← Back to reference

Audit Logging Guide

What is Recorded

TriggerWhat
Queryprincipal, route, query body hash, scope (tenant)
Trace downloadprincipal, trace_id, scope, bytes
Remediation approvalprincipal, action, evidence hash, policy tier
Node drainprincipal, host, reason
Config changeprincipal, file, old_hash, new_hash
Secret accessprincipal, secret path, scope
Exportprincipal, type, scope, byte count, target sink

Storage

Append-only file with hash chain:

record_0 = { ...fields..., previous_hash: "0000..0", current_hash: H(serialized_0 || "0000..0") }
record_n = { ...fields..., previous_hash: H(serialized_(n-1) || previous_hash_(n-1)), current_hash: H(serialized_n || previous_hash_n) }

A tamper on any record breaks the chain at the next link.

Verifier

denpex-control-plane audit-verify --since 24h

Walks the chain and reports the first broken link or OK if intact.

Real-Time Streaming

Audit events are also streamed to:

  • A managed SIEM (Splunk HEC, Elastic ECS) with a per-tenant index prefix.
  • An optional Kafka topic that customers can consume.

Streaming is HMAC-signed so a tampered intermediate can be detected.

Per-Tenant Boundaries

A cross-tenant audit (PlatformAdmin only) is itself tagged cross_tenant=true and is also streamed into a separate "cross-tenant" audit channel so the customer's CISO/Security team sees it.

Retention

  • Free tier: 30 days
  • Team: 90 days
  • Scale: 1 year
  • Growth: 5 years
  • Air-gap: indefinite

Compliance Hooks

  • SOC2 CC7.2 — every privileged op audit-logged.
  • ISO 27001 A.12.4.1 — event logging.
  • HIPAA 164.312(b) — audit controls.