
Audit Logging

CertifyClouds maintains a complete audit trail of all user actions and system events for compliance and security monitoring.


Overview

The audit log captures:

  • User actions: Login, logout, configuration changes
  • Discovery events: Scan starts, completions, errors
  • Rotation events: Credential rotations (success/failure)
  • Sync events: Multi-cloud sync operations
  • System events: License validation, scheduled tasks

What's Logged

User Actions

| Event | Description | Details Captured |
|---|---|---|
| auth.login.success | User logged in | Username, IP address, user agent |
| auth.login.failed | Failed login attempt | Username, IP, failure reason |
| auth.logout | User logged out | Username |
| auth.account.locked | Account locked after failures | Username, attempt count |
| user.created | New user added | Username, role, created by |
| user.updated | User modified | Changed fields, modified by |
| user.deleted | User removed | Username, deleted by |

Discovery Events

| Event | Description | Details Captured |
|---|---|---|
| discovery.scan.started | Scan initiated | Mode, subscriptions, initiated by |
| discovery.scan.completed | Scan finished | Duration, vault count, asset count |
| discovery.scan.failed | Scan failed | Error message, affected vaults |
| discovery.vault.error | Vault access error | Vault name, error details |

Rotation Events (PRO)

| Event | Description | Details Captured |
|---|---|---|
| rotation.started | Rotation job initiated | App name, secret name, initiated by |
| rotation.completed | Rotation successful | New expiry date, updated vaults |
| rotation.failed | Rotation failed | Error message, rollback status |

Sync Events (PRO)

| Event | Description | Details Captured |
|---|---|---|
| sync.started | Sync job initiated | Source, target, secret count |
| sync.completed | Sync successful | Synced count, duration |
| sync.failed | Sync failed | Error message, failed secrets |

Configuration Changes

| Event | Description | Details Captured |
|---|---|---|
| settings.updated | Settings modified | Setting name, old/new value, modified by |
| subscription.added | Subscription added | Subscription ID, added by |
| subscription.removed | Subscription removed | Subscription ID, removed by |
| alert.rule.created | Alert rule created | Rule details, created by |
| alert.rule.updated | Alert rule modified | Changed fields, modified by |
| alert.rule.deleted | Alert rule deleted | Rule ID, deleted by |

Viewing Audit Logs

From the UI

  1. Navigate to the Audit tab
  2. View the audit log table, which shows:
     • Timestamp
     • Event type
     • Actor (user or system)
     • Description
     • Details

Filtering

Filter audit logs by:

| Filter | Options |
|---|---|
| Date range | Start/end date |
| Event type | Login, scan, rotation, etc. |
| Actor | Specific user or "system" |
| Severity | Info, warning, error |

Search across audit entries by:

  • Event type
  • Actor name
  • Description text
  • Resource name (vault, secret, etc.)

Audit Entry Structure

Each audit entry contains:

{
  "id": "audit-123",
  "timestamp": "2025-01-15T10:30:00Z",
  "event_type": "discovery.scan.completed",
  "actor": {
    "type": "user",
    "id": "user-456",
    "name": "admin@company.com"
  },
  "resource": {
    "type": "scan",
    "id": "scan-789"
  },
  "description": "Discovery scan completed successfully",
  "details": {
    "mode": "full",
    "duration_seconds": 45,
    "vaults_scanned": 12,
    "secrets_found": 234
  },
  "severity": "info",
  "ip_address": "192.0.2.50",
  "user_agent": "Mozilla/5.0..."
}

Retention

Default Retention

Audit logs are retained for 90 days by default.

Configure Retention

  1. Go to Settings > Advanced
  2. Find Audit Log Retention
  3. Set retention period (30-365 days)
  4. Save

Archival

For compliance requirements needing longer retention:

  1. Export regularly: Download logs before retention period
  2. External storage: Send to Azure Log Analytics, Splunk, etc.
  3. Backup database: Include audit tables in backups

Export

Export Options

Export audit logs in multiple formats:

| Format | Use Case |
|---|---|
| JSON | Integration with SIEM tools |
| CSV | Spreadsheet analysis |
| PDF | Compliance documentation |

Export via UI

  1. Go to Audit tab
  2. Apply desired filters
  3. Click Export
  4. Select format
  5. Download file

Export via API

GET /audit/export?format=json&start_date=2025-01-01&end_date=2025-01-31

Integration with SIEM

Azure Log Analytics

Forward audit logs to Log Analytics:

  1. Configure Log Analytics workspace
  2. Set up diagnostic settings
  3. Send CertifyClouds container logs
  4. Query with Kusto (KQL)

Splunk

Use the generic webhook to send audit events to Splunk:

  1. Create Splunk HTTP Event Collector
  2. Configure webhook in CertifyClouds alerts
  3. Send audit.* events to collector

Custom Integration

Use the audit API to pull logs into any system:

# Get recent audit entries
curl http://localhost:8080/audit/entries \
  -H "Authorization: Bearer $TOKEN" \
  -G \
  --data-urlencode "limit=100" \
  --data-urlencode "offset=0"

Compliance Support

Audit logs support compliance requirements:

SOC 2

  • CC6.1: User access tracking
  • CC7.2: Activity monitoring
  • CC7.5: Incident logging

ISO 27001

  • A.12.4.1: Event logging
  • A.12.4.2: Protection of log information
  • A.12.4.3: Administrator logs

NIST 800-53

  • AU-2: Auditable events
  • AU-3: Content of audit records
  • AU-6: Audit review
  • AU-12: Audit generation

API Reference

List Audit Entries

GET /audit/entries

Query parameters:

| Parameter | Description |
|---|---|
| start_date | Filter from date (ISO 8601) |
| end_date | Filter to date (ISO 8601) |
| event_type | Filter by event type |
| actor | Filter by actor |
| limit | Max entries to return |
| offset | Pagination offset |

Get Single Entry

GET /audit/entries/{entry_id}

Export Entries

GET /audit/export

Query parameters:

| Parameter | Description |
|---|---|
| format | json, csv, or pdf |
| start_date | Export from date |
| end_date | Export to date |

Best Practices

  1. Review regularly: Check audit logs weekly for anomalies
  2. Set up alerts: Configure alerts for security events
  3. Export for compliance: Archive logs before retention expires
  4. Monitor failed logins: Watch for brute force attempts
  5. Track configuration changes: Review who modified settings
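The following is an added example, not CertifyClouds' own code: it pulls entries from the audit API with the documented limit/offset paging (the Custom Integration section above) and applies the "monitor failed logins" practice by flagging sources that produce a burst of auth.login.failed entries. It assumes GET /audit/entries returns a JSON array of entries in the shape shown under Audit Entry Structure, and that the username is stored under details.username (the page names the field but not its key); the sample entries are constructed here so the detector runs offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json, urllib.parse, urllib.request

def fetch_page_http(base_url, token, params):  # live transport for GET /audit/entries
    req = urllib.request.Request(f"{base_url}/audit/entries?{urllib.parse.urlencode(params)}",
                                 headers={"Authorization": f"Bearer {token}"})
    return json.load(urllib.request.urlopen(req))  # assumes the body is a JSON array

def iterate_entries(fetch_page, limit=100, **filters):
    """Yield every entry, advancing offset until a page shorter than limit comes back."""
    offset = 0
    while True:
        page = fetch_page({"limit": limit, "offset": offset, **filters})
        yield from page
        if len(page) < limit:
            return
        offset += limit

def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """{(username, ip): max_count} for sources with >= threshold failed logins in any window."""
    by_source = defaultdict(list)
    for e in entries:
        if e.get("event_type") != "auth.login.failed": continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        by_source[(e.get("details", {}).get("username"), e.get("ip_address"))].append(ts)  # key assumed
    bursts = {}
    for key, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts

def _failed(ts, user, ip):  # constructed auth.login.failed entry in the documented shape
    return {"event_type": "auth.login.failed", "timestamp": ts, "ip_address": ip,
            "details": {"username": user, "failure_reason": "bad password"}}
# Constructed sample (not real output): six failures from one source within five
# minutes, two spread-out failures from another source, and one successful login.
SAMPLE = [_failed(f"2025-01-15T10:{m}:00Z", "admin@company.com", "198.51.100.7") for m in range(30, 36)]
SAMPLE += [_failed(f"2025-01-15T{h}:00:00Z", "bob@company.com", "203.0.113.9") for h in ("09", "11")]
SAMPLE.append({"event_type": "auth.login.success", "timestamp": "2025-01-15T10:40:00Z",
               "ip_address": "192.0.2.50", "details": {"username": "admin@company.com"}})

def sample_bursts():  # run the detector over SAMPLE through an offline page source
    offline = lambda p: SAMPLE[p["offset"]:p["offset"] + p["limit"]]  # limit=4 forces paging
    return failed_login_bursts(iterate_entries(offline, limit=4))
```

Against a live instance, replace the offline page source with `lambda p: fetch_page_http(base_url, token, p)` and pass `event_type="auth.login.failed"` to iterate_entries so the server does the filtering.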