Audit Log
CHAD maintains a complete audit trail of all user actions. This supports compliance requirements and helps investigate incidents.
What's Logged
Every significant action is recorded:
User Actions
| Action | Description |
|---|---|
| user.login | User logged in |
| user.logout | User logged out |
| user.create | User account created |
| user.update | User account modified |
| user.delete | User account deleted |
| user.password_change | Password changed |
| user.2fa_enabled | 2FA activated |
| user.2fa_disabled | 2FA deactivated |
Rule Actions
| Action | Description |
|---|---|
| rule.create | Rule created |
| rule.update | Rule modified |
| rule.delete | Rule deleted |
| rule.deploy | Rule deployed |
| rule.undeploy | Rule undeployed |
| rule.snooze | Rule snoozed |
| rule.unsnooze | Rule unsnoozed |
Alert Actions
| Action | Description |
|---|---|
| alert.acknowledge | Alert acknowledged |
| alert.resolve | Alert resolved |
| alert.false_positive | Marked false positive |
| alert.comment | Comment added |
Configuration Actions
| Action | Description |
|---|---|
| settings.update | Settings modified |
| index_pattern.create | Index pattern created |
| index_pattern.update | Index pattern modified |
| index_pattern.delete | Index pattern deleted |
| exception.create | Exception rule created |
| exception.delete | Exception rule deleted |
Viewing Audit Logs
Navigate to Audit Log in the sidebar.
Filters
Filter by:
| Filter | Options |
|---|---|
| Time range | Last hour, day, week, custom |
| User | Specific user |
| Action | Action type |
| Resource | Resource type |
Search
Full-text search across:
- Action descriptions
- Resource names
- User details
- Changed values
Export
Export for compliance:
- Apply filters
- Click Export
- Choose format (CSV, JSON)
- Download
Audit Entry Details
Each entry includes:
| Field | Description |
|---|---|
| Timestamp | When the action occurred |
| User | Who performed the action |
| Action | What was done |
| Resource | What was affected |
| Resource ID | Unique identifier |
| IP Address | User’s IP address |
| Details | Before/after values |
Example Entry
Storage
PostgreSQL
Primary storage for audit logs:
- Queryable via UI
- Retained based on configuration
- Used for compliance exports
OpenSearch (Optional)
Secondary storage for search:
- Full-text search capabilities
- Longer retention possible
- Index: chad-audit
Retention
Configure retention in Settings > Audit:
| Setting | Default | Description |
|---|---|---|
| PostgreSQL retention | 90 days | Days to keep in database |
| OpenSearch retention | 365 days | Days to keep in search index |
Compliance Use Cases
SOC 2
Demonstrate:
- Access control enforcement
- Change management
- Monitoring capabilities
PCI DSS
Show:
- User activity tracking
- Configuration change logs
- Access to sensitive data
HIPAA
Document:
- Who accessed what, when
- Configuration changes
- Security event responses
Investigation Use Cases
Unauthorized Changes
- Filter by resource type
- Find unexpected changes
- Identify responsible user
- Review IP addresses
Incident Response
- Filter by time range
- See all actions during incident
- Correlate with security alerts
- Document timeline
Access Review
- Filter by user
- Review all their actions
- Verify appropriate access
- Document review
Best Practices
Set appropriate retention
Balance storage costs with compliance requirements.
Review regularly
Periodic audit log review catches unauthorized activity.
Export for compliance
Maintain offline copies for audit periods.
Protect the logs
Audit logs should be tamper-evident and access-controlled.
Monitor for anomalies
Unusual admin activity may indicate compromise.
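The investigation use cases above (unauthorized changes, incident timeline, access review) and the anomaly-monitoring practice can be applied offline to a JSON export. The following is an added example, not part of CHAD, that triages a constructed export: it orders entries into a timeline, flags high-risk actions from the page's action tables and actions outside an assumed working window, and lists users seen from more than one IP address. The export field names (timestamp, user, action, resource_id, ip_address, details) mirror the Audit Entry Details table but are an assumption about the export schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of a CHAD JSON audit export. Field names follow the
# "Audit Entry Details" table; the exact export keys are an assumption.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:12:00Z", "user": "alice", "action": "user.login",
     "resource": "user", "resource_id": "alice", "ip_address": "10.0.0.5", "details": {}},
    {"timestamp": "2024-05-01T10:00:00Z", "user": "bob", "action": "rule.update",
     "resource": "rule", "resource_id": "rule-7", "ip_address": "10.0.0.9",
     "details": {"before": {"severity": "low"}, "after": {"severity": "medium"}}},
    {"timestamp": "2024-05-01T23:40:00Z", "user": "alice", "action": "user.2fa_disabled",
     "resource": "user", "resource_id": "alice", "ip_address": "198.51.100.7",
     "details": {"before": {"2fa": True}, "after": {"2fa": False}}},
    {"timestamp": "2024-05-01T23:41:00Z", "user": "alice", "action": "rule.undeploy",
     "resource": "rule", "resource_id": "rule-42", "ip_address": "198.51.100.7",
     "details": {"before": {"deployed": True}, "after": {"deployed": False}}},
])

# Actions from the page's tables that weaken account protection or detection
# coverage; these are the first to check in an access review.
HIGH_RISK = {"user.2fa_disabled", "user.delete", "rule.delete", "rule.undeploy",
             "rule.snooze", "exception.create", "settings.update"}
BUSINESS_HOURS = range(8, 18)  # assumed UTC working window


def review_export(export_json):
    """Return (findings, multi_ip_users): time-ordered flagged entries with
    their reasons, and users seen from more than one IP address."""
    entries = sorted(json.loads(export_json), key=lambda e: e["timestamp"])
    ips_by_user = defaultdict(set)
    findings = []
    for e in entries:
        ips_by_user[e["user"]].add(e["ip_address"])
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        reasons = []
        if e["action"] in HIGH_RISK:
            reasons.append("high-risk action")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"timestamp": e["timestamp"], "user": e["user"],
                             "action": e["action"], "resource_id": e["resource_id"],
                             "ip_address": e["ip_address"], "reasons": reasons})
    multi_ip = {u: sorted(s) for u, s in ips_by_user.items() if len(s) > 1}
    return findings, multi_ip
```

On the sample, the two late-night entries from alice (2FA disabled, then a rule undeployed from a second IP) are the ones returned, which is the pattern the access-review and incident-response steps above are meant to surface.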
Troubleshooting
Logs not appearing
- Check action is auditable
- Verify user session is valid
- Check database connectivity
- Review error logs
Search not working
- Verify OpenSearch audit is enabled
- Check index exists
- Review field mappings
Export fails
- Reduce time range
- Check disk space
- Try smaller batch