Audit Trail
Overview
Centralize Management System mencatat semua operasi penting ke OpenSearch audit-log-* index dengan hash chain untuk integrity.
Audit Events
Event Types
| Event | Description | Trigger |
|---|---|---|
login | User login | POST /api/login |
logout | User logout | - |
search | Log search | POST /api/v1/logs/list/paginate |
export | Data export | GET /api/v1/log-audit/export/* |
create | Resource creation | POST /api/* |
update | Resource update | PUT /api/* |
delete | Resource deletion | DELETE /api/* |
Audit Log Format
{
"@timestamp": "2026-07-06T10:30:00Z",
"actor": "admin",
"action": "login",
"target": "system",
"result": "success",
"ip": "10.8.0.48",
"details": {
"method": "password"
},
"source_type": "audit",
"app_slug": "clm-backend",
"tenant_id": "bjb-syariah"
}
Implementation
Backend Logging
func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
// ... login logic ...
go func() {
auditDoc := map[string]any{
"@timestamp": time.Now().UTC().Format(time.RFC3339),
"actor": req.Username,
"action": "login",
"target": "system",
"result": "success",
"ip": r.RemoteAddr,
"details": map[string]any{
"method": "password",
},
"source_type": "audit",
"app_slug": "clm-backend",
"tenant_id": s.cfg.DefaultTenant,
}
indexName := "audit-log-" + time.Now().UTC().Format("2006.01.02")
s.search.IndexDocument(context.Background(), indexName, auditDoc)
}()
}
Search Audit Logs
# Search audit logs
curl -sk -u admin:MyStrong@OpenSearch2026! \
https://localhost:9200/audit-log-*/_search \
-H 'Content-Type: application/json' \
-d '{
"query": {
"bool": {
"must": [
{ "match": { "actor": "admin" } }
],
"filter": [
{ "range": { "@timestamp": { "gte": "now-7d" } } }
]
}
},
"sort": [
{ "@timestamp": { "order": "desc" } }
],
"size": 100
}'
Export
CSV Export
GET /api/v1/log-audit/export/csv?from=2026-07-01&to=2026-07-06
Excel Export
GET /api/v1/log-audit/export/excel?from=2026-07-01&to=2026-07-06
Retention
| Index | Retention | Description |
|---|---|---|
audit-log-* | 90 days | Audit trail |
logs-* | Per policy | Application logs |
wazuh-alerts-* | 30 days | Security alerts |
Monitoring
Check Audit Logs
# Count audit logs today
curl -sk -u admin:MyStrong@OpenSearch2026! \
"https://localhost:9200/audit-log-$(date +%Y.%m.%d)/_count"
# List recent audit logs
curl -sk -u admin:MyStrong@OpenSearch2026! \
"https://localhost:9200/audit-log-*/_search?size=10&sort=@timestamp:desc"
Next Steps
- RBAC - Role-Based Access Control
- ISO Compliance - Compliance features
- OpenSearch - Storage