Audit Logging and Security Monitoring

Audit logging in Geode provides comprehensive tracking of all database operations, creating an immutable record of who accessed what data, when they accessed it, and what changes were made. This capability is essential for security monitoring, regulatory compliance, forensic analysis, incident response, and operational troubleshooting. <h3 id="audit-logging-overview" class="position-relative d-flex align-items-center group"> Audit Logging Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-logging-overview" aria-haspopup="dialog" aria-label="Share link: Audit Logging Overview"> Share link </button> </h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode’s audit system captures detailed information about every database interaction: <ul> <li>Authentication Events: Login attempts, failures, session management</li> <li>Authorization Events: Permission checks, access grants and denials</li> <li>Data Access: All read operations with query details and result metadata</li> <li>Data Modifications: CREATE, UPDATE, DELETE operations with before/after values</li> <li>Schema Changes: Graph definitions, constraints, indexes, policies</li> <li>Administrative Actions: User management, configuration changes, maintenance</li> <li>System Events: Startup, shutdown, errors, resource exhaustion</li> </ul> <h4 id="audit-event-structure" class="position-relative d-flex align-items-center group"> Audit Event Structure <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-event-structure" aria-haspopup="dialog" aria-label="Share link: Audit Event Structure"> Share link </button> </h4>Every audit event contains: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_id": "evt_2026012810152345678", "timestamp": "2026-01-28T10:15:23.456789Z", "event_type": "data_access", "severity": "info", "actor": { "user_id": "[email protected]", "session_id": "sess_abc123def456", "roles": ["analyst", "viewer"], "ip_address": "192.168.1.100", "user_agent": "geode-client-python/0.3.19" }, "operation": { "type": "SELECT", "query": "MATCH (c:Customer) WHERE c.region = $region RETURN c.name, c.email", "parameters": {"region": "EMEA"}, "graph": "production", "duration_ms": 45, "rows_returned": 127, "bytes_transferred": 8192 }, "result": { "status": "success", "error_code": null, "error_message": null }, "context": { "transaction_id": "txn_xyz789", "request_id": "req_abc123", "correlation_id": "corr_456def" } } </code></pre></div> <h3 id="enabling-audit-logging" class="position-relative d-flex align-items-center group"> Enabling Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="enabling-audit-logging" aria-haspopup="dialog" aria-label="Share link: Enabling Audit Logging"> Share link </button> </h3> <h4 id="command-line-configuration" class="position-relative d-flex align-items-center group"> Command Line Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="command-line-configuration" aria-haspopup="dialog" aria-label="Share link: Command Line Configuration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Enable comprehensive audit logging geode serve --audit-enabled=true \ --audit-log-level=comprehensive \ --audit-log-file=/var/log/geode/audit.log \ --audit-log-format=json # Enable specific event types only geode serve --audit-enabled=true \ --audit-events=authentication,authorization,data_modification,admin # Configure log rotation geode serve --audit-log-max-size=100MB \ --audit-log-max-files=30 \ --audit-log-compress=true </code></pre></div> <h4 id="configuration-file" class="position-relative d-flex align-items-center group"> Configuration File <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="configuration-file" aria-haspopup="dialog" aria-label="Share link: Configuration File"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: enabled: true level: comprehensive # minimal, security, compliance, comprehensive # Event types to log events: authentication: true authorization: true data_access: true data_modification: true schema_changes: true admin_actions: true system_events: true # Output configuration output: file: path: /var/log/geode/audit.log format: json # json, syslog, cef rotation: max_size: 100MB max_files: 30 compress: true # Optional: Stream to external system stream: enabled: true endpoint: "https://siem.example.com/collect" batch_size: 100 flush_interval: 5s # Data handling include_query_parameters: true include_result_data: false # Avoid logging sensitive data include_before_after: true # For modifications mask_sensitive_fields: - password - ssn - credit_card # Retention retention_days: 2555 # 7 years for compliance </code></pre></div> <h3 id="audit-log-levels" class="position-relative d-flex align-items-center group"> Audit Log Levels <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-levels" aria-haspopup="dialog" aria-label="Share link: Audit Log Levels"> Share link </button> </h3> <h4 id="minimal-level" class="position-relative d-flex align-items-center group"> Minimal Level <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="minimal-level" aria-haspopup="dialog" aria-label="Share link: Minimal Level"> Share link </button> </h4>Logs only critical security events: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: level: minimal # Logs: # - Authentication failures # - Authorization denials # - Administrative actions # - System errors </code></pre></div> <h4 id="security-level" class="position-relative d-flex align-items-center group"> Security Level <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-level" aria-haspopup="dialog" aria-label="Share link: Security Level"> Share link </button> </h4>Logs all security-relevant events: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: level: security # Logs: # - All authentication events # - All authorization events # - Permission changes # - User management # - Configuration changes </code></pre></div> <h4 id="compliance-level" class="position-relative d-flex align-items-center group"> Compliance Level <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-level" aria-haspopup="dialog" aria-label="Share link: Compliance Level"> Share link </button> </h4>Logs events required for regulatory compliance: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: level: compliance # Logs: # - All data access (who accessed what) # - All data modifications (what changed) # - Exports and data transfers # - Schema changes # - Plus all security events </code></pre></div> <h4 id="comprehensive-level" class="position-relative d-flex align-items-center group"> Comprehensive Level <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="comprehensive-level" aria-haspopup="dialog" aria-label="Share link: Comprehensive Level"> Share link </button> </h4>Logs everything: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: level: comprehensive # Logs: # - Every query executed # - Every connection made # - All internal operations # - Performance metrics # - Plus all compliance events </code></pre></div> <h3 id="event-types" class="position-relative d-flex align-items-center group"> Event Types <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="event-types" aria-haspopup="dialog" aria-label="Share link: Event Types"> Share link </button> </h3> <h4 id="authentication-events" class="position-relative d-flex align-items-center group"> Authentication Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication-events" aria-haspopup="dialog" aria-label="Share link: Authentication Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "authentication", "subtype": "login_success", "actor": { "user_id": "[email protected]", "ip_address": "192.168.1.100", "auth_method": "password" }, "details": { "mfa_used": true, "mfa_method": "totp", "session_duration": 3600 } } </code></pre></div>Authentication subtypes: <ul> <li><code>login_success</code> - Successful login</li> <li><code>login_failure</code> - Failed login attempt</li> <li><code>logout</code> - User logout</li> <li><code>session_expired</code> - Session timeout</li> <li><code>mfa_challenge</code> - MFA initiated</li> <li><code>mfa_success</code> - MFA passed</li> <li><code>mfa_failure</code> - MFA failed</li> <li><code>token_issued</code> - API token created</li> <li><code>token_revoked</code> - API token revoked</li> </ul> <h4 id="authorization-events" class="position-relative d-flex align-items-center group"> Authorization Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization-events" aria-haspopup="dialog" aria-label="Share link: Authorization Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "authorization", "subtype": "access_denied", "actor": { "user_id": "[email protected]", "roles": ["viewer"] }, "details": { "resource": ":SensitiveData", "operation": "SELECT", "required_permission": "read:sensitive", "actual_permissions": ["read:public"], "policy_applied": "sensitive_data_policy" } } </code></pre></div>Authorization subtypes: <ul> <li><code>access_granted</code> - Permission check passed</li> <li><code>access_denied</code> - Permission check failed</li> <li><code>permission_granted</code> - New permission added</li> <li><code>permission_revoked</code> - Permission removed</li> <li><code>role_assigned</code> - Role given to user</li> <li><code>role_removed</code> - Role taken from user</li> <li><code>rls_applied</code> - Row-level security filtered results</li> </ul> <h4 id="data-access-events" class="position-relative d-flex align-items-center group"> Data Access Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="data-access-events" aria-haspopup="dialog" aria-label="Share link: Data Access Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "data_access", "subtype": "query_executed", "actor": { "user_id": "[email protected]" }, "operation": { "type": "SELECT", "query": "MATCH (c:Customer) WHERE c.vip = true RETURN c", "graph": "production", "labels_accessed": ["Customer"], "properties_accessed": ["name", "email", "vip"], "rows_returned": 45, "duration_ms": 23 } } </code></pre></div>Data access subtypes: <ul> <li><code>query_executed</code> - Read query completed</li> <li><code>data_exported</code> - Bulk data export</li> <li><code>report_generated</code> - Report creation</li> <li><code>aggregation_computed</code> - Aggregate query</li> </ul> <h4 id="data-modification-events" class="position-relative d-flex align-items-center group"> Data Modification Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="data-modification-events" aria-haspopup="dialog" aria-label="Share link: Data Modification Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "data_modification", "subtype": "node_updated", "actor": { "user_id": "[email protected]" }, "operation": { "type": "UPDATE", "graph": "production", "target": { "label": "Customer", "id": "cust_12345" }, "changes": { "before": {"status": "active", "tier": "gold"}, "after": {"status": "active", "tier": "platinum"} } } } </code></pre></div>Modification subtypes: <ul> <li><code>node_created</code> - New node inserted</li> <li><code>node_updated</code> - Node properties changed</li> <li><code>node_deleted</code> - Node removed</li> <li><code>relationship_created</code> - New relationship</li> <li><code>relationship_updated</code> - Relationship changed</li> <li><code>relationship_deleted</code> - Relationship removed</li> <li><code>bulk_insert</code> - Batch data import</li> <li><code>bulk_delete</code> - Batch data removal</li> </ul> <h4 id="schema-change-events" class="position-relative d-flex align-items-center group"> Schema Change Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="schema-change-events" aria-haspopup="dialog" aria-label="Share link: Schema Change Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "schema_change", "subtype": "constraint_created", "actor": { "user_id": "[email protected]" }, "details": { "object_type": "constraint", "object_name": "unique_customer_email", "definition": "CONSTRAINT unique_customer_email ON :Customer ASSERT email IS UNIQUE" } } </code></pre></div>Schema subtypes: <ul> <li><code>graph_created</code> - New graph</li> <li><code>graph_dropped</code> - Graph deleted</li> <li><code>constraint_created</code> - New constraint</li> <li><code>constraint_dropped</code> - Constraint removed</li> <li><code>index_created</code> - New index</li> <li><code>index_dropped</code> - Index removed</li> <li><code>policy_created</code> - RLS policy added</li> <li><code>policy_modified</code> - RLS policy changed</li> <li><code>policy_dropped</code> - RLS policy removed</li> </ul> <h4 id="administrative-events" class="position-relative d-flex align-items-center group"> Administrative Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="administrative-events" aria-haspopup="dialog" aria-label="Share link: Administrative Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "event_type": "admin_action", "subtype": "user_created", "actor": { "user_id": "[email protected]" }, "details": { "target_user": "[email protected]", "roles_assigned": ["analyst"], "password_policy": "standard" } } </code></pre></div>Administrative subtypes: <ul> <li><code>user_created</code> - New user account</li> <li><code>user_modified</code> - User properties changed</li> <li><code>user_deleted</code> - User account removed</li> <li><code>user_disabled</code> - Account disabled</li> <li><code>user_enabled</code> - Account enabled</li> <li><code>password_changed</code> - Password updated</li> <li><code>config_changed</code> - Server configuration modified</li> <li><code>backup_created</code> - Backup initiated</li> <li><code>backup_restored</code> - Restore completed</li> <li><code>maintenance_started</code> - Maintenance window began</li> </ul> <h3 id="querying-audit-logs" class="position-relative d-flex align-items-center group"> Querying Audit Logs <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="querying-audit-logs" aria-haspopup="dialog" aria-label="Share link: Querying Audit Logs"> Share link </button> </h3> <h4 id="built-in-audit-queries" class="position-relative d-flex align-items-center group"> Built-in Audit Queries <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="built-in-audit-queries" aria-haspopup="dialog" aria-label="Share link: Built-in Audit Queries"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Recent authentication failures SELECT * FROM system.audit_log WHERE event_type = 'authentication' AND subtype = 'login_failure' AND timestamp > current_timestamp() - INTERVAL '24 hours' ORDER BY timestamp DESC; -- Data access by specific user SELECT timestamp, operation.query, operation.rows_returned FROM system.audit_log WHERE actor.user_id = 'analyst@example.com' AND event_type = 'data_access' AND timestamp BETWEEN $start_date AND $end_date; -- Modifications to sensitive labels SELECT * FROM system.audit_log WHERE event_type = 'data_modification' AND operation.target.label IN ('Customer', 'Payment', 'Account') ORDER BY timestamp DESC LIMIT 100; -- Permission escalation attempts SELECT * FROM system.audit_log WHERE event_type = 'authorization' AND subtype = 'access_denied' AND details.required_permission LIKE '%admin%' ORDER BY timestamp DESC; </code></pre></div> <h4 id="command-line-queries" class="position-relative d-flex align-items-center group"> Command Line Queries <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="command-line-queries" aria-haspopup="dialog" aria-label="Share link: Command Line Queries"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Search recent audit logs geode audit search --since=1h --event-type=authentication # Export audit data geode audit export --start=2026-01-01 --end=2026-01-31 \ --format=csv --output=january-audit.csv # Summary statistics geode audit summary --period=24h # Output: # Authentication Events: 1,234 # - Successful logins: 1,180 # - Failed logins: 54 # Data Access Events: 45,678 # - Queries executed: 45,678 # - Rows returned: 2,345,678 # Modification Events: 1,234 # - Nodes created: 456 # - Nodes updated: 678 # - Nodes deleted: 100 </code></pre></div> <h3 id="security-monitoring" class="position-relative d-flex align-items-center group"> Security Monitoring <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-monitoring" aria-haspopup="dialog" aria-label="Share link: Security Monitoring"> Share link </button> </h3> <h4 id="real-time-alerting" class="position-relative d-flex align-items-center group"> Real-Time Alerting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="real-time-alerting" aria-haspopup="dialog" aria-label="Share link: Real-Time Alerting"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: alerts: # Multiple failed logins - name: brute_force_detection condition: | count(event_type = 'authentication' AND subtype = 'login_failure') WHERE actor.ip_address = $ip AND timestamp > now() - interval '5 minutes' > 5 action: notify: - channel: slack webhook: ${SLACK_SECURITY_WEBHOOK} - channel: pagerduty service_key: ${PAGERDUTY_KEY} # Unusual data access - name: large_data_export condition: | event_type = 'data_access' AND operation.rows_returned > 10000 action: notify: - channel: email recipients: [email protected] # Admin action after hours - name: after_hours_admin condition: | event_type = 'admin_action' AND extract(hour from timestamp) NOT BETWEEN 9 AND 17 action: notify: - channel: slack webhook: ${SLACK_OPS_WEBHOOK} # Privilege escalation - name: privilege_escalation condition: | event_type = 'admin_action' AND subtype IN ('role_assigned', 'permission_granted') AND details.target_role IN ('admin', 'dba', 'security_admin') action: notify: - channel: email recipients: [email protected] </code></pre></div> <h4 id="anomaly-detection" class="position-relative d-flex align-items-center group"> Anomaly Detection <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="anomaly-detection" aria-haspopup="dialog" aria-label="Share link: Anomaly Detection"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: anomaly_detection: enabled: true # Baseline learning period learning_period: 7d detectors: # Unusual access patterns - name: access_pattern_anomaly metric: queries_per_user_per_hour sensitivity: medium alert_threshold: 3.0 # standard deviations # Unusual data volume - name: data_volume_anomaly metric: rows_returned_per_user_per_day sensitivity: high alert_threshold: 2.5 # New access patterns - name: new_label_access type: first_time_access alert_on: label </code></pre></div> <h3 id="siem-integration" class="position-relative d-flex align-items-center group"> SIEM Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="siem-integration" aria-haspopup="dialog" aria-label="Share link: SIEM Integration"> Share link </button> </h3> <h4 id="splunk-integration" class="position-relative d-flex align-items-center group"> Splunk Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="splunk-integration" aria-haspopup="dialog" aria-label="Share link: Splunk Integration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Install Splunk forwarder # Add Geode audit logs as input cat > /opt/splunkforwarder/etc/system/local/inputs.conf <<EOF [monitor:///var/log/geode/audit.log] disabled = false sourcetype = geode:audit:json index = database_audit EOF # Configure Splunk to parse Geode audit events cat > /opt/splunkforwarder/etc/system/local/props.conf <<EOF [geode:audit:json] TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z TIME_PREFIX = "timestamp":" KV_MODE = json EOF </code></pre></div> <h4 id="elasticsearch-integration" class="position-relative d-flex align-items-center group"> Elasticsearch Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="elasticsearch-integration" aria-haspopup="dialog" aria-label="Share link: Elasticsearch Integration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># filebeat.yml filebeat.inputs: - type: log enabled: true paths: - /var/log/geode/audit.log json.keys_under_root: true json.add_error_key: true fields: log_type: geode_audit fields_under_root: true output.elasticsearch: hosts: ["elasticsearch:9200"] index: "geode-audit-%{+yyyy.MM.dd}" pipeline: geode-audit-pipeline # Create Elasticsearch pipeline for enrichment PUT _ingest/pipeline/geode-audit-pipeline { "processors": [ { "date": { "field": "timestamp", "formats": ["ISO8601"] } }, { "geoip": { "field": "actor.ip_address" } } ] } </code></pre></div> <h4 id="datadog-integration" class="position-relative d-flex align-items-center group"> Datadog Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="datadog-integration" aria-haspopup="dialog" aria-label="Share link: Datadog Integration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># datadog.yaml logs: - type: file path: /var/log/geode/audit.log service: geode source: geode-audit sourcecategory: database init_config: instances: - min_collection_interval: 10 # Add custom metrics from audit events dogstatsd_mapper_profiles: - name: geode_audit prefix: geode.audit. mappings: - match: "authentication.login_success" name: "geode.audit.login.success" tags: auth_method: "$1" - match: "authentication.login_failure" name: "geode.audit.login.failure" tags: reason: "$1" </code></pre></div> <h4 id="streaming-to-kafka" class="position-relative d-flex align-items-center group"> Streaming to Kafka <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="streaming-to-kafka" aria-haspopup="dialog" aria-label="Share link: Streaming to Kafka"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: output: kafka: enabled: true brokers: - kafka1:9092 - kafka2:9092 - kafka3:9092 topic: geode-audit-events compression: lz4 batch_size: 100 flush_interval: 1s security: protocol: SASL_SSL sasl_mechanism: PLAIN username: ${KAFKA_USERNAME} password: ${KAFKA_PASSWORD} </code></pre></div> <h3 id="compliance-reporting" class="position-relative d-flex align-items-center group"> Compliance Reporting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-reporting" aria-haspopup="dialog" aria-label="Share link: Compliance Reporting"> Share link </button> </h3> <h4 id="generating-compliance-reports" class="position-relative d-flex align-items-center group"> Generating Compliance Reports <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="generating-compliance-reports" aria-haspopup="dialog" aria-label="Share link: Generating Compliance Reports"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate SOC 2 compliance report geode audit report --framework=soc2 \ --period=Q4-2025 \ --output=soc2-q4-2025.pdf # Generate GDPR data access report geode audit report --framework=gdpr \ --data-subject=[email protected] \ --output=gdpr-access-report.pdf # Generate HIPAA audit report geode audit report --framework=hipaa \ --period=2025 \ --include-evidence=true \ --output=hipaa-2025-audit.pdf </code></pre></div> <h4 id="automated-compliance-checks" class="position-relative d-flex align-items-center group"> Automated Compliance Checks <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="automated-compliance-checks" aria-haspopup="dialog" aria-label="Share link: Automated Compliance Checks"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: compliance: frameworks: - gdpr - hipaa - soc2 checks: # GDPR: Records of processing - name: gdpr_article_30 frequency: daily query: | SELECT DISTINCT actor.user_id, operation.type, array_agg(DISTINCT operation.labels_accessed) FROM system.audit_log WHERE timestamp > current_timestamp() - INTERVAL '24 hours' GROUP BY actor.user_id, operation.type # HIPAA: Access to PHI - name: hipaa_phi_access frequency: daily query: | SELECT * FROM system.audit_log WHERE operation.labels_accessed && ARRAY['Patient', 'MedicalRecord'] AND timestamp > current_timestamp() - INTERVAL '24 hours' </code></pre></div> <h3 id="audit-log-security" class="position-relative d-flex align-items-center group"> Audit Log Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-security" aria-haspopup="dialog" aria-label="Share link: Audit Log Security"> Share link </button> </h3> <h4 id="protecting-audit-logs" class="position-relative d-flex align-items-center group"> Protecting Audit Logs <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="protecting-audit-logs" aria-haspopup="dialog" aria-label="Share link: Protecting Audit Logs"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: security: # Encrypt audit logs encryption: enabled: true algorithm: aes-256-gcm key_source: hsm # Sign audit entries for integrity signing: enabled: true algorithm: ed25519 key_file: /etc/geode/keys/audit-signing.key # Immutable storage immutable: true append_only: true # Access control access: read_roles: - security_admin - compliance_auditor write_roles: [] # Only system can write </code></pre></div> <h4 id="log-integrity-verification" class="position-relative d-flex align-items-center group"> Log Integrity Verification <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="log-integrity-verification" aria-haspopup="dialog" aria-label="Share link: Log Integrity Verification"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Verify audit log integrity geode audit verify --log-file=/var/log/geode/audit.log # Output: # Verifying audit log integrity... # Total entries: 1,234,567 # Valid signatures: 1,234,567 # Chain integrity: OK # No tampering detected # Verify specific time range geode audit verify --start=2026-01-01 --end=2026-01-31 </code></pre></div> <h3 id="retention-and-archival" class="position-relative d-flex align-items-center group"> Retention and Archival <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="retention-and-archival" aria-haspopup="dialog" aria-label="Share link: Retention and Archival"> Share link </button> </h3> <h4 id="retention-policies" class="position-relative d-flex align-items-center group"> Retention Policies <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="retention-policies" aria-haspopup="dialog" aria-label="Share link: Retention Policies"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml audit: retention: # Hot storage (fast access) hot: duration: 30d storage: /var/log/geode/audit # Warm storage (compressed) warm: duration: 365d storage: /archive/geode/audit compression: zstd # Cold storage (long-term archive) cold: duration: 2555d # 7 years storage: s3://audit-archive/geode encryption: true # Automatic purge after retention purge_after_retention: true </code></pre></div> <h4 id="archival-commands" class="position-relative d-flex align-items-center group"> Archival Commands <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="archival-commands" aria-haspopup="dialog" aria-label="Share link: Archival Commands"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Archive old audit logs geode audit archive --older-than=30d \ --destination=s3://audit-archive/geode \ --compress=true # Restore archived logs for investigation geode audit restore --date-range=2025-01-01:2025-03-31 \ --source=s3://audit-archive/geode \ --destination=/tmp/audit-investigation </code></pre></div> <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3> <h4 id="1-enable-audit-logging-in-production" class="position-relative d-flex align-items-center group"> 1. Enable Audit Logging in Production <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-enable-audit-logging-in-production" aria-haspopup="dialog" aria-label="Share link: 1. Enable Audit Logging in Production"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Always run with at least security-level auditing audit: enabled: true level: security # minimum for production </code></pre></div> <h4 id="2-protect-audit-log-integrity" class="position-relative d-flex align-items-center group"> 2. Protect Audit Log Integrity <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-protect-audit-log-integrity" aria-haspopup="dialog" aria-label="Share link: 2. Protect Audit Log Integrity"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: security: signing: true immutable: true encryption: true </code></pre></div> <h4 id="3-implement-real-time-monitoring" class="position-relative d-flex align-items-center group"> 3. Implement Real-Time Monitoring <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-implement-real-time-monitoring" aria-haspopup="dialog" aria-label="Share link: 3. Implement Real-Time Monitoring"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: alerts: - name: critical_events condition: severity = 'critical' action: notify: immediate </code></pre></div> <h4 id="4-align-retention-with-compliance" class="position-relative d-flex align-items-center group"> 4. Align Retention with Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="4-align-retention-with-compliance" aria-haspopup="dialog" aria-label="Share link: 4. Align Retention with Compliance"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Common retention requirements: # - GDPR: No specific requirement (balance with data minimization) # - HIPAA: 6 years # - SOC 2: 1 year minimum, 3+ years recommended # - PCI DSS: 1 year minimum audit: retention: duration: 2555d # 7 years covers most requirements </code></pre></div> <h4 id="5-regular-audit-log-review" class="position-relative d-flex align-items-center group"> 5. Regular Audit Log Review <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="5-regular-audit-log-review" aria-haspopup="dialog" aria-label="Share link: 5. Regular Audit Log Review"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Schedule regular reviews # Daily: Security events # Weekly: Access patterns # Monthly: Compliance summary # Quarterly: Full audit review </code></pre></div> <h3 id="troubleshooting" class="position-relative d-flex align-items-center group"> Troubleshooting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting" aria-haspopup="dialog" aria-label="Share link: Troubleshooting"> Share link </button> </h3> <h4 id="missing-events" class="position-relative d-flex align-items-center group"> Missing Events <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="missing-events" aria-haspopup="dialog" aria-label="Share link: Missing Events"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check audit configuration geode audit config show # Verify event types enabled geode audit config show | grep events # Check for disk space issues df -h /var/log/geode # Check audit log permissions ls -la /var/log/geode/audit.log </code></pre></div> <h4 id="performance-impact" class="position-relative d-flex align-items-center group"> Performance Impact <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance-impact" aria-haspopup="dialog" aria-label="Share link: Performance Impact"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Optimize audit performance audit: async: true buffer_size: 10000 flush_interval: 5s batch_writes: true # Exclude high-volume, low-value events exclude: - event_type: data_access operation.query: "MATCH (n) RETURN count(n)" # Health checks </code></pre></div> <h3 id="related-topics" class="position-relative d-flex align-items-center group"> Related Topics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> Share link </button> </h3><ul> <li><a href="/tags/compliance/" >Compliance</a> - Regulatory compliance frameworks</li> <li><a href="/tags/security/" >Security</a> - Security overview</li> <li><a href="/tags/authorization/" >Authorization</a> - Access control</li> <li><a href="/tags/rbac/" >RBAC</a> - Role-based access control</li> <li><a href="/tags/encryption/" >Encryption</a> - Data encryption</li> <li><a href="/tags/monitoring/" >Monitoring</a> - System monitoring</li> </ul> <h3 id="further-reading" class="position-relative d-flex align-items-center group"> Further Reading <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="further-reading" aria-haspopup="dialog" aria-label="Share link: Further Reading"> Share link </button> </h3><ul> <li><a href="/docs/ops/audit-logging/" >Audit Logging Guide</a> - Complete audit configuration</li> <li><a href="/docs/security/overview/" >Security Overview</a> - Meeting regulatory requirements</li> <li><a href="/docs/architecture/security-architecture/" >Security Architecture</a> - Security design</li> <li>SIEM Integration Whitepaper - Enterprise logging integration</li> </ul>

Popular

Related Articles