diff --git a/src/apphealthmonitor.js b/src/apphealthmonitor.js
index 7eab185b9..d2b03d465 100644
--- a/src/apphealthmonitor.js
+++ b/src/apphealthmonitor.js
@@ -22,6 +22,8 @@ let gHealthInfo = { }; // { time, appDownEvent }
 const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
 let gLastOomMailTime = Date.now() - (5 * 60 * 1000); // pretend we sent email 5 minutes ago
 
+const AUDIT_SOURCE = { userId: null, username: 'healthmonitor' };
+
 function debugApp(app) {
     assert(typeof app === 'object');
 
@@ -44,7 +46,7 @@ function setHealth(app, health, callback) {
         if (!gHealthInfo[app.id].appDownEvent) return callback(null);
 
         // do not send mails for dev apps
-        if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_UP, { app: app }, {});
+        if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_UP, AUDIT_SOURCE, { app: app });
 
         gHealthInfo[app.id].appDownEvent = false;
     } else if (Math.abs(now - gHealthInfo[app.id].time) > UNHEALTHY_THRESHOLD) {
@@ -53,7 +55,7 @@ function setHealth(app, health, callback) {
         debugApp(app, 'marking as unhealthy since not seen for more than %s minutes', UNHEALTHY_THRESHOLD/(60 * 1000));
 
         // do not send mails for dev apps
-        if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_DOWN, { app: app }, {});
+        if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_DOWN, AUDIT_SOURCE, { app: app });
 
         gHealthInfo[app.id].appDownEvent = true;
     } else {
@@ -152,12 +154,8 @@ function processDockerEvents(intervalSecs, callback) {
 
                 // do not send mails for dev apps
                 if (notifyUser) {
-                    var auditSource = {
-                        containerId: containerId,
-                        app: app || null  // app can be null if it's an addon crash
-                    };
-
-                    eventlog.add(eventlog.ACTION_APP_OOM, auditSource, ev);
+                    // app can be null for addon containers
+                    eventlog.add(eventlog.ACTION_APP_OOM, AUDIT_SOURCE, { ev: ev, containerId: containerId, app: app || null });
 
                     gLastOomMailTime = now;
                 }
diff --git a/src/apps.js b/src/apps.js
index fee35d6e1..88cbf2555 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -380,6 +380,7 @@ function removeInternalFields(app) {
         'alternateDomains', 'ownerId', 'env', 'enableAutomaticUpdate', 'dataDir');
 }
 
+// non-admins can only see these
 function removeRestrictedFields(app) {
     return _.pick(app,
         'id', 'appStoreId', 'installationState', 'installationProgress', 'runState', 'health', 'ownerId',
diff --git a/src/logcollector.js b/src/logcollector.js
index 347737ba7..6bb2fbf3d 100644
--- a/src/logcollector.js
+++ b/src/logcollector.js
@@ -17,6 +17,8 @@ var CRASH_LOG_TIMESTAMP_OFFSET = 1000 * 60 * 60; // 60 min
 var CRASH_LOG_TIMESTAMP_FILE = '/tmp/crashlog.timestamp';
 var CRASH_LOG_STASH_FILE = '/tmp/crashlog';
 
+const AUDIT_SOURCE = { userId: null, username: 'healthmonitor' };
+
 function collectLogs(unitName, callback) {
     assert.strictEqual(typeof unitName, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -55,7 +57,7 @@ function sendFailureLogs(unitName) {
             return;
         }
 
-        eventlog.add(eventlog.ACTION_PROCESS_CRASH, { processName: unitName }, { crashLogFile: CRASH_LOG_STASH_FILE }, function (error) {
+        eventlog.add(eventlog.ACTION_PROCESS_CRASH, AUDIT_SOURCE, { processName: unitName, crashLogFile: CRASH_LOG_STASH_FILE }, function (error) {
             if (error) console.log(`Error sending crashlog. Logs stashed at ${CRASH_LOG_STASH_FILE}`);
 
             // write the new timestamp file and delete stash file
diff --git a/src/taskmanager.js b/src/taskmanager.js
index 237e33624..98121958d 100644
--- a/src/taskmanager.js
+++ b/src/taskmanager.js
@@ -34,6 +34,8 @@ var TASK_CONCURRENCY = 3;
 var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 var gPaused = true;
 
+const AUDIT_SOURCE = { userId: null, username: 'taskmanager' };
+
 // resume app tasks when platform is ready or after a crash
 function resumeTasks(callback) {
     callback = callback || NOOP_CALLBACK;
@@ -151,9 +153,9 @@ function startAppTask(appId, callback) {
         if (code === null /* signal */ || (code !== 0 && code !== 50)) { // apptask crashed
             debug('Apptask crashed with code %s and signal %s', code, signal);
             appdb.update(appId, { installationState: appdb.ISTATE_ERROR, installationProgress: 'Apptask crashed with code ' + code + ' and signal ' + signal }, NOOP_CALLBACK);
-            eventlog.add(eventlog.ACTION_APP_TASK_CRASH, { appId: appId }, { crashLogFile: logFilePath }, NOOP_CALLBACK);
+            eventlog.add(eventlog.ACTION_APP_TASK_CRASH, AUDIT_SOURCE, { appId: appId, crashLogFile: logFilePath }, NOOP_CALLBACK);
         } else if (code === 50) {
-            eventlog.add(eventlog.ACTION_APP_TASK_CRASH, { appId: appId }, { crashLogFile: logFilePath }, NOOP_CALLBACK);
+            eventlog.add(eventlog.ACTION_APP_TASK_CRASH, AUDIT_SOURCE, { appId: appId, crashLogFile: logFilePath }, NOOP_CALLBACK);
         }
         delete gActiveTasks[appId];
         locker.unlock(locker.OP_APPTASK); // unlock event will trigger next task