
Audit Logging

MazeVault Audit Trail and SIEM Integration

Document Version: 1.2.0
Last Updated: 2026-04-19


1. Overview

MazeVault maintains a comprehensive audit trail of all operations performed on the platform. Audit logs are designed for compliance evidence, forensic analysis, and security monitoring.

2. Audited Events

Authentication Events

| Event | Description | Severity |
|---|---|---|
| auth.login.success | Successful user authentication | Info |
| auth.login.failure | Failed authentication attempt | Warning |
| auth.logout | User logout | Info |
| auth.mfa.enabled | MFA enabled for account | Info |
| auth.mfa.disabled | MFA disabled for account | Warning |
| auth.session.expired | Session timeout | Info |
| auth.token.revoked | JWT token manually revoked | Warning |

Secret Operations

| Event | Description | Severity |
|---|---|---|
| secret.created | New secret created | Info |
| secret.read | Secret value accessed | Info |
| secret.updated | Secret value or metadata modified | Info |
| secret.deleted | Secret permanently deleted | Warning |
| secret.rotated | Secret value rotated | Info |
| secret.shared | Secret shared with user/team | Info |
| secret.version.rollback | Secret rolled back to previous version | Warning |

Certificate Operations

| Event | Description | Severity |
|---|---|---|
| cert.requested | Certificate signing request submitted | Info |
| cert.issued | Certificate issued | Info |
| cert.revoked | Certificate revoked | Warning |
| cert.renewed | Certificate renewed | Info |
| cert.imported | Certificate imported | Info |
| cert.exported | Certificate exported (with private key) | Warning |
| cert.deleted | Certificate permanently deleted | Warning |

Access Control Events

| Event | Description | Severity |
|---|---|---|
| rbac.role.created | New role created | Info |
| rbac.role.modified | Role permissions changed | Warning |
| rbac.role.deleted | Role deleted | Warning |
| rbac.user.assigned | User assigned to role | Info |
| rbac.user.removed | User removed from role | Warning |
| rbac.permission.denied | Access denied due to insufficient permissions | Warning |

System Events

| Event | Description | Severity |
|---|---|---|
| system.config.changed | System configuration modified | Warning |
| system.backup.created | Backup operation completed | Info |
| system.backup.restored | System restored from backup | Critical |
| system.key.rotated | Encryption key rotated | Warning |
| system.license.enrolled | License enrolled | Info |
| system.license.expired | License expired | Critical |

KeyTab Operations

Since v1.0.38

| Event | Description | Severity |
|---|---|---|
| keytab.imported | KeyTab file imported | Info |
| keytab.updated | KeyTab metadata or binary updated | Info |
| keytab.deleted | KeyTab permanently deleted | Warning |
| keytab.downloaded | KeyTab binary downloaded (decrypted) | Warning |
| keytab.discovered | Agent reported keytab discovery | Info |
| keytab.compliance.checked | Cipher compliance evaluated | Info |
| keytab.policy.updated | Organization cipher policy modified | Warning |

Report Operations

Since v1.0.38

| Event | Description | Severity |
|---|---|---|
| report.triggered | Weekly report manually triggered | Info |
| report.settings.updated | Report recipients or settings changed | Info |
| report.delivered | Report sent to notification channel | Info |
| report.delivery.failed | Report delivery to channel failed | Warning |

3. Log Format

All audit logs are structured as JSON for automated processing:

```json
{
  "timestamp": "2026-02-10T14:30:00.000Z",
  "level": "INFO",
  "event": "secret.read",
  "actor": {
    "user_id": "usr_abc123",
    "username": "john.doe",
    "ip_address": "10.0.1.50",
    "user_agent": "Mozilla/5.0..."
  },
  "resource": {
    "type": "secret",
    "id": "sec_xyz789",
    "project": "production-keys"
  },
  "context": {
    "organization_id": "org_def456",
    "request_id": "req_ghi012",
    "session_id": "ses_jkl345"
  },
  "result": "success"
}
```

Log Fields

| Field | Description | Always Present |
|---|---|---|
| timestamp | ISO 8601 UTC timestamp | Yes |
| level | Log severity (INFO, WARNING, CRITICAL) | Yes |
| event | Event type identifier | Yes |
| actor.user_id | Unique user identifier | Yes |
| actor.username | Human-readable username | Yes |
| actor.ip_address | Client IP address | Yes |
| resource.type | Resource type (secret, certificate, role, etc.) | Yes |
| resource.id | Resource unique identifier | Yes |
| resource.project | Project context | When applicable |
| context.request_id | Unique request correlation ID | Yes |
| result | Operation outcome (success, failure, denied) | Yes |
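A record that is missing a documented field, carries an unknown level or result, or logs an event at a severity that disagrees with the event tables above is either a producer bug or a record that was tampered with in transit, and a SIEM ingestion pipeline should reject or alert on it rather than silently index it. The following validator is an added example, not MazeVault's own code: the required-field list follows the Log Fields table, the expected-severity map is a subset copied from the Audited Events tables, and the sample records (including the `session` resource type used for the login record) are constructed.

```python
"""Validate MazeVault-style audit records against the documented log format.

Added example, not MazeVault's own code. REQUIRED_FIELDS follows the
"Log Fields" table; EXPECTED_LEVEL is a subset of the "Audited Events"
tables. Sample records below are constructed.
"""
import json
from datetime import datetime

# Fields the page lists as always present (dotted paths into the JSON object).
REQUIRED_FIELDS = [
    "timestamp", "level", "event",
    "actor.user_id", "actor.username", "actor.ip_address",
    "resource.type", "resource.id",
    "context.request_id", "result",
]
VALID_LEVELS = {"INFO", "WARNING", "CRITICAL"}
VALID_RESULTS = {"success", "failure", "denied"}

# Expected severity per event, copied from the event tables (subset).
EXPECTED_LEVEL = {
    "auth.login.success": "INFO",
    "auth.login.failure": "WARNING",
    "auth.mfa.disabled": "WARNING",
    "secret.read": "INFO",
    "secret.deleted": "WARNING",
    "cert.exported": "WARNING",
    "rbac.role.modified": "WARNING",
    "rbac.permission.denied": "WARNING",
    "system.backup.restored": "CRITICAL",
    "keytab.downloaded": "WARNING",
}


def get_path(record, dotted):
    """Return the value at a dotted path, or None if any segment is missing."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def validate_record(record):
    """Return a list of problems; an empty list means the record conforms."""
    problems = []
    for path in REQUIRED_FIELDS:
        if get_path(record, path) in (None, ""):
            problems.append(f"missing required field {path}")
    level = record.get("level")
    if level not in VALID_LEVELS:
        problems.append(f"unknown level {level!r}")
    if record.get("result") not in VALID_RESULTS:
        problems.append(f"unknown result {record.get('result')!r}")
    ts = record.get("timestamp")
    if isinstance(ts, str):
        try:
            # ISO 8601 UTC with a trailing Z; normalise Z so fromisoformat accepts it
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"timestamp not ISO 8601: {ts!r}")
    # A level that disagrees with the documented severity is worth its own alert.
    expected = EXPECTED_LEVEL.get(record.get("event"))
    if expected and level != expected:
        problems.append(
            f"event {record['event']} logged at {level}, expected {expected}")
    return problems


def validate_lines(lines):
    """Validate newline-delimited JSON; returns {line_no: problems} for bad lines."""
    report = {}
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["not valid JSON"]
            continue
        problems = validate_record(rec)
        if problems:
            report[n] = problems
    return report


# Constructed sample data: one conforming record, one with a missing
# request_id and a wrong severity, and one truncated line.
GOOD_RECORD = {
    "timestamp": "2026-02-10T14:30:00.000Z", "level": "INFO", "event": "secret.read",
    "actor": {"user_id": "usr_abc123", "username": "john.doe", "ip_address": "10.0.1.50"},
    "resource": {"type": "secret", "id": "sec_xyz789", "project": "production-keys"},
    "context": {"organization_id": "org_def456", "request_id": "req_ghi012"},
    "result": "success",
}
BAD_RECORD = {
    "timestamp": "2026-02-10T14:31:00.000Z", "level": "INFO", "event": "auth.login.failure",
    "actor": {"user_id": "usr_abc123", "username": "john.doe", "ip_address": "10.0.1.50"},
    "resource": {"type": "session", "id": "ses_jkl345"},
    "context": {"organization_id": "org_def456"},
    "result": "failure",
}
SAMPLE_LINES = [
    json.dumps(GOOD_RECORD),
    json.dumps(BAD_RECORD),
    '{"timestamp": "2026-02-10T14:31:00.000Z", "level": "INFO"',
]

if __name__ == "__main__":
    for line_no, problems in validate_lines(SAMPLE_LINES).items():
        print(line_no, problems)
```

Run it over a log file with `validate_lines(open(path))`; the truncated third sample line is the shape you see when a log file is rotated mid-write, which is why the loop reports per line instead of aborting.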

4. Log Retention

| Environment | Default Retention | Configurable |
|---|---|---|
| Production | 365 days | Yes |
| Staging | 90 days | Yes |
| Development | 30 days | Yes |

Regulatory Requirements

Configure log retention to meet your organization's regulatory requirements. Some standards (PCI DSS, SOC 2) require a minimum retention of 1 year.

5. SIEM Integration

MazeVault audit logs can be forwarded to external Security Information and Event Management (SIEM) systems.

Supported Export Methods

| Method | Description | Configuration |
|---|---|---|
| JSON Log Files | Structured JSON log files on disk | Default, always available |
| Syslog (RFC 5424) | Forward to syslog-compatible collectors | Configurable destination |
| Prometheus Metrics | Security-relevant metrics at /metrics | Built-in |
| Webhook | HTTP POST to external endpoint | Configurable URL + auth |

Integration Examples

Splunk: Configure a Splunk Universal Forwarder to monitor the MazeVault log directory or use the HTTP Event Collector (HEC) with webhook integration.

Azure Sentinel: Forward JSON logs to Azure Log Analytics workspace via Filebeat or Fluentd.

Elastic SIEM: Ingest JSON logs using Filebeat with the JSON input module.
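When writing or testing a collector parser for the syslog export, it helps to see what an RFC 5424 message built from one of the JSON records above looks like: a PRI computed from facility and severity, a version, the ISO 8601 timestamp (which is already valid RFC 5424 syntax), host and application names, a structured-data element carrying the indexable fields, and the full JSON record as the message body. The code below is an added example and not MazeVault's forwarder; the page only states that the export is RFC 5424, so the facility (13, "log audit"), the level-to-severity mapping, the hostname and app-name values, and the SD-ID `mazevault@32473` are assumptions (32473 is the enterprise number reserved for documentation examples).

```python
"""Render a MazeVault-style audit record as an RFC 5424 syslog message.

Added example, not MazeVault's own forwarder. Facility, severity mapping,
hostname/app-name and the SD-ID are assumptions; 32473 is the enterprise
number reserved for documentation and must be replaced in real use.
"""
import json

FACILITY_LOG_AUDIT = 13
# RFC 5424 severity codes: Critical=2, Warning=4, Informational=6.
SEVERITY = {"CRITICAL": 2, "WARNING": 4, "INFO": 6}
SD_ID = "mazevault@32473"


def sd_escape(value):
    """Escape the three characters RFC 5424 requires escaped in a PARAM-VALUE."""
    return (str(value).replace("\\", "\\\\")
                      .replace('"', '\\"')
                      .replace("]", "\\]"))


def to_syslog(record, hostname="mazevault-01", app_name="mazevault"):
    """Build one RFC 5424 message: header, structured data, then the JSON body."""
    pri = FACILITY_LOG_AUDIT * 8 + SEVERITY.get(record["level"], 6)
    actor = record.get("actor", {})
    resource = record.get("resource", {})
    context = record.get("context", {})
    # Key fields go into structured data so a collector can index them
    # without parsing the body; the body keeps the complete record.
    params = {
        "event": record["event"],
        "result": record.get("result", ""),
        "user": actor.get("username", ""),
        "ip": actor.get("ip_address", ""),
        "resource": f"{resource.get('type', '')}:{resource.get('id', '')}",
        "request_id": context.get("request_id", ""),
    }
    sd = "[" + SD_ID + " " + " ".join(
        f'{k}="{sd_escape(v)}"' for k, v in params.items()) + "]"
    msgid = record["event"][:32]          # MSGID is limited to 32 characters
    body = json.dumps(record, separators=(",", ":"))
    # PROCID is sent as the nil value "-"; the timestamp is used unchanged.
    return (f"<{pri}>1 {record['timestamp']} {hostname} {app_name} - "
            f"{msgid} {sd} {body}")


def frame_for_tcp(message):
    """Octet-counting framing (RFC 6587) for TCP transports: b'<len> <msg>'."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


# Constructed sample record in the page's log format.
SAMPLE_RECORD = {
    "timestamp": "2026-02-10T14:30:00.000Z", "level": "INFO", "event": "secret.read",
    "actor": {"user_id": "usr_abc123", "username": "john.doe",
              "ip_address": "10.0.1.50", "user_agent": "Mozilla/5.0..."},
    "resource": {"type": "secret", "id": "sec_xyz789", "project": "production-keys"},
    "context": {"organization_id": "org_def456", "request_id": "req_ghi012",
                "session_id": "ses_jkl345"},
    "result": "success",
}

if __name__ == "__main__":
    print(to_syslog(SAMPLE_RECORD))
```

Feed the output of `to_syslog` to your collector's RFC 5424 parser and confirm that `pri`, `msgid` and the `mazevault@32473` parameters land in the fields you expect; over TCP wrap each message with `frame_for_tcp` so a collector cannot split or merge records at newline boundaries inside the JSON body.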

6. Compliance Reporting

MazeVault provides several reporting capabilities for compliance evidence and operational visibility.

Use the audit log search (POST /audit-logs/search) to query events with advanced filters:

| Filter | Description |
|---|---|
| Date range | Filter events by start and end date |
| Users | Filter by one or more user IDs |
| Actions | Filter by event action types |
| Entity types | Filter by resource type (secret, certificate, role, etc.) |
| Severity | Filter by severity level (info, warning, error, critical) |
| Risk score | Filter by minimum/maximum risk score |
| IP address | Filter by source IP address |
| Free-text search | Search across event data |

Results include aggregations by action and severity level.

Compliance Use Cases

Use audit log search to generate evidence for common compliance scenarios:

  • Failed access attempts: filter by action auth.login.failure
  • Secret access history: filter by entity type secret
  • Permission changes: filter by actions rbac.*
  • Certificate lifecycle events: filter by entity type certificate
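The same filters and aggregations can be reproduced offline over exported JSON log lines, which is useful when an auditor needs evidence from a retained log file rather than from the live API, or when you want to cross-check what the search endpoint returns. The code below is an added example, not the POST /audit-logs/search endpoint or its request format: the `search()` signature is this example's own, the Risk score filter is left out because the log format on this page has no risk score field, and the records in `SAMPLE` (including the `session` resource type on login events) are constructed.

```python
"""Offline equivalent of the audit-log search filters and aggregations.

Added example, not the /audit-logs/search endpoint. It applies the page's
filter kinds (date range, users, actions, entity types, severity, IP,
free text) to newline-delimited JSON records and aggregates the hits by
action and by severity. SAMPLE is constructed data.
"""
import json
from collections import Counter
from datetime import datetime
from fnmatch import fnmatchcase


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the audit log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def search(records, start=None, end=None, users=None, actions=None,
           entity_types=None, severity=None, ip=None, text=None):
    """Apply the filters (all optional, ANDed) and aggregate the hits."""
    hits = []
    for rec in records:
        ts = parse_ts(rec["timestamp"])
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        if users and rec["actor"]["user_id"] not in users:
            continue
        # Action filters accept glob patterns, so "rbac.*" covers all role events.
        if actions and not any(fnmatchcase(rec["event"], p) for p in actions):
            continue
        if entity_types and rec["resource"]["type"] not in entity_types:
            continue
        if severity and rec["level"].lower() not in {s.lower() for s in severity}:
            continue
        if ip and rec["actor"]["ip_address"] != ip:
            continue
        # Free-text search looks at the serialized record, case-insensitively.
        if text and text.lower() not in json.dumps(rec).lower():
            continue
        hits.append(rec)
    return {
        "events": hits,
        "by_action": dict(Counter(r["event"] for r in hits)),
        "by_severity": dict(Counter(r["level"] for r in hits)),
    }


def load_ndjson(lines):
    """Load newline-delimited JSON (e.g. an exported log file), skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]


def _rec(ts, event, level, user, ip, rtype, rid, result="success"):
    """Build a constructed record in the page's log format (sample data only)."""
    return {
        "timestamp": ts, "level": level, "event": event,
        "actor": {"user_id": user, "username": user, "ip_address": ip},
        "resource": {"type": rtype, "id": rid, "project": "production-keys"},
        "context": {"organization_id": "org_def456", "request_id": f"req_{rid}"},
        "result": result,
    }


# Constructed sample: two failed logins then a success from one address, a
# secret read, two role changes and a certificate export by another user.
SAMPLE = [
    _rec("2026-02-10T08:00:00.000Z", "auth.login.failure", "WARNING", "usr_a", "203.0.113.7", "session", "s1", "failure"),
    _rec("2026-02-10T08:00:30.000Z", "auth.login.failure", "WARNING", "usr_a", "203.0.113.7", "session", "s2", "failure"),
    _rec("2026-02-10T08:01:00.000Z", "auth.login.success", "INFO", "usr_a", "203.0.113.7", "session", "s3"),
    _rec("2026-02-10T08:05:00.000Z", "secret.read", "INFO", "usr_a", "203.0.113.7", "secret", "sec_xyz789"),
    _rec("2026-02-10T09:00:00.000Z", "rbac.role.modified", "WARNING", "usr_b", "10.0.1.50", "role", "role_admin"),
    _rec("2026-02-10T09:01:00.000Z", "rbac.user.assigned", "INFO", "usr_b", "10.0.1.50", "role", "role_admin"),
    _rec("2026-02-10T10:00:00.000Z", "cert.exported", "WARNING", "usr_b", "10.0.1.50", "certificate", "crt_001"),
]

if __name__ == "__main__":
    # The four compliance use cases from the page, run over the sample.
    print(search(SAMPLE, actions=["auth.login.failure"])["by_severity"])
    print(search(SAMPLE, entity_types=["secret"])["by_action"])
    print(search(SAMPLE, actions=["rbac.*"])["by_action"])
    print(search(SAMPLE, entity_types=["certificate"])["by_action"])
```

To run it against a retained log, replace `SAMPLE` with `load_ndjson(open(path))`; the `by_action` and `by_severity` counters are the offline counterpart of the aggregations the search endpoint returns.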

Compliance Framework Reports

MazeVault generates structured compliance reports aligned with major regulatory frameworks:

| Framework | Endpoint | Description |
|---|---|---|
| PCI-DSS | GET /compliance/pci-dss | Payment Card Industry Data Security Standard |
| SOC 2 | GET /compliance/soc2 | Service Organization Control 2 |
| GDPR | GET /compliance/gdpr | General Data Protection Regulation |
| ISO 27001 | GET /compliance/iso27001 | Information Security Management |

Each report includes:

  • Overall compliance score (0–100) and status (compliant / partial / non-compliant)
  • Controls with evidence and findings per control
  • Certificate statistics — active, expired, expiring within 30/90 days, rotation-enabled
  • Rotation statistics — success rate, failed/rolled-back rotations
  • Password policy statistics — configured policies, secrets with rotation
  • Recommendations for improving compliance posture

Weekly Expiry Reports

MazeVault can generate and deliver weekly reports listing certificates and secrets approaching expiration:

  • Preview report data via GET /reports/preview
  • Trigger manual delivery via POST /reports/trigger
  • Configure recipients via GET/PUT /reports/settings
  • Delivery channels: Email (HTML), Slack, Microsoft Teams, Webhook

Certificate Reports

Query certificate inventory with filtering by project, status, and expiry health:

| Endpoint | Description |
|---|---|
| GET /reports/certificates | Certificate overview with health status, expiry details, key algorithm, auto-renewal settings |
| POST /reports/certificates/refresh | Refresh the underlying data view |