Audit Logging and Compliance

<h3 id="overview" class="position-relative d-flex align-items-center group"> Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="overview" aria-haspopup="dialog" aria-label="Share link: Overview"> Share link </button> </h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode provides a comprehensive, security-first audit logging and tracing subsystem designed for enterprise compliance and operational security. The system instruments authentication actions and database operations, emitting structured logs with tamper-evident guarantees through cryptographic hash chains and digital signatures. <h4 id="key-features" class="position-relative d-flex align-items-center group"> Key Features <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-features" aria-haspopup="dialog" aria-label="Share link: Key Features"> Share link </button> </h4>Security-First Design: <ul> <li>Default-deny filtration with built-in sensitive data redaction</li> <li>Tamper-evident logging with hash chains and Ed25519 signatures</li> <li>Fail-closed security: drops events if redaction cannot guarantee safety</li> <li>No SQL exposure: database adapter never logs query text or parameters</li> </ul> Enterprise Integration: <ul> <li>RFC 5424 Syslog with UDP/TCP transport</li> <li>CEF:0 (Common Event Format) payloads for SIEM compatibility</li> <li>Structured JSON-Lines format with deterministic field ordering</li> <li>File rotation with configurable retention and backup policies</li> </ul> Operational Excellence: <ul> <li>Non-blocking operations with bounded queues</li> <li>W3C distributed tracing support (trace_id and span_id propagation)</li> <li>Automatic field detection and PII/PCI redaction</li> <li><500μs append latency (excluding fsync)</li> </ul> <h3 id="architecture" class="position-relative d-flex align-items-center group"> Architecture <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="architecture" aria-haspopup="dialog" aria-label="Share link: Architecture"> Share link </button> </h3> <h4 id="components" class="position-relative d-flex align-items-center group"> Components <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="components" aria-haspopup="dialog" aria-label="Share link: Components"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">AuditLogger ├── EventBuffer - Bounded queue for non-blocking writes ├── FileRotator - Size/time-based rotation with backups ├── HashChain - SHA-256/BLAKE3 chain with prev_hash linking ├── SignatureManager - Ed25519 signing for Merkle digest records ├── RedactionEngine - Multi-layer sensitive data protection └── SyslogTransport - RFC 5424 UDP/TCP syslog integration </code></pre></div> <h4 id="data-flow" class="position-relative d-flex align-items-center group"> Data Flow <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="data-flow" aria-haspopup="dialog" aria-label="Share link: Data Flow"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext">1. Application Event → AuditLogger.audit() 2. Redaction Engine → Strip PII/PCI, apply default-deny filters 3. Event Buffer → Non-blocking enqueue (drop on overflow) 4. Hash Chain → Compute event_hash, link with prev_hash 5. File Append → Write canonical JSON line (0600 permissions) 6. Signature Manager → Every 100 events, compute Merkle digest + sign 7. Syslog Transport → Send to remote syslog server (parallel) 8. File Rotation → Rotate on size threshold, preserve chain continuity </code></pre></div> <h3 id="hash-chain--verification" class="position-relative d-flex align-items-center group"> Hash Chain &amp; Verification <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hash-chain--verification" aria-haspopup="dialog" aria-label="Share link: Hash Chain &amp; Verification"> Share link </button> </h3> <h4 id="tamper-evident-design" class="position-relative d-flex align-items-center group"> Tamper-Evident Design <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="tamper-evident-design" aria-haspopup="dialog" aria-label="Share link: Tamper-Evident Design"> Share link </button> </h4>Geode’s audit stream is a canonical JSON Lines (JSONL) append-only log where each record carries: <ul> <li>seq_no: Monotonically increasing sequence number</li> <li>event_hash: SHA-256 hash of current event (excluding prev_hash)</li> <li>prev_hash: Hash of previous event’s event_hash</li> <li>signature: Ed25519 signature on Merkle digest (every 100 events)</li> </ul> This creates a cryptographic chain: modifying any past event breaks the chain and invalidates all subsequent signatures. <h4 id="record-structure" class="position-relative d-flex align-items-center group"> Record Structure <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="record-structure" aria-haspopup="dialog" aria-label="Share link: Record Structure"> Share link </button> </h4>Canonical Key Order: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">[ "stream", "seq_no", "timestamp", "event_type", "actor", "origin", "resource", "action", "result", "details", "prev_hash", "event_hash", "signature" ] </code></pre></div>Example Event: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "stream": "geode-audit", "seq_no": 42, "timestamp": "2026-01-24T10:30:15.123Z", "event_type": "auth.login", "actor": "[email protected]", "origin": "192.168.1.100", "resource": "database:geode", "action": "authenticate", "result": "success", "details": {"role": "admin", "session_id": "ses-abc123"}, "prev_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "event_hash": "a3c7f1d2e5b4a8c9f0d1e2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3", "signature": null } </code></pre></div>Digest Record (every 100 events): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "stream": "geode-audit", "seq_no": 100, "timestamp": "2026-01-24T10:35:00.000Z", "event_type": "system.digest", "merkle_root": "b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5", "signature": "d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9..." } </code></pre></div> <h4 id="hash-algorithm" class="position-relative d-flex align-items-center group"> Hash Algorithm <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hash-algorithm" aria-haspopup="dialog" aria-label="Share link: Hash Algorithm"> Share link </button> </h4>Default: SHA-256 (widely supported, FIPS 140-2 compliant) Alternative: BLAKE3 (faster, modern cryptographic standard) Chain Logic: <ol> <li>First event: <code>prev_hash = 0x00000000...</code> (32 zero bytes)</li> <li>Subsequent events: <code>prev_hash = hash(previous_event.event_hash)</code></li> <li>Digest events: Compute Merkle root over last N event_hashes</li> <li>Sign Merkle root with Ed25519 private key</li> </ol> <h4 id="signing-configuration" class="position-relative d-flex align-items-center group"> Signing Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="signing-configuration" aria-haspopup="dialog" aria-label="Share link: Signing Configuration"> Share link </button> </h4>Production Requirements: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate Ed25519 key pair openssl genpkey -algorithm ED25519 -out audit_private.pem openssl pkey -in audit_private.pem -pubout -out audit_public.pem # Convert to hex format for environment variables GEODE_AUDIT_PUB=$(openssl pkey -in audit_public.pem -pubin -text | grep -A4 pub | tail -n +2 | tr -d ':' | tr -d '\n') GEODE_AUDIT_SEC=$(openssl pkey -in audit_private.pem -text | grep -A4 priv | tail -n +2 | tr -d ':' | tr -d '\n') export GEODE_AUDIT_PUB export GEODE_AUDIT_SEC </code></pre></div>Startup Validation: <ul> <li>If keys missing in non-test builds: Exit with <code>CONFIG_ERROR SIGNING_KEYS_MISSING</code> (exit code 78)</li> <li>Test builds: Derive deterministic key from fixed seed (for reproducible tests)</li> </ul> Key Rotation: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "system.key_rotation", "details": { "old_key_fingerprint": "sha256:abc123...", "new_key_fingerprint": "sha256:def456...", "rotation_timestamp": "2026-01-24T12:00:00.000Z" } } </code></pre></div> <h3 id="configuration" class="position-relative d-flex align-items-center group"> Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration" aria-haspopup="dialog" aria-label="Share link: Configuration"> Share link </button> </h3> <h4 id="json-configuration-schema" class="position-relative d-flex align-items-center group"> JSON Configuration Schema <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="json-configuration-schema" aria-haspopup="dialog" aria-label="Share link: JSON Configuration Schema"> Share link </button> </h4>Location: <code>config/logging.json</code> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "version": 1, "service": { "name": "geode-server", "host": "prod-db-01", "pid": 1234 }, "identity": { "cef": { "vendor": "DEVNW", "product": "GEODE", "version": "0.2.18" } }, "sinks": { "file": { "enabled": true, "path": "/var/log/geode/audit.jsonl", "max_bytes": 104857600, "backup_count": 10 }, "syslog": { "enabled": true, "protocol": "udp", "host": "syslog.example.com", "port": 514, "rfc5424": { "facility": "local4" } } }, "filters": { "default_deny": true, "allow_fields": [ "actor_id", "subject_id", "request_id", "session_id", "source_ip", "trace_id", "span_id", "category", "action", "outcome", "severity", "db.operation", "db.table", "db.rowCount", "duration_ms" ], "deny_key_patterns": ["password", "secret", "token", "key"], "pii_mode": "mask", "pci_mode": true }, "hash_chain": { "algorithm": "sha256", "digest_interval": 100 }, "signing": { "enabled": true, "algorithm": "ed25519" } } </code></pre></div> <h4 id="configuration-options" class="position-relative d-flex align-items-center group"> Configuration Options <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-options" aria-haspopup="dialog" aria-label="Share link: Configuration Options"> Share link </button> </h4>Service Identity: <ul> <li><code>name</code>: Service name for audit trail correlation</li> <li><code>host</code>: Hostname for distributed deployment identification</li> <li><code>pid</code>: Process ID (auto-populated at runtime)</li> </ul> File Sink: <ul> <li><code>path</code>: Audit log file path (created with 0600 permissions)</li> <li><code>max_bytes</code>: Rotation threshold (default: 100 MB)</li> <li><code>backup_count</code>: Number of rotated files to keep (default: 10)</li> </ul> Syslog Sink: <ul> <li><code>protocol</code>: “udp” or “tcp”</li> <li><code>host</code>: Syslog server hostname</li> <li><code>port</code>: Syslog server port (514 for UDP, 6514 for TLS)</li> <li><code>facility</code>: RFC 5424 facility (default: “local4”)</li> </ul> Filters: <ul> <li><code>default_deny</code>: If true, only <code>allow_fields</code> are logged</li> <li><code>allow_fields</code>: Explicit allowlist of field names</li> <li><code>deny_key_patterns</code>: Regex patterns for sensitive keys</li> <li><code>pii_mode</code>: “mask”, “redact”, or “allow”</li> <li><code>pci_mode</code>: Enable PCI-DSS compliant credit card redaction</li> </ul> Hash Chain: <ul> <li><code>algorithm</code>: “sha256” or “blake3”</li> <li><code>digest_interval</code>: Events between Merkle digest records</li> </ul> Signing: <ul> <li><code>enabled</code>: Generate Ed25519 signatures (default: true)</li> <li><code>algorithm</code>: “ed25519” (currently only supported algorithm)</li> </ul> <h3 id="event-types" class="position-relative d-flex align-items-center group"> Event Types <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="event-types" aria-haspopup="dialog" aria-label="Share link: Event Types"> Share link </button> </h3> <h4 id="authentication-events" class="position-relative d-flex align-items-center group"> Authentication Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication-events" aria-haspopup="dialog" aria-label="Share link: Authentication Events"> Share link </button> </h4>Successful Login: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "auth.login", "actor": "[email protected]", "action": "authenticate", "result": "success", "details": { "role": "admin", "session_id": "ses-abc123", "auth_method": "password" } } </code></pre></div>Failed Login: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "auth.login", "actor": "[email protected]", "action": "authenticate", "result": "failure", "details": { "reason": "invalid_credentials", "attempts": 3 } } </code></pre></div>Logout: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "auth.logout", "actor": "[email protected]", "action": "terminate_session", "result": "success", "details": { "session_id": "ses-abc123", "session_duration_ms": 3600000 } } </code></pre></div> <h4 id="database-operations" class="position-relative d-flex align-items-center group"> Database Operations <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="database-operations" aria-haspopup="dialog" aria-label="Share link: Database Operations"> Share link </button> </h4>Query Execution: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "db.query", "actor": "[email protected]", "resource": "graph:main", "action": "execute", "result": "success", "details": { "db.operation": "MATCH", "db.rowCount": 42, "duration_ms": 15, "trace_id": "trace-xyz789" } } </code></pre></div>Schema Modification: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "db.schema_change", "actor": "[email protected]", "resource": "index:user_email", "action": "create", "result": "success", "details": { "index_type": "btree", "columns": ["email"] } } </code></pre></div>Access Denied: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "db.access_denied", "actor": "[email protected]", "resource": "node:Person", "action": "create", "result": "failure", "details": { "reason": "insufficient_permissions", "required_role": "ReadWrite", "actual_role": "ReadOnly" } } </code></pre></div> <h4 id="system-events" class="position-relative d-flex align-items-center group"> System Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="system-events" aria-haspopup="dialog" aria-label="Share link: System Events"> Share link </button> </h4>Server Startup: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "system.startup", "actor": "system", "action": "initialize", "result": "success", "details": { "version": "0.2.18", "config_file": "/etc/geode/config.yaml" } } </code></pre></div>File Rotation: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "system.rotation", "actor": "system", "action": "rotate_audit_log", "result": "success", "details": { "old_file": "/var/log/geode/audit.jsonl", "new_file": "/var/log/geode/audit.jsonl.1", "size_bytes": 104857600 } } </code></pre></div> <h3 id="sensitive-data-redaction" class="position-relative d-flex align-items-center group"> Sensitive Data Redaction <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="sensitive-data-redaction" aria-haspopup="dialog" aria-label="Share link: Sensitive Data Redaction"> Share link </button> </h3> <h4 id="multi-layer-protection" class="position-relative d-flex align-items-center group"> Multi-Layer Protection <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-layer-protection" aria-haspopup="dialog" aria-label="Share link: Multi-Layer Protection"> Share link </button> </h4>Geode employs five layers of protection against sensitive data leakage: <ol> <li> Key Pattern Detection <ul> <li>Automatic detection of sensitive key names</li> <li>Patterns: <code>password</code>, <code>secret</code>, <code>token</code>, <code>key</code>, <code>credential</code>, <code>ssn</code>, <code>card</code></li> </ul> </li> <li> Value Analysis <ul> <li>Credit card number detection (Luhn algorithm)</li> <li>Social Security Number patterns</li> <li>Email address masking</li> <li>IP address anonymization</li> </ul> </li> <li> Default-Deny Filtering <ul> <li>Only <code>allow_fields</code> are logged</li> <li>Unknown fields automatically dropped</li> <li>Explicit opt-in required for new fields</li> </ul> </li> <li> Fail-Closed Behavior <ul> <li>If redaction cannot guarantee safety, drop entire event</li> <li>Log warning: <code>AUDIT_REDACTION_FAILED</code></li> <li>Never log potentially sensitive data</li> </ul> </li> <li> Database Adapter Restriction <ul> <li>SQL text and parameters never accepted</li> <li>Only metadata logged: operation type, row count, duration</li> <li>Prevents accidental query parameter exposure</li> </ul> </li> </ol> <h4 id="redaction-examples" class="position-relative d-flex align-items-center group"> Redaction Examples <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="redaction-examples" aria-haspopup="dialog" aria-label="Share link: Redaction Examples"> Share link </button> </h4>Original Event: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "user": "[email protected]", "password": "SecurePassword123!", "credit_card": "4111-1111-1111-1111", "ssn": "123-45-6789" } </code></pre></div>Redacted Event: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "user": "[email protected]", "password": "***REDACTED***", "credit_card": "***REDACTED***", "ssn": "***REDACTED***" } </code></pre></div>PII Mode: Mask: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "email": "a***@e*****.com", "ip_address": "192.168.xxx.xxx" } </code></pre></div>PII Mode: Redact: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "email": "***REDACTED***", "ip_address": "***REDACTED***" } </code></pre></div> <h3 id="file-management" class="position-relative d-flex align-items-center group"> File Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="file-management" aria-haspopup="dialog" aria-label="Share link: File Management"> Share link </button> </h3> <h4 id="rotation-strategy" class="position-relative d-flex align-items-center group"> Rotation Strategy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="rotation-strategy" aria-haspopup="dialog" aria-label="Share link: Rotation Strategy"> Share link </button> </h4>Size-Based Rotation: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext">/var/log/geode/audit.jsonl (current, <100 MB) /var/log/geode/audit.jsonl.1 (100 MB, yesterday) /var/log/geode/audit.jsonl.2 (100 MB, 2 days ago) ... /var/log/geode/audit.jsonl.10 (100 MB, 10 days ago) </code></pre></div>Rotation Process: <ol> <li>Current file reaches <code>max_bytes</code> threshold</li> <li>Close current file</li> <li>Rename: <code>audit.jsonl</code> → <code>audit.jsonl.1</code></li> <li>Rotate existing: <code>.1</code> → <code>.2</code>, <code>.2</code> → <code>.3</code>, etc.</li> <li>Delete oldest: <code>audit.jsonl.{backup_count}</code> removed</li> <li>Create new: <code>audit.jsonl</code> with 0600 permissions</li> <li>Continue <code>seq_no</code> and <code>prev_hash</code> chain from previous file</li> <li>Emit <code>system.rotation</code> event</li> </ol> Chain Continuity: <ul> <li>First record in new file uses <code>prev_hash</code> from tail of previous file</li> <li>Maintains tamper-evident chain across file boundaries</li> <li>Verification tool must process files in chronological order</li> </ul> <h4 id="permissions--security" class="position-relative d-flex align-items-center group"> Permissions &amp; Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="permissions--security" aria-haspopup="dialog" aria-label="Share link: Permissions &amp; Security"> Share link </button> </h4>File Permissions: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Audit log files -rw------- 1 geode geode 104857600 Jan 24 10:30 audit.jsonl # Directory permissions drwx------ 2 geode geode 4096 Jan 24 10:30 /var/log/geode/ </code></pre></div>SELinux Context (if enabled): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">chcon -t geode_log_t /var/log/geode/audit.jsonl </code></pre></div>AppArmor Profile: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext">/var/log/geode/audit.jsonl rw, /var/log/geode/audit.jsonl.* r, </code></pre></div> <h3 id="verification" class="position-relative d-flex align-items-center group"> Verification <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="verification" aria-haspopup="dialog" aria-label="Share link: Verification"> Share link </button> </h3> <h4 id="audit-log-verification" class="position-relative d-flex align-items-center group"> Audit Log Verification <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-verification" aria-haspopup="dialog" aria-label="Share link: Audit Log Verification"> Share link </button> </h4>Verify tamper-evident chain and signatures: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Verify single file geode audit verify \ --file /var/log/geode/audit.jsonl \ --algo sha256 \ --pubkey $GEODE_AUDIT_PUB # Verify rotated files (chronological order) for file in $(ls -tr /var/log/geode/audit.jsonl*); do geode audit verify \ --file $file \ --algo sha256 \ --pubkey $GEODE_AUDIT_PUB done </code></pre></div>Verification Outputs: ✅ Valid Chain: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">OK chain records=1000 digests=10 algo=sha256 </code></pre></div>❌ Tampered Chain: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">TAMPER chain at_seq=523 reason=PREV_HASH_MISMATCH expected=a3c7f1d2e5b4a8c9f0d1e2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 got=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5 </code></pre></div>❌ Invalid Signature: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">TAMPER digest at_seq=600 reason=DIGEST_MISMATCH expected=d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 got=e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 </code></pre></div>⚠️ Schema Error: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">SCHEMA_ERROR at_seq=789 field=timestamp detail="missing required field" WARN ignored trailing partial record </code></pre></div> <h4 id="forensic-analysis" class="position-relative d-flex align-items-center group"> Forensic Analysis <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="forensic-analysis" aria-haspopup="dialog" aria-label="Share link: Forensic Analysis"> Share link </button> </h4>Extract events by actor: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">jq 'select(.actor == "[email protected]")' /var/log/geode/audit.jsonl </code></pre></div>Count events by type: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">jq -r '.event_type' /var/log/geode/audit.jsonl | sort | uniq -c | sort -rn </code></pre></div>Find failed authentications: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">jq 'select(.event_type == "auth.login" and .result == "failure")' \ /var/log/geode/audit.jsonl </code></pre></div>Verify chain segment: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Extract seq 100-200 and verify hash chain jq 'select(.seq_no >= 100 and .seq_no <= 200)' audit.jsonl > segment.jsonl geode audit verify --file segment.jsonl --algo sha256 </code></pre></div> <h3 id="integration" class="position-relative d-flex align-items-center group"> Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="integration" aria-haspopup="dialog" aria-label="Share link: Integration"> Share link </button> </h3> <h4 id="syslog-integration-rfc-5424" class="position-relative d-flex align-items-center group"> Syslog Integration (RFC 5424) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="syslog-integration-rfc-5424" aria-haspopup="dialog" aria-label="Share link: Syslog Integration (RFC 5424)"> Share link </button> </h4>CEF Format (Common Event Format): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><134>1 2026-01-24T10:30:15.123Z prod-db-01 geode 1234 auth.login - CEF:0|DEVNW|GEODE|0.2.18|auth.login|User Login|5| act=authenticate [email protected] outcome=success rt=Jan 24 2026 10:30:15 src=192.168.1.100 </code></pre></div>Field Mapping: <ul> <li><code><134></code>: Priority (local4.info)</li> <li><code>1</code>: RFC 5424 version</li> <li><code>prod-db-01</code>: Hostname</li> <li><code>geode</code>: Application name</li> <li><code>1234</code>: Process ID</li> <li><code>auth.login</code>: Message ID</li> <li>CEF fields: actor, action, outcome, timestamp, source IP</li> </ul> Testing Syslog: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Test UDP syslog nc -u -l 514 # In another terminal echo "RETURN 1" | geode query --user alice --password test - # Check nc output for CEF messages </code></pre></div> <h4 id="siem-integration" class="position-relative d-flex align-items-center group"> SIEM Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="siem-integration" aria-haspopup="dialog" aria-label="Share link: SIEM Integration"> Share link </button> </h4>Splunk: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">sourcetype = geode:audit | stats count by event_type, result | where result="failure" </code></pre></div>Elasticsearch: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">GET /geode-audit-*/_search { "query": { "bool": { "must": [ {"term": {"event_type": "auth.login"}}, {"term": {"result": "failure"}} ] } } } </code></pre></div>Grafana Loki: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">{job="geode-audit"} |= "auth.login" |= "failure" | json </code></pre></div> <h3 id="compliance" class="position-relative d-flex align-items-center group"> Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance" aria-haspopup="dialog" aria-label="Share link: Compliance"> Share link </button> </h3> <h4 id="sox-sarbanes-oxley" class="position-relative d-flex align-items-center group"> SOX (Sarbanes-Oxley) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="sox-sarbanes-oxley" aria-haspopup="dialog" aria-label="Share link: SOX (Sarbanes-Oxley)"> Share link </button> </h4>Requirements: <ul> <li>✅ Tamper-evident audit trail (hash chain + signatures)</li> <li>✅ Immutable log storage (append-only, 0600 permissions)</li> <li>✅ Access tracking (all database operations logged)</li> <li>✅ Retention policy (configurable backup_count)</li> <li>✅ Periodic review (verification tools provided)</li> </ul> Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "sinks": { "file": { "backup_count": 90, "max_bytes": 104857600 } } } </code></pre></div> <h4 id="pci-dss-payment-card-industry" class="position-relative d-flex align-items-center group"> PCI-DSS (Payment Card Industry) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="pci-dss-payment-card-industry" aria-haspopup="dialog" aria-label="Share link: PCI-DSS (Payment Card Industry)"> Share link </button> </h4>Requirements: <ul> <li>✅ Log all access to cardholder data (db.query events)</li> <li>✅ Secure log storage (encryption at rest with TDE)</li> <li>✅ Daily log review (automated verification)</li> <li>✅ Retain logs for 1 year (90+ rotated files)</li> <li>✅ Credit card redaction (Luhn algorithm detection)</li> </ul> Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "filters": { "pci_mode": true, "deny_key_patterns": ["card", "cvv", "pan"] } } </code></pre></div> <h4 id="hipaa-health-insurance-portability" class="position-relative d-flex align-items-center group"> HIPAA (Health Insurance Portability) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hipaa-health-insurance-portability" aria-haspopup="dialog" aria-label="Share link: HIPAA (Health Insurance Portability)"> Share link </button> </h4>Requirements: <ul> <li>✅ Audit controls (comprehensive event logging)</li> <li>✅ Access tracking (actor, resource, action)</li> <li>✅ Integrity controls (hash chain, signatures)</li> <li>✅ PHI redaction (PII mode enabled)</li> <li>✅ 6-year retention (adjust backup_count accordingly)</li> </ul> Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "filters": { "pii_mode": "redact", "deny_key_patterns": ["ssn", "dob", "mrn", "diagnosis"] }, "sinks": { "file": { "backup_count": 2190 } } } </code></pre></div> <h4 id="gdpr-general-data-protection-regulation" class="position-relative d-flex align-items-center group"> GDPR (General Data Protection Regulation) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="gdpr-general-data-protection-regulation" aria-haspopup="dialog" aria-label="Share link: GDPR (General Data Protection Regulation)"> Share link </button> </h4>Requirements: <ul> <li>✅ Data minimization (default-deny filtering)</li> <li>✅ Right to erasure (redaction tools)</li> <li>✅ Breach notification (alerting on access_denied)</li> <li>✅ Pseudonymization (PII masking)</li> <li>✅ Audit trail (all processing logged)</li> </ul> Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "filters": { "default_deny": true, "pii_mode": "mask", "allow_fields": ["trace_id", "action", "outcome"] } } </code></pre></div> <h3 id="performance" class="position-relative d-flex align-items-center group"> Performance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance" aria-haspopup="dialog" aria-label="Share link: Performance"> Share link </button> </h3> <h4 id="benchmarks" class="position-relative d-flex align-items-center group"> Benchmarks <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="benchmarks" aria-haspopup="dialog" aria-label="Share link: Benchmarks"> Share link </button> </h4>Append Latency: <ul> <li>Non-blocking: <500μs (queue insertion)</li> <li>With fsync: <5ms (durable write)</li> <li>Hash computation: <100μs (SHA-256)</li> <li>Signature generation: <1ms (Ed25519, every 100 events)</li> </ul> Throughput: <ul> <li>Single-threaded: 10,000 events/sec</li> <li>Multi-threaded: 50,000 events/sec</li> <li>With syslog: 8,000 events/sec (network overhead)</li> </ul> Memory Usage: <ul> <li>Base: 10 MB (buffer queues)</li> <li>Per event: 1 KB (average)</li> <li>Max RSS: 512 MB (limits enforced)</li> </ul> <h4 id="optimization" class="position-relative d-flex align-items-center group"> Optimization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="optimization" aria-haspopup="dialog" aria-label="Share link: Optimization"> Share link </button> </h4>Tuning for High Volumes: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "buffer_size": 10000, "batch_flush_interval_ms": 100, "sinks": { "file": { "buffer_size_bytes": 1048576 } } } </code></pre></div>Async Syslog (non-blocking network I/O): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "sinks": { "syslog": { "async": true, "queue_size": 10000, "timeout_ms": 5000 } } } </code></pre></div> <h3 id="troubleshooting" class="position-relative d-flex align-items-center group"> Troubleshooting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting" aria-haspopup="dialog" aria-label="Share link: Troubleshooting"> Share link </button> </h3> <h4 id="common-issues" class="position-relative d-flex align-items-center group"> Common Issues <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="common-issues" aria-haspopup="dialog" aria-label="Share link: Common Issues"> Share link </button> </h4>Issue: Audit log not created Solution: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check directory permissions ls -ld /var/log/geode/ # Should be drwx------ geode geode # Create directory if missing sudo mkdir -p /var/log/geode sudo chown geode:geode /var/log/geode sudo chmod 700 /var/log/geode # Verify configuration cat config/logging.json | jq '.sinks.file' </code></pre></div><hr> Issue: Verification fails with SCHEMA_ERROR Solution: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check for truncated JSON lines tail -n 1 audit.jsonl # Remove partial line if present head -n -1 audit.jsonl > audit_fixed.jsonl mv audit_fixed.jsonl audit.jsonl # Re-run verification geode audit verify --file audit.jsonl </code></pre></div><hr> Issue: Syslog messages not reaching server Solution: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Test network connectivity nc -zv syslog.example.com 514 # Check firewall rules sudo iptables -L | grep 514 # Enable debug logging GEODE_LOG_LEVEL=debug geode serve # Verify CEF format tcpdump -i any port 514 -A </code></pre></div><hr> Issue: High memory usage Solution: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Monitor memory top -p $(pgrep geode) # Reduce buffer size jq '.buffer_size = 1000' config/logging.json > config/logging_new.json # Enable aggressive rotation jq '.sinks.file.max_bytes = 10485760' config/logging.json > config/logging_new.json # Restart with new config sudo systemctl restart geode </code></pre></div> <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3> <h4 id="deployment-checklist" class="position-relative d-flex align-items-center group"> Deployment Checklist <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="deployment-checklist" aria-haspopup="dialog" aria-label="Share link: Deployment Checklist"> Share link </button> </h4>Production deployment recommendations: <ul> <li><input disabled="" type="checkbox"> Generate unique Ed25519 key pair (not test keys!)</li> <li><input disabled="" type="checkbox"> Store private key in secure vault (HashiCorp Vault, AWS Secrets Manager)</li> <li><input disabled="" type="checkbox"> Set <code>GEODE_AUDIT_PUB</code> and <code>GEODE_AUDIT_SEC</code> environment variables</li> <li><input disabled="" type="checkbox"> Configure log rotation (90-2190 files for compliance)</li> <li><input disabled="" type="checkbox"> Set up remote syslog server (redundant, geographically distributed)</li> <li><input disabled="" type="checkbox"> Enable TDE for audit log encryption at rest</li> <li><input disabled="" type="checkbox"> Configure automated verification (daily cron job)</li> <li><input disabled="" type="checkbox"> Set up alerting for verification failures</li> <li><input disabled="" type="checkbox"> Document key rotation procedures</li> <li><input disabled="" type="checkbox"> Test disaster recovery (restore from backups)</li> </ul> <h4 id="security-hardening" class="position-relative d-flex align-items-center group"> Security Hardening <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-hardening" aria-haspopup="dialog" aria-label="Share link: Security Hardening"> Share link </button> </h4>Restrict Access: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Only geode user can read audit logs chmod 600 /var/log/geode/audit.jsonl* # Only root can rotate chmod 700 /usr/local/bin/rotate_audit_logs.sh # SELinux mandatory access control semanage fcontext -a -t geode_log_t '/var/log/geode(/.*)?' restorecon -Rv /var/log/geode </code></pre></div>Network Security: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Use TLS for syslog (port 6514) { "sinks": { "syslog": { "protocol": "tls", "port": 6514, "tls": { "ca_cert": "/etc/geode/syslog-ca.pem", "verify": true } } } } </code></pre></div>Monitoring: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Alert on verification failures 0 2 * * * /usr/local/bin/verify_audit_logs.sh || mail -s "Audit verification failed" [email protected] # Monitor for tampering attempts journalctl -u geode -f | grep TAMPER | mail -s "ALERT: Audit tampering detected" [email protected] </code></pre></div> <h3 id="code-examples" class="position-relative d-flex align-items-center group"> Code Examples <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="code-examples" aria-haspopup="dialog" aria-label="Share link: Code Examples"> Share link </button> </h3> <h4 id="basic-usage" class="position-relative d-flex align-items-center group"> Basic Usage <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="basic-usage" aria-haspopup="dialog" aria-label="Share link: Basic Usage"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-zig" data-lang="zig">const std = @import("std"); const audit = @import("audit/logger.zig"); const config = @import("audit/config.zig"); const events = @import("audit/events.zig"); const time = @import("audit/time.zig"); pub fn main() !void { var gpa = std.heap.GeneralPurposeAllocator(.{}){}; defer _ = gpa.deinit(); const allocator = gpa.allocator(); // Load configuration const audit_config = try config.loadConfig(allocator, "config/logging.json"); defer audit_config.deinit(); // Initialize logger var sys_clock = time.SystemClock{}; var sys_id_gen = time.SystemIdGen.init(); const logger = try audit.AuditLogger.init( allocator, audit_config, sys_clock.clock(), sys_id_gen.idGen(), ); defer logger.deinit(); // Emit authentication event const auth_event = events.AuditEvent{ .category = "auth", .action = "login", .outcome = .success, .ts_unix_ms = 0, // Auto-filled .severity = .INFO, .actor_id = "[email protected]", .subject_id = null, .request_id = "req-12345", .session_id = "ses-abcdef", .source_ip = "192.168.1.100", .trace_id = null, // Auto-generated .span_id = null, // Auto-generated .metadata = null, }; try logger.audit(&auth_event); } </code></pre></div> <h4 id="custom-event-types" class="position-relative d-flex align-items-center group"> Custom Event Types <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="custom-event-types" aria-haspopup="dialog" aria-label="Share link: Custom Event Types"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-zig" data-lang="zig">// Create custom database event const db_event = events.AuditEvent{ .category = "db", .action = "execute", .outcome = .success, .severity = .INFO, .actor_id = "[email protected]", .resource = "graph:main", .metadata = .{ .db_operation = "MATCH", .db_rowCount = 42, .duration_ms = 15, }, }; try logger.audit(&db_event); </code></pre></div> <h3 id="references" class="position-relative d-flex align-items-center group"> References <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="references" aria-haspopup="dialog" aria-label="Share link: References"> Share link </button> </h3> <h4 id="standards" class="position-relative d-flex align-items-center group"> Standards <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="standards" aria-haspopup="dialog" aria-label="Share link: Standards"> Share link </button> </h4><ul> <li> RFC 5424: The Syslog Protocol <ul> <li><a href="https://datatracker.ietf.org/doc/html/rfc5424" aria-label="https://datatracker.ietf.org/doc/html/rfc5424 – opens in new window" target="_blank" rel="noopener noreferrer" >https://datatracker.ietf.org/doc/html/rfc5424 ↗ </a> </li> </ul> </li> <li> Common Event Format (CEF) <ul> <li>ArcSight CEF specification for SIEM integration</li> </ul> </li> <li> W3C Trace Context <ul> <li><a href="https://www.w3.org/TR/trace-context/" aria-label="https://www.w3.org/TR/trace-context/ – opens in new window" target="_blank" rel="noopener noreferrer" >https://www.w3.org/TR/trace-context/ ↗ </a> </li> </ul> </li> <li> Ed25519 Digital Signatures <ul> <li><a href="https://ed25519.cr.yp.to/" aria-label="https://ed25519.cr.yp.to/ – opens in new window" target="_blank" rel="noopener noreferrer" >https://ed25519.cr.yp.to/ ↗ </a> </li> </ul> </li> </ul> <h4 id="compliance-resources" class="position-relative d-flex align-items-center group"> Compliance Resources <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-resources" aria-haspopup="dialog" aria-label="Share link: Compliance Resources"> Share link </button> </h4><ul> <li>SOX Compliance: IT audit controls</li> <li>PCI-DSS: Requirement 10 (logging and monitoring)</li> <li>HIPAA: 164.312(b) audit controls</li> <li>GDPR: Article 30 (records of processing)</li> </ul> <h4 id="code-location" class="position-relative d-flex align-items-center group"> Code Location <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="code-location" aria-haspopup="dialog" aria-label="Share link: Code Location"> Share link </button> </h4><ul> <li>Implementation: <code>src/audit/logger.zig</code></li> <li>Configuration: <code>src/audit/config.zig</code></li> <li>Tests: <code>tests/test_audit_logging.zig</code></li> <li>Documentation: <code>docs/AUDIT_LOGGING.md</code></li> </ul> <h3 id="next-steps" class="position-relative d-flex align-items-center group"> Next Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="next-steps" aria-haspopup="dialog" aria-label="Share link: Next Steps"> Share link </button> </h3>For Operators: <ul> <li><a href="/docs/ops/observability/" >Monitoring & Observability</a> - Complete monitoring setup</li> <li><a href="/docs/ops/telemetry-advanced/" >Telemetry Advanced</a> - Custom metrics and dashboards</li> <li><a href="/docs/ops/docker-deployment/" >Docker Deployment</a> - Container audit log integration</li> </ul> For Security Teams: <ul> <li><a href="/docs/security/overview/" >Security Overview</a> - Complete security architecture</li> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> - Additional data protection</li> <li><a href="/docs/security/session-management/" >Session Management</a> - Session audit integration</li> </ul> For Developers: <ul> <li><a href="/docs/client-libraries/go-client/" >Client Libraries</a> - Client-side audit event generation</li> <li><a href="/docs/guides/testing-strategies/" >Testing Strategies</a> - Audit log testing approaches</li> </ul> <hr> Document Version: 1.0 Last Updated: January 24, 2026 Status: Production Ready Compliance: SOX, PCI-DSS, HIPAA, GDPR ready