Audit Log Architecture
The audit system captures events at two primary levels: Administrative/Management Actions and API Access.
1. Platform Audit Logs
Platform audit logs capture “who did what and when” regarding the management of resources. These logs are generated whenever a user or API key performs an action that modifies the state of the platform.
What is Logged?
Each audit log entry contains a high-fidelity record of the event:
| Field | Description |
|---|---|
| Timestamp | The exact UTC time the action occurred. |
| Identity | The User ID, Email, and/or API Key ID responsible for the action. |
| Action | The specific operation performed (e.g., create, update, delete, execute, login). |
| Resource | The type and unique ID of the resource (e.g., workflow, agent, knowledge_base, user_group). |
| Context | The Tenant and Workspace identifiers where the action took place. |
| Payload | A JSON representation of the request body and metadata associated with the change. |
| Route & Method | The specific API route and HTTP method used. |
Who is Logged?
- Platform Users: Actions performed via the web interface.
- Service Accounts: Actions performed by automated systems using API keys.
- System Administrators: Global configuration changes and tenant-level management.
2. API Call Logs
In addition to state-changing actions, Noxus maintains detailed logs of every incoming API request to ensure complete visibility into platform usage.
Captured Data Points
- Performance: Exact duration of the request in milliseconds and the resulting HTTP response code.
- Attribution: Mapping of the call to a specific tenant_id, user_id, and api_key_id.
- Routing: The specific resource endpoint accessed.
- Timing: Precise start and end times for every call.
Accountability & Traceability
Noxus uses Correlation IDs to link related events across different services. This allows security teams to trace a single user action from the initial frontend request through the backend orchestration and down to the specific worker pool execution.
Log Integrity
- Persistence: Audit logs are stored in a dedicated, indexed database layer (audit_logs and api_call_logs) separate from transient application state.
- Redaction: Sensitive information such as passwords or raw secret values is automatically redacted before being committed to the logs.
- Retention: Organizations can define custom retention policies to meet legal and compliance obligations.
SIEM & External Integration
For centralized security monitoring, Noxus supports exporting audit and access logs to external SIEM (Security Information and Event Management) platforms.
- Supported Backends: Elasticsearch, OpenSearch, Splunk, Datadog, and AWS CloudWatch.
- Format: Logs are emitted in structured JSON format, making them ready for immediate ingestion and dashboarding.
- Alerting: External systems can be configured to trigger alerts based on specific audit patterns, such as multiple failed login attempts or unauthorized resource access.
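
The "multiple failed login attempts" pattern named above, written as detection logic over exported JSON log lines. This is an added example, not Noxus code: the key names (timestamp, tenant_id, user_id, action, status_code, correlation_id) and the convention that a failed login appears as action login with a 401/403 status are assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, user, action, status, cid):
    # Key names are assumptions for this example, not the documented Noxus schema.
    return json.dumps({"timestamp": ts, "tenant_id": "t1", "user_id": user,
                       "action": action, "status_code": status, "correlation_id": cid})

# Constructed sample export (one JSON object per line, plus one malformed line).
SAMPLE_LINES = [
    _line("2024-05-01T10:00:00Z", "alice", "login", 401, "c-1"),
    _line("2024-05-01T10:00:00Z", "carol", "login", 401, "c-6"),
    _line("2024-05-01T10:00:40Z", "alice", "login", 401, "c-2"),
    _line("2024-05-01T10:01:00Z", "bob", "login", 401, "c-3"),
    _line("2024-05-01T10:01:30Z", "alice", "login", 401, "c-4"),
    _line("2024-05-01T10:02:00Z", "bob", "update", 200, "c-5"),
    "{truncated",
    _line("2024-05-01T10:03:00Z", "bob", "login", 401, "c-9"),
    _line("2024-05-01T10:10:00Z", "carol", "login", 401, "c-7"),
    _line("2024-05-01T10:20:00Z", "carol", "login", 401, "c-8"),
]

def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when one (tenant, user) has `threshold` failed logins within `window`."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skipped here, worth counting in production
        if isinstance(event, dict) and "timestamp" in event:
            events.append(event)
    events.sort(key=_ts)  # exports may arrive out of order
    recent, alerts = defaultdict(deque), []
    for event in events:
        if event.get("action") != "login" or event.get("status_code") not in (401, 403):
            continue
        key = (event.get("tenant_id"), event.get("user_id"))
        now, queue = _ts(event), recent[key]
        queue.append((now, event.get("correlation_id")))
        while now - queue[0][0] > window:
            queue.popleft()  # drop failures that fell out of the window
        if len(queue) >= threshold:
            alerts.append({"tenant_id": key[0], "user_id": key[1], "count": len(queue),
                           "correlation_ids": [cid for _, cid in queue]})
            queue.clear()  # avoid re-alerting on the same burst
    return alerts
```

Each alert carries the correlation IDs of the contributing events, so an analyst can pivot from the alert to the related entries in other services.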