Audit & SIEM
HMAC-chained audit log, RFC 5424 syslog forwarding, 30-day retention with SIEM export, and a replay-and-verify CLI.
What gets audited
Every state-changing API call, every job phase transition, every login, every approval decision, every KEK rotation phase. Reads are not audited by default — turn on read auditing per project for sensitive deployments (it has measurable storage cost).
HMAC chain
Each audit entry includes:
{
"id": "65f1a...",
"ts": "2026-04-28T10:42:11.443Z",
"actor": "alex@example.com",
"event": "cert.issued",
"subject": "cert/65f0...",
"project": "production",
"data": { ... event-specific ... },
"prev_hmac": "9f1b...",
"hmac": "ce42..."
}
hmac = HMAC-SHA-256(audit_secret, prev_hmac || canonical_json(rest)). Tampering with any entry — even just changing a timestamp — breaks the chain at that entry, and every entry afterwards.
Verifying the chain
certautopilot audit verify --since 2026-01-01
The CLI walks the chain, reports the first broken link if any, and exits non-zero. Run it from cron daily; pipe to your SIEM. A broken chain = either a bug or a successful tamper attempt — investigate either way.
Syslog forwarding
Forward to a SIEM in real-time over RFC 5424 syslog. Transports: UDP, TCP, TCP-with-TLS (TLS ≥ 1.2, custom CA and optional mTLS supported).
Settings → Syslog
Destination: siem.example.com:6514
Transport: TCP+TLS
TLS trust: <paste root>
One forwarder per organisation. Delivery is durable: events are queued in MongoDB before send, so a SIEM outage doesn't lose events — the queue drains with backoff once the SIEM is reachable again.
Full field mapping, settings reference, and troubleshooting: Syslog forwarding.
Retention
Audit entries are kept for 30 days — a MongoDB TTL index on the audit collection deletes older entries automatically. For longer regulatory windows, forward to a SIEM (syslog) and/or run periodic exports; the SIEM becomes the long-term store.
Storage
Audit entries live in their own MongoDB collection with a 30-day TTL index. Sized for ~1 KB per entry.
Export
Bulk export for legal-hold or DR:
certautopilot audit export --from 2024-01-01 --to 2024-12-31 \
--out audit-2024.jsonl.gz
Output is JSON-Lines (one event per line), gzipped. Includes the chain checksum so the export can be re-verified offline.