Audit Logging
Audit logging provides a comprehensive, tamper-resistant record of all operations and certificate issuances within the Avassa system. This immutable trail is essential for security monitoring, compliance, and forensic analysis.
Purpose and Scope
Avassa's audit logging system records two categories of events:
- API Operations - All REST API calls made by users, applications, or system components
- Certificate Issuance - All certificates generated by the system's Certificate Authorities
Each event captures what happened, who performed it, when, where, and relevant context, ensuring full accountability across the distributed system.
Architecture
Audit events are published to Volga topics as real-time streams, enabling immediate monitoring, event correlation, and integration with external SIEM systems. Events are segregated into two topics to prevent unauthenticated requests from flooding and obscuring authenticated activity:
- Authenticated requests - Published to system:audit-trail-log
- Unauthenticated requests - Published to system:unauthenticated-audit-trail-log
Logs are automatically streamed upward from local sites to the Control Tower, providing centralized visibility and tamper resistance. This hierarchical distribution ensures that even if a site is compromised, its audit trail remains intact at higher levels.
Event Types
There are two types of events in the audit log:
API Events
API events capture all REST API interactions, including configuration changes, read operations, action invocations, authentication, and authorization decisions. Each event records the complete request context: who made it, what they attempted, whether it succeeded, timing, and origin.
Certificate Events
Certificate events record every certificate issued by any Certificate Authority, including server, client, auto-generated, and application certificates. Events capture the issuing CA, certificate properties (validity period, subject, SANs), and the complete certificate.
Security and Privacy
Sensitive Data Protection
Sensitive data never appears in plain text. All sensitive information (access tokens, credentials, cryptographic material) is hashed using a tenant-specific HMAC before logging. This balances privacy (data cannot be extracted) with traceability (operations using the same token can be correlated). The tenant-specific HMAC prevents cross-tenant correlation.
The hashed token serves as a session identifier, enabling tracking of all operations in a session without exposing the token itself. To search for specific sensitive values, the plain text can be hashed using the audit HMAC function and matched against events.
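The correlation and lookup described above, as an added example that is not Avassa's own code. It assumes HMAC-SHA256, constructed per-tenant keys, and hypothetical event fields (`tenant`, `path`, `token`); the platform's actual audit HMAC function and event schema are not shown on this page.

```python
import hashlib
import hmac

# Constructed per-tenant keys (assumption); real keys never leave the platform.
TENANT_KEYS = {
    "tenant-a": b"constructed-key-for-tenant-a",
    "tenant-b": b"constructed-key-for-tenant-b",
}

def audit_hmac(tenant: str, value: str) -> str:
    """Keyed hash of a sensitive value. HMAC-SHA256 is an assumption."""
    key = TENANT_KEYS[tenant]
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def redact(event: dict) -> dict:
    """Copy the event, replacing the plain-text token with its tenant HMAC."""
    out = dict(event)
    out["token"] = audit_hmac(event["tenant"], event["token"])
    return out

def find_by_token(tenant: str, token: str, log: list) -> list:
    """Hash a known plain-text token and match it against logged events."""
    wanted = audit_hmac(tenant, token)
    return [
        e for e in log
        if e["tenant"] == tenant and hmac.compare_digest(e["token"], wanted)
    ]

# Constructed sample events, not real audit records; paths are placeholders.
RAW = [
    {"tenant": "tenant-a", "path": "/example/apps", "token": "tok-111"},
    {"tenant": "tenant-a", "path": "/example/sites", "token": "tok-111"},
    {"tenant": "tenant-a", "path": "/example/apps", "token": "tok-222"},
    {"tenant": "tenant-b", "path": "/example/apps", "token": "tok-111"},
]
LOG = [redact(e) for e in RAW]

if __name__ == "__main__":
    for hit in find_by_token("tenant-a", "tok-111", LOG):
        print(hit["path"], hit["token"][:12])
```

The same plain-text token logged under `tenant-b` produces a different digest, so an analyst holding only `tenant-a` events cannot link the two.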
Immutability and Tamper Resistance
Multiple layers protect against tampering:
- Cryptographic signing - Each event is signed when added to the Volga topic
- Immediate replication - Events stream upward as they occur
- Write-once semantics - Events cannot be modified once written
- Hierarchical distribution - Logs exist at multiple site levels
- Append-only structure - Deletions leave obvious gaps
Any attempt to alter an event is detected through signature verification. Even if an attacker gains control of a site, they cannot retroactively modify or delete its audit trail without detection.
Applications
Audit logging serves several critical functions:
Compliance and Governance - Provides evidentiary basis for regulatory requirements (SOC 2, ISO 27001, GDPR, HIPAA), demonstrating who accessed what, when changes occurred, and whether access controls were enforced.
Security Monitoring - Enables detection of anomalous behavior, privilege escalation attempts, and security incidents. Real-time streaming allows immediate alerting on suspicious activities.
Operational Intelligence - Request timing reveals performance bottlenecks, usage patterns inform capacity planning, and error rates guide troubleshooting.
Incident Response - Essential for timeline reconstruction, scope determination, root cause analysis, and remediation verification during security incidents.
Accessing the Audit Trail
Audit events are published to Volga topics based on authentication status:
- Authenticated requests: system:audit-trail-log
- Unauthenticated requests: system:unauthenticated-audit-trail-log
These topics provide real-time streams for immediate analysis and monitoring.
Summary
Audit logging is foundational to Avassa's security architecture. It provides comprehensive coverage of all API operations and certificate issuances, protects privacy through HMAC hashing, ensures tamper resistance via cryptographic signing and distributed replication, and enables real-time monitoring.
The immutable audit trail is essential for security, compliance, operations, and incident response, enabling organizations to understand, monitor, and prove the correct operation of their infrastructure.
For information about the authentication and authorization systems that generate audit events, see Authentication and Authorization.