Skip to main content

Audit & SIEM

HMAC-chained audit log, RFC 5424 syslog forwarding, 30-day retention with SIEM export, and a replay-and-verify CLI.

What gets audited

Every state-changing API call, every job phase transition, every login, every approval decision, every KEK rotation phase. Reads are not audited by default — turn on read auditing per project for sensitive deployments (it has measurable storage cost).

HMAC chain

Each audit entry includes:

{
"id": "65f1a...",
"ts": "2026-04-28T10:42:11.443Z",
"actor": "alex@example.com",
"event": "cert.issued",
"subject": "cert/65f0...",
"project": "production",
"data": { ... event-specific ... },
"prev_hmac": "9f1b...",
"hmac": "ce42..."
}

hmac = HMAC-SHA-256(audit_secret, prev_hmac || canonical_json(rest)). Tampering with any entry — even just changing a timestamp — breaks the chain at that entry, and every entry afterwards.

Verifying the chain

certautopilot audit verify --since 2026-01-01

The CLI walks the chain, reports the first broken link if any, and exits non-zero. Run it from cron daily; pipe to your SIEM. A broken chain = either a bug or a successful tamper attempt — investigate either way.

Syslog forwarding

Forward to a SIEM in real-time over RFC 5424 syslog. Transports: UDP, TCP, TCP-with-TLS (TLS ≥ 1.2, custom CA and optional mTLS supported).

Settings → Syslog
Destination: siem.example.com:6514
Transport: TCP+TLS
TLS trust: <paste root>

One forwarder per organisation. Delivery is durable: events are queued in MongoDB before send, so a SIEM outage doesn't lose events — the queue drains with backoff once the SIEM is reachable again.

Full field mapping, settings reference, and troubleshooting: Syslog forwarding.

Retention

Audit entries are kept for 30 days — a MongoDB TTL index on the audit collection deletes older entries automatically. For longer regulatory windows, forward to a SIEM (syslog) and/or run periodic exports; the SIEM becomes the long-term store.

Storage

Audit entries live in their own MongoDB collection with a 30-day TTL index. Sized for ~1 KB per entry.

Export

Bulk export for legal-hold or DR:

certautopilot audit export --from 2024-01-01 --to 2024-12-31 \
--out audit-2024.jsonl.gz

Output is JSON-Lines (one event per line), gzipped. Includes the chain checksum so the export can be re-verified offline.

See also