Skip to main content

Audit Trail

Overview

Centralize Management System mencatat semua operasi penting ke OpenSearch audit-log-* index dengan hash chain untuk integrity.

Audit Events

Event Types

EventDescriptionTrigger
loginUser loginPOST /api/login
logoutUser logout-
searchLog searchPOST /api/v1/logs/list/paginate
exportData exportGET /api/v1/log-audit/export/*
createResource creationPOST /api/*
updateResource updatePUT /api/*
deleteResource deletionDELETE /api/*

Audit Log Format

{
"@timestamp": "2026-07-06T10:30:00Z",
"actor": "admin",
"action": "login",
"target": "system",
"result": "success",
"ip": "10.8.0.48",
"details": {
"method": "password"
},
"source_type": "audit",
"app_slug": "clm-backend",
"tenant_id": "bjb-syariah"
}

Implementation

Backend Logging

func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
// ... login logic ...

go func() {
auditDoc := map[string]any{
"@timestamp": time.Now().UTC().Format(time.RFC3339),
"actor": req.Username,
"action": "login",
"target": "system",
"result": "success",
"ip": r.RemoteAddr,
"details": map[string]any{
"method": "password",
},
"source_type": "audit",
"app_slug": "clm-backend",
"tenant_id": s.cfg.DefaultTenant,
}
indexName := "audit-log-" + time.Now().UTC().Format("2006.01.02")
s.search.IndexDocument(context.Background(), indexName, auditDoc)
}()
}

Search Audit Logs

# Search audit logs
curl -sk -u admin:MyStrong@OpenSearch2026! \
https://localhost:9200/audit-log-*/_search \
-H 'Content-Type: application/json' \
-d '{
"query": {
"bool": {
"must": [
{ "match": { "actor": "admin" } }
],
"filter": [
{ "range": { "@timestamp": { "gte": "now-7d" } } }
]
}
},
"sort": [
{ "@timestamp": { "order": "desc" } }
],
"size": 100
}'

Export

CSV Export

GET /api/v1/log-audit/export/csv?from=2026-07-01&to=2026-07-06

Excel Export

GET /api/v1/log-audit/export/excel?from=2026-07-01&to=2026-07-06

Retention

IndexRetentionDescription
audit-log-*90 daysAudit trail
logs-*Per policyApplication logs
wazuh-alerts-*30 daysSecurity alerts

Monitoring

Check Audit Logs

# Count audit logs today
curl -sk -u admin:MyStrong@OpenSearch2026! \
"https://localhost:9200/audit-log-$(date +%Y.%m.%d)/_count"

# List recent audit logs
curl -sk -u admin:MyStrong@OpenSearch2026! \
"https://localhost:9200/audit-log-*/_search?size=10&sort=@timestamp:desc"

Next Steps