 'who accessed Retool' and application-level logging for 'what data was accessed or changed.'
Can non-admin users access the Retool audit log?
No — the audit log is accessible only to Retool organization admins. Individual users can see their own activity in the Retool account settings page, but org-wide audit logs are admin-only. If you need to share audit data with security or compliance teams, export to CSV and share the file.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation