Audit & SIEM

HMAC-chained audit log, RFC 5424 syslog forwarding, CEF formatting, retention policies, and a replay-and-verify CLI.

01 What gets audited

Every state-changing API call, every job phase transition, every login, every approval decision, every KEK rotation phase. Reads are not audited by default; enable read auditing per project for sensitive deployments (it has a measurable storage cost).

02 HMAC chain

Each audit entry includes:

{
  "id":           "65f1a...",
  "ts":           "2026-04-28T10:42:11.443Z",
  "actor":        "alex@example.com",
  "event":        "cert.issued",
  "subject":      "cert/65f0...",
  "project":      "production",
  "data":         { ... event-specific ... },
  "prev_hmac":    "9f1b...",
  "hmac":         "ce42..."
}

hmac = HMAC-SHA-256(audit_secret, prev_hmac || canonical_json(rest)), where rest is the remaining fields of the entry. Tampering with any entry, even just changing a timestamp, breaks the chain at that entry and at every entry after it, because each entry's prev_hmac must equal the previous entry's hmac. The chain is only as strong as audit_secret: anyone holding it can rewrite an entry and recompute every later HMAC, so keep the secret out of the audit database and out of the backups that contain it.

03 Verifying the chain

certautopilot audit verify --since 2026-01-01

The CLI walks the chain from genesis (or from the most recent pruning checkpoint), reports the first broken link if there is one, and exits non-zero in that case. Run it from cron daily and pipe the output to your SIEM. A broken chain means either a bug or a successful tamper attempt; investigate either way.
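The chain construction from section 02 and the walk that `audit verify` performs, written out as an added Python example (not the product's own code). It assumes a genesis prev_hmac of 64 zero hex digits and a canonical JSON of sorted keys with no whitespace, neither of which the page specifies, and uses a constructed secret and made-up events. It also shows the retention checkpoint from section 06: verification of a pruned chain starts from the stored prev_hmac instead of genesis.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed secret for the example; in production it comes from config/KMS, never from the audit DB.
AUDIT_SECRET = b"constructed-example-audit-secret"

# Assumption: the first entry's prev_hmac is 64 zero hex digits (the page does not state the genesis value).
GENESIS = "0" * 64


def canonical_json(obj: Dict) -> bytes:
    # Assumption: canonical JSON = sorted keys, no whitespace, UTF-8 (the page only says "canonical_json").
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def entry_hmac(secret: bytes, prev_hmac: str, entry: Dict) -> str:
    """hmac = HMAC-SHA-256(secret, prev_hmac || canonical_json(rest)); rest = entry minus the two chain fields."""
    rest = {k: v for k, v in entry.items() if k not in ("prev_hmac", "hmac")}
    return hmac.new(secret, prev_hmac.encode("ascii") + canonical_json(rest), hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], secret: bytes, event: Dict) -> Dict:
    """Link a new entry to the current tail of the chain and return it."""
    prev = chain[-1]["hmac"] if chain else GENESIS
    entry = dict(event, prev_hmac=prev)
    entry["hmac"] = entry_hmac(secret, prev, entry)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], secret: bytes, checkpoint: str = GENESIS) -> Optional[int]:
    """Walk the chain; return the index of the first broken link, or None if everything verifies.

    `checkpoint` is the prev_hmac expected on chain[0]: GENESIS for a full history,
    or the pruner's stored checkpoint when the oldest entries have been removed.
    """
    expected_prev = checkpoint
    for i, entry in enumerate(chain):
        if entry["prev_hmac"] != expected_prev:
            return i  # link to the previous entry is wrong (reordering, deletion, pruning w/o checkpoint)
        if not hmac.compare_digest(entry["hmac"], entry_hmac(secret, entry["prev_hmac"], entry)):
            return i  # the entry's own content was altered
        expected_prev = entry["hmac"]
    return None


def build_sample_chain() -> List[Dict]:
    """Three constructed events in the page's entry shape (ids and timestamps are made up)."""
    events = [
        {"id": "65f1a001", "ts": "2026-04-28T10:40:00.000Z", "actor": "alex@example.com",
         "event": "login", "subject": "user/alex", "project": "production", "data": {"src_ip": "10.0.5.21"}},
        {"id": "65f1a002", "ts": "2026-04-28T10:42:11.443Z", "actor": "alex@example.com",
         "event": "cert.issued", "subject": "cert/65f0", "project": "production",
         "data": {"cn": "api.example.com", "issuer": "Let's Encrypt"}},
        {"id": "65f1a003", "ts": "2026-04-28T11:00:00.000Z", "actor": "system",
         "event": "kek.rotation.started", "subject": "kek/2", "project": "production", "data": {}},
    ]
    chain: List[Dict] = []
    for ev in events:
        append_entry(chain, AUDIT_SECRET, ev)
    return chain


def demo() -> Dict[str, Optional[int]]:
    chain = build_sample_chain()
    results = {"clean": verify_chain(chain, AUDIT_SECRET)}

    # 1. Change only a timestamp: entry 1's stored hmac no longer matches its content.
    tampered = [dict(e) for e in chain]
    tampered[1]["ts"] = "2026-04-28T10:42:11.444Z"
    results["timestamp_changed"] = verify_chain(tampered, AUDIT_SECRET)

    # 2. Attacker also recomputes entry 1's hmac (only possible with the secret):
    #    entry 2's prev_hmac still names the old value, so the break moves to index 2.
    tampered[1]["hmac"] = entry_hmac(AUDIT_SECRET, tampered[1]["prev_hmac"], tampered[1])
    results["hmac_recomputed"] = verify_chain(tampered, AUDIT_SECRET)

    # 3. Retention pruning: drop the two oldest entries, keep the successor's prev_hmac as the checkpoint.
    checkpoint = chain[2]["prev_hmac"]
    pruned = chain[2:]
    results["pruned_with_checkpoint"] = verify_chain(pruned, AUDIT_SECRET, checkpoint)
    results["pruned_without_checkpoint"] = verify_chain(pruned, AUDIT_SECRET)
    return results


if __name__ == "__main__":
    for name, first_break in demo().items():
        print(f"{name}: {'OK' if first_break is None else f'broken at index {first_break}'}")
```

Two details worth copying: compare the stored HMAC with `hmac.compare_digest`, not `==`, and check the `prev_hmac` link before recomputing, so a deleted or reordered entry is reported at the first index where the chain no longer lines up.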

04 Syslog forwarding

Forward to a SIEM in real time over RFC 5424 syslog. Transports: UDP, TCP, TCP with TLS. Format: plain RFC 5424 or CEF (ArcSight-friendly). Prefer TCP with TLS: UDP offers neither delivery guarantees nor confidentiality, so a dropped datagram is a silently lost audit event.

Settings → Syslog
Destination: siem.example.com:6514
Transport:   TCP+TLS
Format:      CEF
TLS trust:   <paste root>

One forwarder per organisation, configured in-line on the form (host, port, transport, facility, app-name override, TLS CA). The forwarder is durable: events are persisted to disk before TCP send, so a SIEM outage doesn't lose events. On reconnect, the buffer drains.

05 CEF mapping

CEF:0|CloudNativeWorks|CertAutoPilot|1.4.0|cert.issued|Certificate issued|3|
  src=10.0.5.21 spt= duser=alex@example.com
  cs1=production cs1Label=Project
  cs2=api.example.com cs2Label=CN
  cs3=Let's Encrypt cs3Label=Issuer
  end=2026-07-27T10:42:11Z
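How an audit entry becomes the CEF line above and how that line is wrapped in an RFC 5424 message for the TCP/TLS forwarder of section 04, as an added Python example that is not the product's own code. The event-name/severity table, the CEF-to-syslog severity mapping, the hostname, app-name and facility (16 = local0) are all assumptions; the sample entry is constructed to match the page's CEF output. The escaping rules (backslash and pipe in the header; backslash, equals sign and line breaks in extension values) are the standard CEF ones.

```python
from typing import Dict, Tuple

# Assumption: a product table maps each audit event to a CEF name and severity (0..10);
# the page only shows cert.issued = "Certificate issued" / 3.
CEF_EVENTS = {
    "cert.issued": ("Certificate issued", 3),
    "cert.revoked": ("Certificate revoked", 6),
    "login.failed": ("Login failed", 5),
}
VENDOR, PRODUCT, VERSION = "CloudNativeWorks", "CertAutoPilot", "1.4.0"


def cef_escape_header(value: str) -> str:
    """CEF header fields: escape backslash first, then the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """CEF extension values: escape backslash, equals sign and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(entry: Dict) -> Tuple[str, int]:
    """Render an audit entry as a CEF:0 message using the page's field mapping; returns (message, cef_severity)."""
    name, severity = CEF_EVENTS.get(entry["event"], (entry["event"], 3))
    header = "|".join(cef_escape_header(v)
                      for v in (VENDOR, PRODUCT, VERSION, entry["event"], name, str(severity)))
    data = entry.get("data", {})
    fields = [
        ("src", data.get("src_ip")),
        ("duser", entry.get("actor")),
        ("cs1", entry.get("project")), ("cs1Label", "Project"),
        ("cs2", data.get("cn")), ("cs2Label", "CN"),
        ("cs3", data.get("issuer")), ("cs3Label", "Issuer"),
        ("end", data.get("not_after")),
    ]
    # Keys with no value are omitted rather than emitted as "key=" (keeps parsers from mis-tokenising).
    extension = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in fields if v is not None)
    return f"CEF:0|{header}|{extension}", severity


def syslog_severity(cef_severity: int) -> int:
    """Assumed mapping from CEF 0..10 onto syslog severity codes (RFC 5424 section 6.2.1)."""
    if cef_severity >= 9:
        return 2  # critical
    if cef_severity >= 7:
        return 3  # error
    if cef_severity >= 4:
        return 4  # warning
    return 6      # informational


def to_syslog(entry: Dict, hostname: str = "certautopilot-01",
              app_name: str = "certautopilot", facility: int = 16) -> str:
    """RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG. PRI = facility*8 + severity."""
    msg, cef_sev = to_cef(entry)
    pri = facility * 8 + syslog_severity(cef_sev)
    msgid = entry["event"][:32]  # MSGID: at most 32 printable US-ASCII characters
    return f"<{pri}>1 {entry['ts']} {hostname} {app_name} - {msgid} - {msg}"


def frame_octet_counted(line: str) -> bytes:
    """RFC 6587 octet-counting framing for syslog over TCP/TLS: 'MSG-LEN SP MSG'."""
    raw = line.encode("utf-8")
    return f"{len(raw)} ".encode("ascii") + raw


def sample_entry() -> Dict:
    # Constructed entry in the page's shape; values chosen to reproduce the page's CEF sample.
    return {
        "id": "65f1a002", "ts": "2026-04-28T10:42:11.443Z", "actor": "alex@example.com",
        "event": "cert.issued", "subject": "cert/65f0", "project": "production",
        "data": {"src_ip": "10.0.5.21", "cn": "api.example.com", "issuer": "Let's Encrypt",
                 "not_after": "2026-07-27T10:42:11Z"},
    }


if __name__ == "__main__":
    line = to_syslog(sample_entry())
    print(line)
    print(frame_octet_counted(line)[:20])
```

Octet-counting framing matters on the TCP and TLS transports: a CEF message may legitimately contain escaped newlines, and newline-delimited framing would split it. Check which framing your SIEM's receiver expects before enabling the forwarder.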

06 Retention

Default: keep audit entries for 7 years. Configurable per organization (regulatory requirements vary). The pruner runs nightly and only deletes from the head of the chain (the oldest entries), so verification still works for whatever window remains.

Pruning preserves verifiability

When the pruner removes the oldest N entries, it stores a signed checkpoint of prev_hmac at the new head. Future verifications start from that checkpoint instead of the original genesis.

07 Storage

Audit entries live in their own MongoDB collection with a TTL index keyed off ts and the configured retention. Sized for ~1 KB per entry; expect ~30 GB/year for an active mid-size deployment.

08 Export

Bulk export for legal-hold or DR:

certautopilot audit export --from 2024-01-01 --to 2024-12-31 \
  --out audit-2024.jsonl.gz

Output is JSON-Lines (one event per line), gzipped. Includes the chain checksum so the export can be re-verified offline. Recomputing the HMACs offline still requires the audit secret; without it a reader can only confirm that each prev_hmac matches the previous entry's hmac, which catches truncation and reordering but not a forgery by someone who holds both the file and the secret.