# Audit Logging
CertifyClouds maintains a complete audit trail of all user actions and system events for compliance and security monitoring.
## Overview
The audit log captures:
- User actions: Login, logout, configuration changes
- Discovery events: Scan starts, completions, errors
- Rotation events: Credential rotations (success/failure)
- Sync events: Multi-cloud sync operations
- System events: License validation, scheduled tasks
## What's Logged
### User Actions
| Event | Description | Details Captured |
|---|---|---|
| `auth.login.success` | User logged in | Username, IP address, user agent |
| `auth.login.failed` | Failed login attempt | Username, IP, failure reason |
| `auth.logout` | User logged out | Username |
| `auth.account.locked` | Account locked after failures | Username, attempt count |
| `user.created` | New user added | Username, role, created by |
| `user.updated` | User modified | Changed fields, modified by |
| `user.deleted` | User removed | Username, deleted by |
### Discovery Events
| Event | Description | Details Captured |
|---|---|---|
| `discovery.scan.started` | Scan initiated | Mode, subscriptions, initiated by |
| `discovery.scan.completed` | Scan finished | Duration, vault count, asset count |
| `discovery.scan.failed` | Scan failed | Error message, affected vaults |
| `discovery.vault.error` | Vault access error | Vault name, error details |
### Rotation Events (PRO + ENTERPRISE)
| Event | Description | Details Captured |
|---|---|---|
| `rotation.started` | Rotation job initiated | App name, secret name, initiated by |
| `rotation.completed` | Rotation successful | New expiry date, updated vaults |
| `rotation.failed` | Rotation failed | Error message, rollback status |
### Sync Events (PRO + ENTERPRISE)
| Event | Description | Details Captured |
|---|---|---|
| `sync.started` | Sync job initiated | Source, target, secret count |
| `sync.completed` | Sync successful | Synced count, duration |
| `sync.failed` | Sync failed | Error message, failed secrets |
### Configuration Changes
| Event | Description | Details Captured |
|---|---|---|
| `settings.updated` | Settings modified | Setting name, old/new value, modified by |
| `subscription.added` | Subscription added | Subscription ID, added by |
| `subscription.removed` | Subscription removed | Subscription ID, removed by |
| `alert.rule.created` | Alert rule created | Rule details, created by |
| `alert.rule.updated` | Alert rule modified | Changed fields, modified by |
| `alert.rule.deleted` | Alert rule deleted | Rule ID, deleted by |
## Viewing Audit Logs
### From the UI
- Navigate to the Audit tab
- View the audit log table with:
  - Timestamp
  - Event type
  - Actor (user or system)
  - Description
  - Details
### Filtering
Filter audit logs by:
| Filter | Options |
|---|---|
| Date range | Start/end date |
| Event type | Login, scan, rotation, etc. |
| Actor | Specific user or "system" |
| Severity | Info, warning, error |
### Search
Search across audit entries by:
- Event type
- Actor name
- Description text
- Resource name (vault, secret, etc.)
### Audit entry contents
Each audit entry records:
- Timestamp (UTC) - when the event was recorded
- Action - what happened, in dotted form (e.g. `discovery.scan.completed`)
- Actor - who or what triggered the event (authenticated user, worker, system)
- Resource type + ID - the object the event applied to (vault, secret, rotation record, etc.)
- Details - action-specific context (duration, counts, error messages, before/after values)
- Severity - info / warning / error / critical, derived from the action
The exact JSON shape is shown in your deployment's `/docs` at the `/api/audit` route.
## Retention
### Default Retention
Audit logs are retained for 90 days by default.
### Configure Retention
- Go to Settings > Advanced
- Find Audit Log Retention
- Set retention period (30-365 days)
- Save
### Archival
For compliance requirements needing longer retention:
- Export regularly: Download logs before retention period
- External storage: Send to Azure Log Analytics, Splunk, etc.
- Backup database: Include audit tables in backups
## Export
### Export options
The audit log exports in two evidence-grade formats:
| Format | Use case |
|---|---|
| CSV (default) | Hash-chained CSV with HMAC-signed manifest line. Every row carries a SHA-256 chained from the previous row + a genesis constant; the trailing manifest signs the final hash with the deployment's SECRET_KEY. A tampered row breaks the chain on re-walk. |
| PDF evidence bundle (1.4.14) | Auditor-grade PDF: cover page (tenant, exported_at, actor, CC version, row count, CSV SHA-256), the original CSV embedded verbatim as a PDF attachment, and a Customer Management Assertion page the customer signs to attest accuracy. |
Both formats are admin-only.
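Added example (not CertifyClouds' own code) of how a hash-chained export is re-walked by a consumer: each row's hash is recomputed from the previous hash, and the trailing manifest's HMAC is checked with the deployment key. The row serialization, the genesis constant and the manifest column layout are assumptions made here; the real export's shape is documented in your deployment's `/docs`.

```python
import csv, hashlib, hmac, io

# Assumed layout (not CertifyClouds' actual format): each data row ends with a row_hash column
# = SHA-256(prev_hash || canonical row bytes); the chain starts from a genesis constant and
# the last line is a manifest holding the final hash and its HMAC under SECRET_KEY.
GENESIS = "genesis-constant-placeholder"            # placeholder, not the product's value
FIELDS = ["timestamp", "action", "actor", "resource", "row_hash"]

def _row_hash(prev_hash: str, values: list[str]) -> str:
    canon = "\x1f".join(values).encode()            # unit separator: no delimiter ambiguity
    return hashlib.sha256(prev_hash.encode() + canon).hexdigest()

def _sign(secret_key: str, final_hash: str) -> str:
    return hmac.new(secret_key.encode(), final_hash.encode(), hashlib.sha256).hexdigest()

def build_export(rows: list[dict], secret_key: str) -> str:
    """Write rows as a hash-chained CSV with a trailing HMAC-signed manifest line."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(FIELDS)
    prev = GENESIS
    for r in rows:
        values = [r[f] for f in FIELDS[:-1]]
        prev = _row_hash(prev, values)
        w.writerow(values + [prev])
    w.writerow(["#manifest", prev, _sign(secret_key, prev)])
    return buf.getvalue()

def verify_export(text: str, secret_key: str) -> tuple[bool, str]:
    """Re-walk the chain, naming the first line that breaks it, then check the manifest."""
    lines = list(csv.reader(io.StringIO(text)))
    if len(lines) < 2 or lines[0] != FIELDS or len(lines[-1]) != 3 or lines[-1][0] != "#manifest":
        return False, "unexpected layout"
    prev = GENESIS
    for n, row in enumerate(lines[1:-1], start=2):  # n = 1-based line number in the file
        prev = _row_hash(prev, row[:-1])
        if not hmac.compare_digest(prev, row[-1]):
            return False, f"chain broken at line {n}"
    final_hash, sig = lines[-1][1], lines[-1][2]
    if prev != final_hash:
        return False, "manifest final hash does not match last row"
    if not hmac.compare_digest(_sign(secret_key, final_hash), sig):
        return False, "manifest signature invalid (wrong SECRET_KEY or altered manifest)"
    return True, "ok"

# Constructed sample entries using the page's event names.
SAMPLE_ROWS = [
    {"timestamp": "2024-01-01T00:00:00Z", "action": "auth.login.success", "actor": "alice", "resource": "user:alice"},
    {"timestamp": "2024-01-01T00:05:00Z", "action": "discovery.scan.started", "actor": "alice", "resource": "scan:1"},
    {"timestamp": "2024-01-01T00:09:00Z", "action": "discovery.scan.completed", "actor": "system", "resource": "scan:1"},
]
```

Editing a row, deleting a row, or re-chaining rows without the key each produce a distinct failure from `verify_export`, which is the property an auditor relies on when accepting the CSV as evidence.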
### Export via UI
- Go to Audit tab
- Apply desired filters
- Click the export menu
- Choose Hash-chained CSV or Evidence bundle (PDF)
- Download
### Export via API
`GET /api/audit/export?format=csv` or `?format=pdf` - admin auth required. See your deployment's `/docs` for the full query-parameter shape (filter parameters: `action`, `actor`, `resource`, `start`, `end`).
## Forwarding to SIEM
The audit log itself is the source of truth and can be exported on demand for SIEM ingestion. If you want continuous forwarding rather than periodic export:
- Azure Log Analytics - configure container Diagnostic Settings on your CertifyClouds Container App / ACI; the running container's stdout / stderr (which mirrors audit events) flows into Log Analytics for Kusto querying.
- Splunk / Datadog / etc. - create a webhook endpoint at your collector and configure a generic-webhook alert rule scoped to the audit event types you care about.
- Custom integrations - pull entries via `GET /api/audit` on a schedule.
## As input to your compliance evidence
The audit log records what CertifyClouds itself did, when, and at whose request - not what happened across your wider Azure tenant. It's useful as one input to a customer's overall audit narrative around credential lifecycle management, but it doesn't substitute for Azure platform logs (Activity Log, Microsoft Entra sign-in logs, Diagnostic Settings) that record activity in your tenant outside the CertifyClouds tool.
See the Compliance Disclaimer for the full framing of what CertifyClouds evidences vs what remains a customer responsibility.
## API access
Audit endpoints are listed in API Endpoints; exact query parameters, response shapes, and rate limits are in your deployment's /docs.
## Best Practices
- Review regularly: Check audit logs weekly for anomalies
- Set up alerts: Configure alerts for security events
- Export for compliance: Archive logs before retention expires
- Monitor failed logins: Watch for brute force attempts
- Track configuration changes: Review who modified settings
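Added example (not part of the CertifyClouds product) of the "monitor failed logins" practice applied to pulled audit entries: it groups `auth.login.failed` events by source IP in a sliding window and reports the usernames involved, so a spray across many accounts from one address stands out from a single mistyped password. The entries are constructed here in the field layout the page describes; the exact JSON field names are an assumption, confirm them against your deployment's `/docs`.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed entries in the shape the page describes (timestamp, action, actor, details,
# severity); the exact JSON field names are an assumption, see your deployment's /docs.
ENTRIES = [
    {"timestamp": "2024-03-01T09:00:00Z", "action": "auth.login.failed", "actor": "alice",
     "details": {"ip": "203.0.113.7", "reason": "bad password"}, "severity": "warning"},
    {"timestamp": "2024-03-01T09:00:20Z", "action": "auth.login.failed", "actor": "bob",
     "details": {"ip": "203.0.113.7", "reason": "bad password"}, "severity": "warning"},
    {"timestamp": "2024-03-01T09:00:40Z", "action": "auth.login.failed", "actor": "carol",
     "details": {"ip": "203.0.113.7", "reason": "bad password"}, "severity": "warning"},
    {"timestamp": "2024-03-01T09:01:00Z", "action": "auth.login.success", "actor": "dave",
     "details": {"ip": "198.51.100.2"}, "severity": "info"},
    {"timestamp": "2024-03-01T09:30:00Z", "action": "auth.login.failed", "actor": "alice",
     "details": {"ip": "198.51.100.9", "reason": "bad password"}, "severity": "warning"},
]

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def failed_login_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold auth.login.failed events inside a sliding window.
    Returns {ip: {"count": n, "usernames": [...]}} so a spray (many usernames from one IP)
    is distinguishable from one account being hammered."""
    recent = defaultdict(deque)     # ip -> deque of (timestamp, username) inside the window
    hits = {}
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        if e["action"] != "auth.login.failed":
            continue
        ip, t = e["details"]["ip"], _ts(e["timestamp"])
        q = recent[ip]
        q.append((t, e["actor"]))
        while t - q[0][0] > window:       # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = {"count": len(q), "usernames": sorted({u for _, u in q})}
    return hits
```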