Audit Logging Guide
What is Recorded
| Trigger | What |
|---|---|
| Query | principal, route, query body hash, scope (tenant) |
| Trace download | principal, trace_id, scope, bytes |
| Remediation approval | principal, action, evidence hash, policy tier |
| Node drain | principal, host, reason |
| Config change | principal, file, old_hash, new_hash |
| Secret access | principal, secret path, scope |
| Export | principal, type, scope, byte count, target sink |
Storage
Append-only file with hash chain:
record_0 = { ...fields..., previous_hash: "0000..0", current_hash: H(serialized_0 || "0000..0") }
record_n = { ...fields..., previous_hash: H(serialized_(n-1) || previous_hash_(n-1)), current_hash: H(serialized_n || previous_hash_n) }
A tamper on any record breaks the chain at the next link.
Verifier
denpex-control-plane audit-verify --since 24h
Walks the chain and reports the first broken link or OK if intact.
Real-Time Streaming
Audit events are also streamed to:
- A managed SIEM (Splunk HEC, Elastic ECS) with a per-tenant index prefix.
- An optional Kafka topic that customers can consume.
Streaming is HMAC-signed so a tampered intermediate can be detected.
Per-Tenant Boundaries
A cross-tenant audit (PlatformAdmin only) is itself tagged cross_tenant=true and is also streamed into a separate "cross-tenant" audit channel so the customer's CISO/Security team sees it.
Retention
- Free tier: 30 days
- Team: 90 days
- Scale: 1 year
- Growth: 5 years
- Air-gap: indefinite
Compliance Hooks
- SOC2 CC7.2 — every privileged op audit-logged.
- ISO 27001 A.12.4.1 — event logging.
- HIPAA 164.312(b) — audit controls.