
Audit Engine Module

Advanced audit logging and compliance tracking with cryptographic integrity verification, multiple export formats, and native SIEM integration for enterprise security requirements.

Overview

The Audit Engine provides comprehensive logging of all system activities with tamper-evident integrity verification. Export audit data in multiple formats for compliance reporting, security analysis, and integration with enterprise SIEM platforms.

  • Collect Logs: automatic logging of all actions
  • Analyze & Export: query, filter, and export data
  • Verify Integrity: cryptographic tamper detection

Export Formats

Export audit logs in multiple industry-standard formats:

CSV

Spreadsheet-compatible export with all audit fields including timestamp, user, action, resource, result, and IP address for easy analysis in Excel or similar tools.

JSON

Structured export with optional detail inclusion for programmatic processing, API integration, and custom analysis workflows.

CEF (Common Event Format)

ArcSight and compatible SIEM integration with standardized event format for security monitoring and correlation.

LEEF (Log Event Extended Format)

QRadar and IBM SIEM integration with structured log event format for enterprise security information and event management.

Key Features

Statistics Dashboard

View comprehensive audit statistics including total entries, entries by action type, entries by result status, and date range queries for trend analysis and compliance reporting.

Integrity Verification

SHA-256 cryptographic hash verification to detect tampering or unauthorized modifications to audit logs. Each entry is hashed with the previous entry's hash to create a verifiable chain.

Retention Policies

Configurable retention policies with automated archive, delete, or compress actions based on age thresholds to manage storage while maintaining compliance requirements.

SIEM Integration

Native support for enterprise SIEM platforms through CEF and LEEF export formats. Stream audit events directly to ArcSight, QRadar, Splunk, and other security monitoring systems.

Date Range Filtering

Filter audit logs by start and end date to generate targeted compliance reports, investigate specific time periods, or analyze activity patterns during incidents.

Logged Events

The Audit Engine captures all security-relevant events:

  • User authentication (login, logout, failed attempts)
  • Authorization decisions (access granted/denied)
  • Configuration changes (settings, policies, rules)
  • Host operations (add, modify, delete, reboot)
  • User and group management
  • Secret access and modifications
  • License activation and module changes
  • API calls with request details

API Access

The Audit Engine is fully accessible via the REST API:

# Statistics
GET    /api/audit/statistics              # Dashboard statistics

# Export
GET    /api/audit/export?format=csv       # Export as CSV
GET    /api/audit/export?format=json      # Export as JSON
GET    /api/audit/export?format=cef       # Export as CEF
GET    /api/audit/export?format=leef      # Export as LEEF

# Integrity Verification
POST   /api/audit/verify-integrity        # Verify log integrity

# Query Parameters
# ?start_date=YYYY-MM-DD    Filter by start date
# ?end_date=YYYY-MM-DD      Filter by end date
# ?action=login             Filter by action type
# ?user=username            Filter by username
# ?result=success           Filter by result (success/failure)

Integrity Verification

The Audit Engine uses cryptographic hashing to make any tampering with stored logs detectable:

  1. Each audit entry is hashed using SHA-256
  2. The hash includes the previous entry's hash, creating a chain
  3. The hash is stored with the entry in the database
  4. Verification recalculates all hashes and compares to stored values
  5. Any modification breaks the chain and is immediately detected

# Verify Integrity via API
curl -X POST https://sysmanage.example.com/api/audit/verify-integrity \
  -H "Authorization: Bearer YOUR_TOKEN"

# Response
{
  "status": "verified",
  "total_entries": 15420,
  "verified_entries": 15420,
  "tampered_entries": 0,
  "verification_time": "2.34s"
}
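A minimal model of the chain described in steps 1 to 5, added here as an illustration. It is not the Audit Engine's own code: the canonical serialization of an entry, the field name "hash", and the seed value for the first link (assumed to be 64 zero digits) are assumptions, and the sample entries are constructed to mirror the CSV export below.

```python
import hashlib
import json
from typing import Any, Dict, List

# Seed for the first link of the chain. The product's actual seed is not
# documented; a fixed all-zero value is assumed here.
GENESIS_HASH = "0" * 64

# Constructed sample entries, mirroring the fields of the CSV export.
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    {"timestamp": "2026-02-12T10:15:23Z", "user": "admin", "action": "login",
     "resource": "/api/auth/login", "result": "success", "ip_address": "192.168.1.100"},
    {"timestamp": "2026-02-12T10:16:45Z", "user": "admin", "action": "host_create",
     "resource": "host:web-01", "result": "success", "ip_address": "192.168.1.100"},
    {"timestamp": "2026-02-12T10:17:12Z", "user": "admin", "action": "secret_view",
     "resource": "secret:db-password", "result": "success", "ip_address": "192.168.1.100"},
]


def canonical_bytes(entry: Dict[str, Any]) -> bytes:
    """Serialize an entry deterministically, leaving out its own hash field.

    Sorted keys and fixed separators make the serialization reproducible, so
    verification recomputes exactly the bytes that were originally hashed."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_hash(entry: Dict[str, Any], previous_hash: str) -> str:
    """SHA-256 over the previous link's hash followed by the entry's content (steps 1 and 2)."""
    digest = hashlib.sha256()
    digest.update(previous_hash.encode("ascii"))
    digest.update(canonical_bytes(entry))
    return digest.hexdigest()


def build_chain(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Hash each entry with its predecessor's hash and store the result with the entry (step 3)."""
    chained = []
    previous = GENESIS_HASH
    for entry in entries:
        record = dict(entry)
        record["hash"] = compute_hash(record, previous)
        previous = record["hash"]
        chained.append(record)
    return chained


def verify_chain(entries: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Recompute every hash and compare it with the stored value (steps 4 and 5).

    The stored predecessor hash is used as the link, so an edited entry is
    reported at its own index, while a rewritten hash or an entry removed from
    the middle of the log shows up as a mismatch on the entry that follows."""
    tampered_indices = []
    previous = GENESIS_HASH
    for index, record in enumerate(entries):
        if record.get("hash") != compute_hash(record, previous):
            tampered_indices.append(index)
        previous = record.get("hash", "")
    return {
        "status": "verified" if not tampered_indices else "tampered",
        "total_entries": len(entries),
        "verified_entries": len(entries) - len(tampered_indices),
        "tampered_entries": len(tampered_indices),
        "tampered_indices": tampered_indices,
    }


if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print("intact: ", verify_chain(chain))
    edited = [dict(r) for r in chain]
    edited[1]["user"] = "someone-else"          # content changed after the fact
    print("edited: ", verify_chain(edited))
    print("deleted:", verify_chain(chain[:1] + chain[2:]))
```

A chain like this is tamper-evident only as long as whoever edits the database cannot also recompute every hash after the edited entry. Anchoring the newest hash somewhere the database writer cannot change (for example the SIEM stream, write-once storage, or a keyed HMAC whose key the database host does not hold) is what turns detection of a single edit into detection of a rewritten chain.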

Export Examples

CSV Export

timestamp,user,action,resource,result,ip_address,details
2026-02-12 10:15:23,admin,login,/api/auth/login,success,192.168.1.100,
2026-02-12 10:16:45,admin,host_create,host:web-01,success,192.168.1.100,"Created new host"
2026-02-12 10:17:12,admin,secret_view,secret:db-password,success,192.168.1.100,

JSON Export

[
  {
    "timestamp": "2026-02-12T10:15:23Z",
    "user": "admin",
    "action": "login",
    "resource": "/api/auth/login",
    "result": "success",
    "ip_address": "192.168.1.100",
    "user_agent": "Mozilla/5.0...",
    "details": {}
  }
]

CEF Export

CEF:0|SysManage|Audit|1.0|login|User Login|5|src=192.168.1.100 suser=admin outcome=success rt=Feb 12 2026 10:15:23

LEEF Export

LEEF:1.0|SysManage|Audit|1.0|login|devTime=Feb 12 2026 10:15:23 GMT src=192.168.1.100 usrName=admin eventResult=success
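The two SIEM lines above are easy to reproduce, but the detail that matters in practice is escaping: audit fields such as the username or resource are attacker-influenced, and a stray pipe, equals sign or line break can shift header fields or forge extra key=value pairs in the collector. The following is an added example, not the Audit Engine's own exporter, that produces the CEF and LEEF lines shown above from a constructed entry and applies the CEF escaping rules (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values). The event-name table and severities other than "login" = 5 are assumptions, as is the space-separated LEEF attribute list (the page's sample uses spaces; the LEEF 1.0 specification's default delimiter is a tab).

```python
import datetime as dt
from typing import Any, Dict, List, Tuple

# Constructed sample entry, matching the shape of the JSON export above.
LOGIN_EVENT: Dict[str, Any] = {
    "timestamp": "2026-02-12T10:15:23Z",
    "user": "admin",
    "action": "login",
    "resource": "/api/auth/login",
    "result": "success",
    "ip_address": "192.168.1.100",
}

# Human-readable names and CEF severities per action. Only login = 5 appears
# on the page; the other values are assumed for illustration.
EVENT_NAMES = {"login": "User Login", "logout": "User Logout",
               "host_create": "Host Created", "secret_view": "Secret Viewed"}
CEF_SEVERITY = {"login": 5, "logout": 3, "host_create": 5, "secret_view": 7}


def event_time(entry: Dict[str, Any]) -> str:
    """Render the ISO-8601 timestamp in the 'MMM dd yyyy HH:mm:ss' form used in both samples."""
    return dt.datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ").strftime("%b %d %Y %H:%M:%S")


def cef_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_extension(value: str) -> str:
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(entry: Dict[str, Any], vendor: str = "SysManage",
           product: str = "Audit", version: str = "1.0") -> str:
    severity = CEF_SEVERITY.get(entry["action"], 3)
    name = EVENT_NAMES.get(entry["action"], entry["action"].replace("_", " ").title())
    header = "CEF:0|" + "|".join(cef_header(field) for field in
                                 (vendor, product, version, entry["action"], name, str(severity)))
    extension: List[Tuple[str, str]] = [("src", entry["ip_address"]), ("suser", entry["user"]),
                                        ("outcome", entry["result"]), ("rt", event_time(entry))]
    return header + "|" + " ".join(f"{key}={cef_extension(value)}" for key, value in extension)


def leef_header(value: str) -> str:
    """A pipe inside a LEEF header field would shift the remaining fields, so it is replaced."""
    return value.replace("|", "_")


def leef_value(value: str, delimiter: str) -> str:
    """LEEF 1.0 defines no escape sequence for attribute values, so anything that
    would split the record (the delimiter itself, line breaks) is replaced."""
    return value.replace("\r", " ").replace("\n", " ").replace(delimiter, " ")


def to_leef(entry: Dict[str, Any], vendor: str = "SysManage", product: str = "Audit",
            version: str = "1.0", delimiter: str = " ") -> str:
    # delimiter defaults to a space to match the page's sample line; pass "\t"
    # for the LEEF 1.0 default, which keeps values containing spaces parseable.
    header = "LEEF:1.0|" + "|".join(leef_header(field) for field in
                                    (vendor, product, version, entry["action"]))
    attributes: List[Tuple[str, str]] = [("devTime", event_time(entry) + " GMT"),
                                         ("src", entry["ip_address"]),
                                         ("usrName", entry["user"]),
                                         ("eventResult", entry["result"])]
    return header + "|" + delimiter.join(f"{key}={leef_value(value, delimiter)}"
                                         for key, value in attributes)


if __name__ == "__main__":
    print(to_cef(LOGIN_EVENT))
    print(to_leef(LOGIN_EVENT))
    hostile = dict(LOGIN_EVENT, user="a=b|c\nsrc=10.0.0.1")   # constructed hostile username
    print(to_cef(hostile))
```

The hostile username in the usage block is the case to keep in mind when reviewing any exporter: without escaping, the line break would end the record and the text after it would arrive at the SIEM as a second, attacker-chosen `src=` field.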

Retention Policies

Configure automated retention policies to manage audit log storage. Retention policies define how long audit entries are kept and what happens when they exceed the retention period. You can create multiple policies targeting different entity types or action types to meet varied compliance requirements.

Policy Configuration

Each retention policy supports the following configuration options:

  • retention_days — Number of days to retain entries (1–3650). Entries older than this threshold are processed by the policy action.
  • action — What to do with expired entries: delete permanently removes them, or archive moves them to the archive table for long-term storage.
  • entity_types (optional) — Array of entity types to target (e.g., ["host", "user", "secret"]). If omitted, the policy applies to all entity types.
  • action_types (optional) — Array of action types to target (e.g., ["login", "logout", "config_change"]). If omitted, the policy applies to all action types.

# Archive all entries older than 1 year
{
  "name": "Annual Archive Policy",
  "retention_days": 365,
  "action": "archive",
  "enabled": true
}

# Delete login events older than 90 days
{
  "name": "Login Cleanup",
  "retention_days": 90,
  "action": "delete",
  "action_types": ["login", "logout"],
  "enabled": true
}

# Archive host operation logs after 180 days
{
  "name": "Host Ops Archive",
  "retention_days": 180,
  "action": "archive",
  "entity_types": ["host"],
  "action_types": ["host_create", "host_modify", "host_delete"],
  "enabled": true
}

Common compliance requirements:

  • HIPAA: 6 years minimum retention
  • SOX: 7 years minimum retention
  • GDPR: Varies by jurisdiction, typically 1-3 years
  • PCI-DSS: 1 year minimum, 3 months online

Audit Log Archival

When a retention policy uses the archive action, expired audit entries are moved from the main audit log table to a dedicated archive table. Archived entries retain all original fields and remain queryable through the archive API, but are separated from the active audit log to improve query performance.

How Archival Works

  1. The retention policy evaluates entries older than the configured retention_days threshold
  2. Matching entries are copied to the audit_archive table with all original fields preserved
  3. Archive metadata is added including the archive timestamp and source policy ID
  4. Original entries are removed from the active audit log table
  5. Integrity hashes are preserved so archived entries can still be verified
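The policy options under Policy Configuration and the five archival steps above describe one procedure; the following added example walks through it end to end. It is not the Audit Engine's own implementation: the in-memory lists stand in for the active and archive tables, the "entity_type" and "hash" fields are assumed to be stored with each entry, the policy "id" values and the dry_run option are assumptions, and the sample log and clock are constructed.

```python
import datetime as dt
from typing import Any, Dict, List

ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed clock for the run; a real run would use the current UTC time.
NOW = dt.datetime(2026, 2, 12, 14, 30, tzinfo=dt.timezone.utc)

# Constructed active audit log. "entity_type" and "hash" are assumed stored fields.
ACTIVE_LOG: List[Dict[str, Any]] = [
    {"id": "audit_1", "timestamp": "2025-03-15T08:30:00Z", "user": "admin", "action": "login",
     "entity_type": "user", "result": "success", "hash": "h1"},
    {"id": "audit_2", "timestamp": "2025-06-01T09:00:00Z", "user": "admin", "action": "host_create",
     "entity_type": "host", "result": "success", "hash": "h2"},
    {"id": "audit_3", "timestamp": "2026-02-01T12:00:00Z", "user": "ops", "action": "secret_view",
     "entity_type": "secret", "result": "success", "hash": "h3"},
    {"id": "audit_4", "timestamp": "2026-02-12T10:15:23Z", "user": "admin", "action": "login",
     "entity_type": "user", "result": "success", "hash": "h4"},
]

# Two of the policies from the Policy Configuration examples, with assumed ids.
LOGIN_CLEANUP = {"id": "pol_002", "name": "Login Cleanup", "retention_days": 90,
                 "action": "delete", "action_types": ["login", "logout"], "enabled": True}
HOST_OPS_ARCHIVE = {"id": "pol_003", "name": "Host Ops Archive", "retention_days": 180,
                    "action": "archive", "entity_types": ["host"],
                    "action_types": ["host_create", "host_modify", "host_delete"], "enabled": True}


def validate_policy(policy: Dict[str, Any]) -> None:
    """Reject a policy outside the documented ranges before it touches any data."""
    days = policy.get("retention_days")
    if not isinstance(days, int) or not 1 <= days <= 3650:
        raise ValueError("retention_days must be an integer between 1 and 3650")
    if policy.get("action") not in ("delete", "archive"):
        raise ValueError("action must be 'delete' or 'archive'")


def policy_matches(policy: Dict[str, Any], entry: Dict[str, Any]) -> bool:
    """An omitted (or empty) entity_types/action_types list means the policy applies to all."""
    entity_types = policy.get("entity_types")
    action_types = policy.get("action_types")
    if entity_types and entry["entity_type"] not in entity_types:
        return False
    if action_types and entry["action"] not in action_types:
        return False
    return True


def is_expired(policy: Dict[str, Any], entry: Dict[str, Any], now: dt.datetime) -> bool:
    """Step 1: older than retention_days relative to the run time."""
    stamp = dt.datetime.strptime(entry["timestamp"], ISO_FORMAT).replace(tzinfo=dt.timezone.utc)
    return now - stamp > dt.timedelta(days=policy["retention_days"])


def run_policy(policy: Dict[str, Any], active: List[Dict[str, Any]],
               archive: List[Dict[str, Any]], now: dt.datetime,
               dry_run: bool = False) -> Dict[str, Any]:
    """Apply one policy: archive (steps 2 to 5) or delete matching expired entries.

    `active` is modified in place; archived rows are appended to `archive`.
    With dry_run=True nothing is changed and only the count is reported."""
    validate_policy(policy)
    enabled = policy.get("enabled", True)
    expired = [e for e in active
               if enabled and policy_matches(policy, e) and is_expired(policy, e, now)]
    if not dry_run:
        if policy["action"] == "archive":
            for entry in expired:
                archived = dict(entry)                      # step 2: every original field, hash included (step 5)
                archived["archived_at"] = now.strftime(ISO_FORMAT)   # step 3: archive metadata
                archived["policy_id"] = policy["id"]
                archive.append(archived)
        expired_ids = {e["id"] for e in expired}
        active[:] = [e for e in active if e["id"] not in expired_ids]   # step 4
    return {"policy_id": policy["id"], "action": policy["action"],
            "entries_processed": len(expired), "dry_run": dry_run,
            "executed_at": now.strftime(ISO_FORMAT)}


if __name__ == "__main__":
    active, archive = [dict(e) for e in ACTIVE_LOG], []
    print(run_policy(LOGIN_CLEANUP, active, archive, NOW, dry_run=True))
    print(run_policy(LOGIN_CLEANUP, active, archive, NOW))
    print(run_policy(HOST_OPS_ARCHIVE, active, archive, NOW))
    print("active:", [e["id"] for e in active], "archived:", [e["id"] for e in archive])
```

Because the delete action is irreversible, running a new or edited policy with dry_run first and comparing the count against the statistics endpoint is the cheap check that a filter such as action_types was not left empty by mistake, which would make the policy apply to every entry.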

Querying Archived Entries

Archived entries can be queried using the same filter parameters available for the active audit log. Use date ranges, action types, users, and entity types to locate specific archived records.

# List archived entries with filters
curl -H "Authorization: Bearer $TOKEN" \
  "https://sysmanage.example.com/api/v1/audit/archive?start_date=2025-01-01&end_date=2025-06-30&action=login"

# Response
{
  "entries": [
    {
      "id": "audit_12345",
      "timestamp": "2025-03-15T08:30:00Z",
      "user": "admin",
      "action": "login",
      "resource": "/api/auth/login",
      "result": "success",
      "ip_address": "192.168.1.100",
      "archived_at": "2026-01-01T00:00:00Z",
      "policy_id": "pol_001"
    }
  ],
  "total": 1,
  "page": 1,
  "per_page": 50
}

Archive Statistics

View summary statistics about your archive including total archived entries, storage breakdown by entity type and action type, and date range coverage.

# Get archive statistics
curl -H "Authorization: Bearer $TOKEN" \
  https://sysmanage.example.com/api/v1/audit/archive/statistics

# Response
{
  "total_entries": 45230,
  "oldest_entry": "2024-06-01T00:00:00Z",
  "newest_entry": "2025-12-31T23:59:59Z",
  "by_action_type": {
    "login": 18500,
    "logout": 12300,
    "config_change": 5400,
    "host_create": 3200,
    "secret_view": 5830
  },
  "by_entity_type": {
    "user": 30800,
    "host": 8600,
    "secret": 5830
  },
  "policies_applied": 3
}

API Access for Retention & Archive

Manage retention policies and query archived audit entries programmatically via the REST API:

# Retention Policy Management
POST   /api/v1/audit/retention-policies              # Create a retention policy
GET    /api/v1/audit/retention-policies              # List all retention policies
GET    /api/v1/audit/retention-policies/{id}         # Get a specific policy
PUT    /api/v1/audit/retention-policies/{id}         # Update a policy
DELETE /api/v1/audit/retention-policies/{id}         # Delete a policy
POST   /api/v1/audit/retention-policies/{id}/run     # Manually trigger a policy

# Archive Access
GET    /api/v1/audit/archive                         # List archived entries
GET    /api/v1/audit/archive/statistics              # Archive statistics

Create a Retention Policy

# Create a new retention policy
curl -X POST https://sysmanage.example.com/api/v1/audit/retention-policies \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Annual Archive Policy",
    "retention_days": 365,
    "action": "archive",
    "entity_types": ["host", "user"],
    "action_types": ["login", "logout", "host_create", "host_delete"],
    "enabled": true
  }'

# Response
{
  "id": "pol_001",
  "name": "Annual Archive Policy",
  "retention_days": 365,
  "action": "archive",
  "entity_types": ["host", "user"],
  "action_types": ["login", "logout", "host_create", "host_delete"],
  "enabled": true,
  "created_at": "2026-02-12T10:00:00Z",
  "last_run_at": null,
  "entries_processed": 0
}

List All Retention Policies

# List all retention policies
curl -H "Authorization: Bearer $TOKEN" \
  https://sysmanage.example.com/api/v1/audit/retention-policies

# Response
{
  "policies": [
    {
      "id": "pol_001",
      "name": "Annual Archive Policy",
      "retention_days": 365,
      "action": "archive",
      "enabled": true,
      "last_run_at": "2026-02-11T00:00:00Z",
      "entries_processed": 1520
    },
    {
      "id": "pol_002",
      "name": "Login Cleanup",
      "retention_days": 90,
      "action": "delete",
      "enabled": true,
      "last_run_at": "2026-02-11T00:00:00Z",
      "entries_processed": 340
    }
  ],
  "total": 2
}

Get a Specific Policy

# Get retention policy details
curl -H "Authorization: Bearer $TOKEN" \
  https://sysmanage.example.com/api/v1/audit/retention-policies/pol_001

Update a Policy

# Update retention days and add entity type filter
curl -X PUT https://sysmanage.example.com/api/v1/audit/retention-policies/pol_001 \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "retention_days": 180,
    "entity_types": ["host", "user", "secret"]
  }'

Delete a Policy

# Delete a retention policy
curl -X DELETE https://sysmanage.example.com/api/v1/audit/retention-policies/pol_001 \
  -H "Authorization: Bearer $TOKEN"

# Response
{
  "message": "Retention policy deleted successfully"
}

Manually Trigger a Policy

# Manually trigger a retention policy
curl -X POST https://sysmanage.example.com/api/v1/audit/retention-policies/pol_001/run \
  -H "Authorization: Bearer $TOKEN"

# Response
{
  "message": "Retention policy executed successfully",
  "policy_id": "pol_001",
  "action": "archive",
  "entries_processed": 1520,
  "executed_at": "2026-02-12T14:30:00Z"
}

List Archived Entries

# List archived audit entries with optional filters
curl -H "Authorization: Bearer $TOKEN" \
  "https://sysmanage.example.com/api/v1/audit/archive?start_date=2025-01-01&end_date=2025-12-31&action=login&page=1&per_page=50"

# Query Parameters:
# ?start_date=YYYY-MM-DD    Filter by start date
# ?end_date=YYYY-MM-DD      Filter by end date
# ?action=login              Filter by action type
# ?user=username             Filter by username
# ?entity_type=host          Filter by entity type
# ?page=1                    Page number (default: 1)
# ?per_page=50               Results per page (default: 50, max: 200)

Get Archive Statistics

# Get archive statistics
curl -H "Authorization: Bearer $TOKEN" \
  https://sysmanage.example.com/api/v1/audit/archive/statistics

SIEM Integration

Configure real-time streaming to enterprise SIEM platforms:

ArcSight Integration

{
  "enabled": true,
  "format": "cef",
  "destination": "syslog://arcsight.example.com:514",
  "protocol": "tcp",
  "facility": "local0",
  "severity": "info"
}

QRadar Integration

{
  "enabled": true,
  "format": "leef",
  "destination": "syslog://qradar.example.com:514",
  "protocol": "udp",
  "facility": "local1",
  "severity": "info"
}

Splunk Integration

{
  "enabled": true,
  "format": "json",
  "destination": "https://splunk.example.com:8088/services/collector",
  "method": "POST",
  "headers": {
    "Authorization": "Splunk YOUR_HEC_TOKEN"
  }
}

Requirements

  • Professional or Enterprise license with audit_engine module
  • Database storage for audit entries with adequate disk space
  • Network connectivity for license validation and SIEM integration
  • File system permissions for archive/export directories