
Audit Logging

All authenticated operations that are performed through the REST API are logged in an audit trail log called system:audit-trail-log, while all unauthenticated operations are logged to system:unauthenticated-audit-trail-log.

Event Types

Audit events are differentiated by a kind attribute:

  • API events (kind: api) - REST API operations
  • Certificate events (kind: certificate) - Certificate issuances

API Event Fields

API events contain the following fields (some optional):

  • kind - Always "api" for API operations
  • When it occurred
  • The name of the tenant
  • The user that performed the operation
  • The token that was used to authenticate
  • The site where the operation was performed
  • The host where the operation was performed
  • The client IP address
  • The agent that performed the operation
  • The HTTP method, e.g. GET, POST, DELETE
  • The path on which the operation was performed
  • The HTTP status, i.e. whether it was successful or not
  • The HTTP request parameters

Certificate Event Fields

Certificate events contain the following fields:

  • kind - Always "certificate" for certificate issuance
  • When the certificate was issued
  • The user or Approle that caused the certificate to be issued
  • The site where the certificate was issued
  • The issuing CA
  • The CA version
  • Certificate properties (type, host, SANs, serial, expiration)
  • The issued certificate in PEM format

Example: API Event

An API event may look like this:

{
  "kind": "api",
  "occurred-at": "2021-08-24T07:10:03.330Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:2t+/fHZrxaIuH6HAfjPKxPOyoRurN8VzFqLlV1uTmaU=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "topdc",
  "host": "topdc-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "POST",
  "path": "/v1/config/strongbox/vaults/foo/secrets",
  "status": 201,
  "status-info": "Created",
  "request-parameters": {
    "name": "sbox:hashed:v1:IEKFE1i8iL29EAXoaoSYSSIM0YfViihd50YuxepBknE=",
    "data": {
      "baz": "sbox:hashed:v1:mtJLNZmPchVdTnMaqor2yFcFl92BWLR+eJjfLfd5SO4=",
      "bax": "sbox:hashed:v1:lptj6FlLKGBYDguEqynzpXDx8x3wiPb9R+C81lVLkvc="
    },
    "allow-application-access": [
      "sbox:hashed:v1:x72q/KYBPj0JbGLveUqnv/MPmZelIjmCW7gB4gopvhM="
    ]
  }
}

Example: Certificate Event

A certificate event may look like this:

{
  "kind": "certificate",
  "occurred-at": "2025-12-05T12:14:17.456Z",
  "user": "root",
  "site": "topdc",
  "issuing-ca": "udc2-api-inter",
  "ca-version": 1,
  "properties": {
    "certificate-type": "server",
    "host": "udc2-001.udc2.site.test",
    "alt-name": [
      "DNSName:api",
      "DNSName:api.internal",
      "DNSName:api.udc2.site.test",
      "DNSName:udc2-001",
      "DNSName:udc2-001.udc2.site.test",
      "IPAddress:192.168.100.106"
    ],
    "serial": "be:94:21:3f:e0:6f:ce:02:b1:f6:e5:67:35:b0:78:bf:75:07",
    "expires": "2026-04-19T12:14:17.000000Z"
  },
  "certificate": "-----BEGIN CERTIFICATE-----\n..."
}

Note that sensitive values are hashed using an HMAC. These values are identified by an sbox:hashed: prefix. The audit log is a regular Volga topic that is available at the Control Tower.

Inspect audit logs

To view the audit trail log, use the Volga streaming API.

supctl do volga topics system:audit-trail-log consume --data-only

This may return something like this:

{
  "kind": "api",
  "occurred-at": "2021-08-24T08:31:00.491Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:8QfurDZazoukKdsFAbd1r9DKrY0IpfzAjWM8vwjfsT8=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "udc2",
  "host": "udc2-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "POST",
  "path": "/v1/login",
  "status": 200,
  "status-info": "OK",
  "request-parameters": {
    "username": "joe@popcorn-systems.com",
    "password": "sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM="
  }
}

{
  "kind": "api",
  "occurred-at": "2021-08-24T08:31:00.562Z",
  "tenant": "popcorn-systems",
  "user": "joe@popcorn-systems.com",
  "token": "sbox:hashed:v1:8QfurDZazoukKdsFAbd1r9DKrY0IpfzAjWM8vwjfsT8=",
  "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
  "site": "udc2",
  "host": "udc2-001",
  "client-ip": "192.168.100.1",
  "user-agent": "Python-urllib/3.9",
  "method": "GET",
  "path": "/v1/state/strongbox/vaults/new2/secrets/my-new-new-secret",
  "status": 200,
  "status-info": "OK"
}

Blocking a bad actor

The accessor entry can be used to immediately block access for a bad actor.

supctl do strongbox token revoke accessor "02d1aab2-916e-4b4b-87b4-0714374ee21b"

Search for secrets in audit logs

To search for a known sensitive value, first calculate the HMAC using the strongbox audit hmac endpoint.

supctl do strongbox audit hmac --no-base64-encoded verysecret
hmac: sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM=

Then you can search for this string in the audit trail log.
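
One way to run that search over every field of every event, including nested request parameters, is sketched below. This is an added example, not part of the product or its documentation; it assumes the consumed output is a stream of JSON objects as shown above, and the function names (iter_events, find_fields, search) are hypothetical.

```python
import json

# Hash returned by `supctl do strongbox audit hmac` in the text above.
NEEDLE = "sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM="

# Constructed sample: trimmed copies of the two events shown on this page.
SAMPLE = """
{"kind": "api", "occurred-at": "2021-08-24T08:31:00.491Z",
 "user": "joe@popcorn-systems.com",
 "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
 "client-ip": "192.168.100.1", "method": "POST", "path": "/v1/login",
 "request-parameters": {
   "username": "joe@popcorn-systems.com",
   "password": "sbox:hashed:v1:Lt/c2/SnUqJOMbJsapNJbipsIjS9V/b1IedyrjBeepM="}}

{"kind": "api", "occurred-at": "2021-08-24T08:31:00.562Z",
 "user": "joe@popcorn-systems.com",
 "accessor": "02d1aab2-916e-4b4b-87b4-0714374ee21b",
 "client-ip": "192.168.100.1", "method": "GET",
 "path": "/v1/state/strongbox/vaults/new2/secrets/my-new-new-secret"}
"""

def iter_events(text):
    """Yield each JSON object from a stream of concatenated objects."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        event, pos = decoder.raw_decode(text, pos)
        yield event

def find_fields(node, needle, path=""):
    """Yield the dotted path of every string value equal to needle."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_fields(value, needle, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_fields(value, needle, f"{path}[{index}]")
    elif isinstance(node, str) and node == needle:
        yield path

def search(text, needle):
    """Return one record per field that carries the hashed value."""
    keep = ("occurred-at", "user", "accessor", "client-ip", "method", "path")
    return [{**{k: event.get(k) for k in keep}, "field": field}
            for event in iter_events(text)
            for field in find_fields(event, needle)]

if __name__ == "__main__":
    for hit in search(SAMPLE, NEEDLE):
        print(json.dumps(hit))
```

Each hit carries the accessor of the session that submitted the value, which is the identifier the token revoke command above takes.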