Operational monitoring, export, access logging, SIEM
Part of the Universal Audit Log Specification. Operational monitoring (§14), export and reporting flows (§15), the access-logging extension that records "who read what" (§16), and the SIEM integration via the audit.entry.created outbox event (§17).
14. Operational Monitoring
14.1 Required Metrics
The audit subsystem SHALL expose the following metrics:
| Metric | Type | Alert Threshold |
|---|---|---|
| Audit write latency (p50, p95, p99) | Histogram | p99 > 10ms |
| Table size (heap + TOAST + indexes) | Gauge, daily | Configurable per environment |
| Rows per minute by module | Counter | Anomaly detection (>3 sigma deviation) |
| Immutability trigger rejection count | Counter | Any non-zero value (immediate alert) |
| Chain integrity status | Gauge (per tenant) | Any failure (immediate alert) |
| VACUUM age / transaction ID wraparound distance | Gauge | < 50M transactions remaining |
| Partition count and next auto-create date | Gauge | < 2 future partitions remaining |
14.2 SLOs
| SLO | Target |
|---|---|
| Audit write latency p99 | < 10ms |
| Audit availability (writes succeed) | 99.99% |
| Chain integrity verification | 100% of tenants verified nightly |
Metrics SHALL be exposed via the platform metrics interface (Prometheus-compatible) with Grafana dashboard templates.
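The thresholds in 14.1 as an alert evaluator, added here as an illustration; this is not part of the specification or of any reference implementation. It is Python regardless of the language the audit subsystem is written in, and the sample layout (`AuditMetrics`), the severity labels and the names `evaluate_alerts` and `sigma_anomalies` are assumptions. The 3-sigma rule is computed against a baseline that excludes the newest sample, so a burst cannot inflate its own standard deviation and hide:

```python
"""Alert evaluation for the audit-subsystem metrics in section 14.1.

Added illustration: the threshold values are the ones in the table above; the
metric names, sample layout and helper names are assumptions for this example,
not the project's own metrics interface.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AuditMetrics:
    write_latency_p99_ms: float
    trigger_rejections: int            # immutability trigger rejection counter
    chain_ok_by_tenant: dict           # tenant -> True/False from nightly verification
    xid_wraparound_remaining: int      # transactions left before wraparound
    future_partitions: int             # partitions already created ahead of now
    rows_per_minute_by_module: dict = field(default_factory=dict)  # module -> recent samples


def sigma_anomalies(samples, sigma=3.0):
    """True if the latest sample deviates from the baseline by more than `sigma`
    standard deviations. The baseline is every sample except the last one, so a
    single spike cannot mask itself by inflating the deviation."""
    if len(samples) < 3:
        return False                   # not enough history for a baseline
    baseline, latest = samples[:-1], samples[-1]
    sd = pstdev(baseline)
    if sd == 0:
        return latest != baseline[0]   # flat baseline: any change is an anomaly
    return abs(latest - mean(baseline)) > sigma * sd


def evaluate_alerts(m: AuditMetrics):
    """Apply the 14.1 thresholds and return the firing alerts.

    'page' corresponds to the 'immediate alert' rows of the table; 'warn' to the
    rest, which can be routed to a ticket queue."""
    alerts = []
    if m.write_latency_p99_ms > 10:
        alerts.append(("warn", f"audit write latency p99 {m.write_latency_p99_ms}ms > 10ms"))
    if m.trigger_rejections > 0:
        # Any rejection means something attempted an UPDATE/DELETE on the log.
        alerts.append(("page", f"immutability trigger rejected {m.trigger_rejections} statement(s)"))
    for tenant, ok in sorted(m.chain_ok_by_tenant.items()):
        if not ok:
            alerts.append(("page", f"hash chain integrity failure for tenant {tenant}"))
    if m.xid_wraparound_remaining < 50_000_000:
        alerts.append(("warn", f"{m.xid_wraparound_remaining} transactions to XID wraparound"))
    if m.future_partitions < 2:
        alerts.append(("warn", f"only {m.future_partitions} future partition(s) exist"))
    for module, samples in sorted(m.rows_per_minute_by_module.items()):
        if sigma_anomalies(samples):
            alerts.append(("warn", f"rows/minute for module {module} deviates > 3 sigma"))
    return alerts


# Constructed sample scrape, not real data: 'billing' has a sudden burst of writes,
# tenant 'globex' failed chain verification, and only one future partition exists.
SAMPLE = AuditMetrics(
    write_latency_p99_ms=12.4,
    trigger_rejections=0,
    chain_ok_by_tenant={"acme": True, "globex": False},
    xid_wraparound_remaining=120_000_000,
    future_partitions=1,
    rows_per_minute_by_module={
        "billing": [40, 42, 39, 41, 40, 43, 38, 41, 40, 39, 400],
        "auth":    [10, 12, 11, 9, 10, 11, 12, 10, 11, 10, 12],
    },
)

if __name__ == "__main__":
    for severity, text in evaluate_alerts(SAMPLE):
        print(f"[{severity}] {text}")
```

In a real deployment these rules live in the alerting layer of the metrics stack rather than in application code; the evaluator is only meant to make the semantics of each row of the table concrete, in particular which conditions page immediately.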
15. Export and Reporting
15.1 Streaming Export
A streaming export endpoint SHALL be provided for compliance auditors, not subject to the 200-row interactive API cap. Formats: CSV, JSON Lines. Filters: date range, module, actor, resource type, organisation, outcome. Requires audit:export permission. Uses chunked transfer encoding. Rate-limited to one concurrent export per tenant.
15.2 Export Auditing
Export events are themselves audited with action: 'EXPORT', resourceType: 'audit.audit_entries', and context containing the format, filters, and row count.
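How a streaming export can satisfy 15.1 and 15.2 together, as an added Python example that is not the project's endpoint code. The in-memory `ENTRIES`, the `audit_write` sink, the per-tenant `threading.Lock` and all function names are assumptions standing in for the database, the audit writer and the HTTP layer. Two details matter in practice: the EXPORT audit entry carries a row count, so it must be written when the stream ends or is abandoned, not when the request is accepted; and the one-export-per-tenant limit is enforced by a non-blocking lock that refuses a second request rather than queuing it:

```python
"""Streaming compliance export with self-auditing (sections 15.1 and 15.2).

Added example, not the project's export endpoint: the in-memory ENTRIES list,
the per-tenant lock and the audit_write sink stand in for the database, the
HTTP layer and the real audit writer.
"""
import csv
import io
import json
import threading
from datetime import datetime, timezone

# Constructed sample entries (not real data) carrying the fields the 15.1 filters use.
ENTRIES = [
    {"id": 1, "ts": "2024-03-01T09:00:00Z", "module": "billing", "actor": "u-17",
     "resourceType": "invoice", "organisation": "org-a", "outcome": "SUCCESS", "action": "UPDATE"},
    {"id": 2, "ts": "2024-03-01T09:05:00Z", "module": "billing", "actor": "u-17",
     "resourceType": "invoice", "organisation": "org-a", "outcome": "FAILURE", "action": "DELETE"},
    {"id": 3, "ts": "2024-03-02T10:00:00Z", "module": "auth", "actor": "u-99",
     "resourceType": "session", "organisation": "org-b", "outcome": "SUCCESS", "action": "CREATE"},
]
FIELDS = ["id", "ts", "module", "actor", "resourceType", "organisation", "outcome", "action"]

_export_locks: dict = {}   # tenant -> Lock; one concurrent export per tenant (15.1)
_audit_sink: list = []     # stands in for the audit writer; receives the EXPORT entry (15.2)


def audit_write(entry):
    _audit_sink.append(entry)


def _drain(buf):
    """Return what was written to the buffer since the last drain, then clear it."""
    chunk = buf.getvalue()
    buf.seek(0)
    buf.truncate()
    return chunk


def _matches(entry, filters):
    """Apply the 15.1 filters; every key present in `filters` must match.
    Timestamps are ISO-8601 UTC strings, so lexical comparison is chronological."""
    if "from" in filters and entry["ts"] < filters["from"]:
        return False
    if "to" in filters and entry["ts"] >= filters["to"]:
        return False
    return all(entry[k] == filters[k] for k in
               ("module", "actor", "resourceType", "organisation", "outcome") if k in filters)


def stream_export(tenant, actor, fmt, filters, permissions, rows=ENTRIES):
    """Generator yielding one chunk per row, suitable for chunked transfer encoding.

    Raises PermissionError without audit:export, ValueError for an unknown format
    and RuntimeError when the tenant already has an export running. The EXPORT
    audit entry is written in `finally`, after the last chunk, because the row
    count is only known once the stream has been consumed or abandoned.
    """
    if "audit:export" not in permissions:
        raise PermissionError("audit:export required")
    if fmt not in ("csv", "jsonl"):
        raise ValueError(f"unsupported format {fmt!r}")
    lock = _export_locks.setdefault(tenant, threading.Lock())
    if not lock.acquire(blocking=False):   # refuse rather than queue a second export
        raise RuntimeError(f"an export is already running for tenant {tenant}")
    count = 0
    try:
        if fmt == "csv":
            buf = io.StringIO()
            writer = csv.DictWriter(buf, fieldnames=FIELDS)
            writer.writeheader()
            yield _drain(buf)
        for entry in rows:
            if not _matches(entry, filters):
                continue
            count += 1
            if fmt == "csv":
                writer.writerow(entry)
                yield _drain(buf)
            else:
                yield json.dumps(entry, separators=(",", ":")) + "\n"
    finally:
        audit_write({
            "ts": datetime.now(timezone.utc).isoformat(),
            "tenant": tenant,
            "actor": actor,
            "action": "EXPORT",
            "resourceType": "audit.audit_entries",
            "context": {"format": fmt, "filters": filters, "rowCount": count},
        })
        lock.release()


def run_export(tenant, actor, fmt, filters, permissions):
    """Consume the stream fully; returns (body, EXPORT audit entry) for inspection."""
    body = "".join(stream_export(tenant, actor, fmt, filters, permissions))
    return body, _audit_sink[-1]


if __name__ == "__main__":
    body, record = run_export("acme", "auditor-1", "jsonl", {"module": "billing"}, {"audit:export"})
    print(body, record["context"])
```

Because the body is a generator, the permission check only runs on the first chunk; a real endpoint should perform it before committing to a 200 response, which the web framework normally does by calling the generator's first `next()` before sending headers. A client that disconnects mid-stream closes the generator, and the `finally` still records the partial row count.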
16. Access Logging Extension
Mutation audit and read/access audit SHALL be separated.
16.1 Phase 1
Phase 1 covers state-changing operations only, plus the audit-access logging described in Section 13.3.
16.2 Phase 2
Phase 2 MAY add a separate access-log path for:
- document access
- downloads
- print events
- classified record views
- external share access
If implemented, access logs SHOULD use a separate table:
audit.access_log_entries
This follows the useful Open Mercato split between action logs and access logs, but without adopting their full application structure.
17. SIEM Integration
17.1 Purpose
Security-classified audit entries SHALL be forwardable to an external Security Information and Event Management (SIEM) system for centralised security monitoring.
17.2 Integration Path
Forward via the existing outbox mechanism: auditCritical() already writes to the transactional outbox. A SIEM adapter consumes outbox events and forwards them in CEF or structured JSON as a background job.
17.3 Configuration
SIEM forwarding is configurable per-tenant (endpoint URL, format, authentication, classification filter). Some tenants may require real-time forwarding; others may not use SIEM at all.
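A minimal SIEM adapter for the outbox path in 17.2 and the per-tenant configuration in 17.3, added here as an example; it is not the project's adapter. The outbox event shape, the `TENANT_CONFIG` keys (with `min_classification` standing in for the classification filter) and the `transport` callable are assumptions. The part worth getting right is CEF escaping: actor names and summaries are attacker-influenced, and an unescaped `=` or newline in an extension value, or `|` in a header field, lets a forged record be planted inside the SIEM:

```python
"""SIEM forwarding adapter for audit.entry.created outbox events (section 17).

Added example, not the project's adapter. The outbox event shape, the tenant
configuration keys and the transport callable are assumptions. The escaping
rules are those of the ArcSight CEF format: header fields escape '\\' and '|',
extension values escape '\\', '=' and line breaks.
"""
import json

# Constructed per-tenant configuration (17.3); 'globex' has no entry, i.e. no SIEM.
TENANT_CONFIG = {
    "acme": {"endpoint": "https://siem.acme.example/cef", "format": "cef",
             "min_classification": "SECURITY", "token": "t-acme"},
    "initech": {"endpoint": "https://siem.initech.example/hec", "format": "json",
                "min_classification": "CRITICAL", "token": "t-initech"},
}
CLASSIFICATION_RANK = {"INFO": 0, "SECURITY": 1, "CRITICAL": 2}
OUTCOME_SEVERITY = {"SUCCESS": 3, "FAILURE": 7}   # CEF severity scale is 0-10


def cef_header(value):
    """Escape a CEF header field: backslash first, then the '|' delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext(value):
    """Escape a CEF extension value. CR/LF must go too: an attacker-controlled
    field (an actor name, a summary) could otherwise inject a second record."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(entry):
    """Render one audit entry as a CEF:0 line. rt is epoch milliseconds."""
    header = "|".join(cef_header(f) for f in (
        "CEF:0", "UniversalAudit", "audit", "1.0",
        f"{entry['module']}.{entry['action']}", entry["summary"],
        OUTCOME_SEVERITY.get(entry["outcome"], 5)))
    ext = " ".join(f"{k}={cef_ext(v)}" for k, v in (
        ("rt", entry["ts"]), ("suser", entry["actor"]), ("act", entry["action"]),
        ("cs1Label", "resourceType"), ("cs1", entry["resourceType"]),
        ("cs2Label", "tenant"), ("cs2", entry["tenant"]), ("outcome", entry["outcome"])))
    return header + "|" + ext


def forward(event, transport, config=TENANT_CONFIG):
    """Handle one outbox event. Returns (endpoint, payload) when forwarded, or None
    when the tenant has no SIEM or the entry is below its classification filter."""
    if event["type"] != "audit.entry.created":
        return None
    entry = event["payload"]
    cfg = config.get(entry["tenant"])
    if cfg is None:
        return None
    if CLASSIFICATION_RANK[entry["classification"]] < CLASSIFICATION_RANK[cfg["min_classification"]]:
        return None
    payload = to_cef(entry) if cfg["format"] == "cef" else json.dumps(entry, sort_keys=True)
    transport(cfg["endpoint"], cfg["token"], payload)
    return cfg["endpoint"], payload


SENT = []


def memory_transport(endpoint, token, payload):
    """Stands in for the HTTPS/syslog sender; records what would have been sent."""
    SENT.append((endpoint, token, payload))


def _event(tenant, module, action, actor, outcome, classification, summary, ts):
    return {"type": "audit.entry.created", "payload": {
        "tenant": tenant, "ts": ts, "module": module, "action": action, "actor": actor,
        "resourceType": "session" if module == "auth" else "role", "outcome": outcome,
        "classification": classification, "summary": summary}}


# Constructed outbox events. The second carries an attacker-chosen actor name and
# summary with CEF metacharacters; the remaining ones exercise the tenant filters.
EVENTS = [
    _event("acme", "auth", "LOGIN", "u-17", "FAILURE", "SECURITY", "login failed", "1709283600000"),
    _event("acme", "iam", "ROLE_GRANT", "eve=admin|x\nCEF:0|forged", "SUCCESS", "SECURITY",
           "role granted | by eve", "1709283660000"),
    _event("globex", "auth", "LOGIN", "u-1", "FAILURE", "CRITICAL", "login failed", "1709283720000"),
    _event("initech", "iam", "ROLE_GRANT", "u-5", "SUCCESS", "CRITICAL", "role granted", "1709283780000"),
    _event("initech", "auth", "LOGIN", "u-6", "FAILURE", "SECURITY", "login failed", "1709283840000"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(forward(ev, memory_transport))
```

The adapter is idempotent with respect to the outbox: a redelivered event produces the same payload, so the SIEM side should deduplicate on the entry identifier rather than the adapter trying to remember what it sent. Tenants marked as real-time can run the same `forward` on each outbox insert; the others can drain in batches from the background job.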