Skip to content

Add Audit log support#709

Open
Mikearaya wants to merge 10 commits into
masterfrom
audit-log
Open

Add Audit log support#709
Mikearaya wants to merge 10 commits into
masterfrom
audit-log

Conversation

@Mikearaya

@Mikearaya Mikearaya commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

OCSF-Compliant Audit Logging

Core Engine (packages/events/src/audit/)

  • File-based, append-only audit log using OCSF v1.4.0 schema with JSON Lines storage
  • SHA-256 hash chain for tamper detection — every entry links to the previous via cryptographic hash
  • Three event classes: Authentication (login/logout/failed), Account Changes (CRUD/password/roles), API Activity (orders/payments/products/etc.)
  • 97 platform events automatically mapped to OCSF entries via audit-integration.ts
  • AsyncLocalStorage-based request context (runWithAuditContext) threads user identity through async call stacks without explicit parameter passing
  • HTTP collector push for forwarding to SIEM systems (OpenTelemetry, Fluentd, Vector)
  • Configurable retention with file pruning, UNCHAINED_AUDIT_LOG_DIR env var support
  • Write lock recovery — a failed disk write logs the error and doesn't block subsequent entries

GraphQL API (packages/api/)

  • 4 new queries: auditLogs, auditLogsCount, auditChainStatus, failedLoginAttempts
  • Filters: classUids, userId, success, from/to date range, queryText search
  • Admin-only access via ACL roles
  • Both Express and Fastify adapters wrap GraphQL handlers with audit context

Admin UI (admin-ui/)

  • Security & Audit Log page at /settings/security
  • AuditLogTable with typed entries, clickable user links, failure highlighting
  • AuditLogFilters — date range, class, status, text search, user ID
  • AuditEntryDetail side panel — event info, actor, source endpoint, API details, hash chain, raw OCSF JSON, changed data
  • ChainStatusBanner — real-time hash chain integrity verification with error states
  • FailedLoginsWidget — 24h and 7-day failed login counts with error states
  • CSV and JSONL export via work queue
  • Full i18n — all labels localized in English and German (class names, severity levels, activity names, filter labels, status labels)
  • Infinite scroll pagination

Worker Plugin (packages/plugins/)

  • Audit log prune worker — daily scheduled job at 3 AM, removes files older than retention period

Tests

  • 20 integration tests (tests/audit-log.test.js) — queries, all filter types (to, from, classUids, success, userId, queryText), authorization (admin/anon/normal user), login event capture, export via work queue (CSV, JSONL, with filters)
  • 12 compliance tests (tests/audit-compliance.test.js) — full checkout flow audit trail, hash chain integrity, sequential sequence numbers, PCI DSS 10.2.1, SOC 2, GDPR Article 30

Observability

  • Startup log: "Audit integration configured: 97/97 events subscribed" with warnings for any missing events

@Mikearaya Mikearaya linked an issue Jun 8, 2026 that may be closed by this pull request
13 tasks
@Mikearaya Mikearaya requested a review from pozylon June 9, 2026 10:47
@Mikearaya

Copy link
Copy Markdown
Contributor Author

the audit log is designed for 3rd-party integration through two mechanisms:

  1. OCSF v1.4.0 compliance — The events use the Open Cybersecurity Schema Framework, which is natively supported by:

AWS Security Lake (direct ingestion)
Splunk (OCSF add-on)
Datadog (Cloud SIEM)
Google Chronicle / SecOps
CrowdStrike Falcon LogScale
Elastic Security
Any SIEM that accepts OCSF JSON

  1. HTTP collector push — The collectorUrl config option pushes batches of events to any HTTP endpoint. This works with:
    OpenTelemetry Collector (OTLP HTTP receiver)
    Fluentd / Fluent Bit (HTTP input)
    Vector (HTTP source)
    Logstash (HTTP input)
    Custom webhooks
    To enable push, configure it in startPlatform:
await startPlatform({
  auditLog: {
    collectorUrl: 'https://your-siem.example.com/v1/logs',
    collectorHeaders: { 'Authorization': 'Bearer ...' },
    batchSize: 10,
    flushIntervalMs: 5000,
  },
});

@pozylon

pozylon commented Jun 26, 2026

Copy link
Copy Markdown
Member

huh... i thought there is already an audit log feature on masteR? @Mikearaya

@Mikearaya

Mikearaya commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

@pozylon, yes, the engine already had a basic file-based audit log implementation, with HTTP push support to collectors and logging for only a few critical operations. This feature branch is mainly focused on making audit logs accessible through the Admin UI and expanding the number of operations captured.

In general, this branch:

  • Migrates audit log storage from the filesystem to MongoDB, since querying large log volumes from files becomes inefficient.

  • Adds a GraphQL API with queries for:

    • auditLogs
    • auditLogsCount
    • auditChainStatus
    • failedLoginAttempts
  • Introduces a complete Admin UI for audit management, including:

    • Audit log browsing
    • Filtering
    • Detailed log views
    • Audit chain status banner
    • Failed login attempts widget
    • Internationalization (i18n)
  • Adds a bulk export handler for audit

@Mikearaya Mikearaya force-pushed the audit-log branch 2 times, most recently from ccb9f41 to 0124a0c Compare July 8, 2026 19:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature Request: Expose audit log in admin UI

2 participants