Audit Logging & Compliance

Audit logging in Geode provides comprehensive tracking of all database operations, creating an immutable record of who accessed what data, when they accessed it, and what changes they made. This capability is essential for security monitoring, compliance requirements, forensic analysis, and operational troubleshooting. <h3 id="overview-of-audit-logging" class="position-relative d-flex align-items-center group"> Overview of Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="overview-of-audit-logging" aria-haspopup="dialog" aria-label="Share link: Overview of Audit Logging"> Share link </button> </h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode’s audit logging system captures detailed information about every database operation, including: <ul> <li>User Authentication: Login attempts, authentication failures, session creation and termination</li> <li>Query Execution: All GQL queries with parameters, execution time, and results metadata</li> <li>Data Modifications: INSERT, UPDATE, DELETE operations on nodes and relationships</li> <li>Schema Changes: Graph type definitions, constraint modifications, index creation</li> <li>Access Control: Permission checks, authorization failures, role changes</li> <li>Configuration Changes: Server settings, security policy updates, feature toggles</li> <li>Administrative Actions: User management, backup operations, maintenance tasks</li> </ul> All audit events include: <ul> <li>Timestamp with microsecond precision</li> <li>User identity and session information</li> <li>Client IP address and connection details</li> <li>Operation type and affected resources</li> <li>Success or failure status</li> <li>Detailed error information for failures</li> </ul> <h3 id="enabling-audit-logging" class="position-relative d-flex align-items-center group"> Enabling Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="enabling-audit-logging" aria-haspopup="dialog" aria-label="Share link: Enabling Audit Logging"> Share link </button> </h3>Audit logging is configured through server settings and can be enabled at various levels of granularity: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Enable comprehensive audit logging geode serve --audit-log-level=comprehensive \ --audit-log-file=/var/log/geode/audit.log \ --audit-log-format=json # Enable audit logging for specific operations only geode serve --audit-log-level=security \ --audit-events=auth,access,admin # Configure audit log rotation geode serve --audit-log-max-size=100MB \ --audit-log-max-files=10 \ --audit-log-compress=true </code></pre></div> <h4 id="audit-log-levels" class="position-relative d-flex align-items-center group"> Audit Log Levels <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-levels" aria-haspopup="dialog" aria-label="Share link: Audit Log Levels"> Share link </button> </h4>Comprehensive: Logs all database operations including queries, data modifications, schema changes, and administrative actions. Use for strict compliance environments. Security: Logs authentication, authorization, access control, and security-related events. Recommended for most production deployments. Compliance: Logs data access and modifications required for regulatory compliance (GDPR, HIPAA, SOC2). Optimized balance between detail and performance. Minimal: Logs only critical security events like authentication failures, authorization denials, and administrative actions. <h3 id="audit-log-format" class="position-relative d-flex align-items-center group"> Audit Log Format <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-format" aria-haspopup="dialog" aria-label="Share link: Audit Log Format"> Share link </button> </h3>Geode supports multiple audit log formats to integrate with existing security information and event management (SIEM) systems: <h4 id="json-format-recommended" class="position-relative d-flex align-items-center group"> JSON Format (Recommended) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="json-format-recommended" aria-haspopup="dialog" aria-label="Share link: JSON Format (Recommended)"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "timestamp": "2026-01-24T10:15:32.123456Z", "event_type": "query_execution", "event_id": "evt_9k2j8h3g7f6d5s4a", "session_id": "sess_abc123def456", "user": { "username": "[email protected]", "roles": ["data_analyst", "viewer"], "ip_address": "192.168.1.100", "user_agent": "geode-client-python/0.3.19" }, "operation": { "type": "SELECT", "query": "MATCH (p:Person)-[:WORKS_AT]->(c:Company) WHERE c.industry = $industry RETURN p.name, c.name", "parameters": {"industry": "technology"}, "execution_time_ms": 45, "rows_returned": 127, "bytes_transferred": 8192 }, "result": { "status": "success", "rows_affected": 0, "error": null }, "metadata": { "graph": "corporate_network", "transaction_id": "txn_xyz789", "query_plan_hash": "hash_abc123" } } </code></pre></div> <h4 id="syslog-format" class="position-relative d-flex align-items-center group"> Syslog Format <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="syslog-format" aria-haspopup="dialog" aria-label="Share link: Syslog Format"> Share link </button> </h4>For integration with traditional logging infrastructure: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Jan 24 10:15:32 geode-server audit[12345]: event=query_execution [email protected] session=sess_abc123 query="MATCH (p:Person)..." status=success rows=127 duration_ms=45 </code></pre></div> <h4 id="common-event-format-cef" class="position-relative d-flex align-items-center group"> Common Event Format (CEF) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="common-event-format-cef" aria-haspopup="dialog" aria-label="Share link: Common Event Format (CEF)"> Share link </button> </h4>For SIEM systems that support CEF: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">CEF:0|CodePros|Geode|0.2.18|query_execution|Query Executed|5|src=192.168.1.100 [email protected] act=SELECT outcome=success rt=Jan 24 2026 10:15:32 cs1=sess_abc123 cs1Label=SessionID </code></pre></div> <h3 id="compliance-requirements" class="position-relative d-flex align-items-center group"> Compliance Requirements <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance-requirements" aria-haspopup="dialog" aria-label="Share link: Compliance Requirements"> Share link </button> </h3>Geode’s audit logging helps organizations meet various regulatory compliance requirements: <h4 id="gdpr-compliance" class="position-relative d-flex align-items-center group"> GDPR Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="gdpr-compliance" aria-haspopup="dialog" aria-label="Share link: GDPR Compliance"> Share link </button> </h4>The General Data Protection Regulation requires organizations to maintain records of data processing activities: <ul> <li>Article 30 (Records of Processing): Audit logs document all personal data access and modifications</li> <li>Article 32 (Security of Processing): Logs provide evidence of security measures and breach detection</li> <li>Article 33 (Breach Notification): Detailed logs enable rapid breach assessment and reporting</li> </ul> Example GDPR-focused audit configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve --audit-log-level=compliance \ --audit-events=data_access,data_modification,data_export \ --audit-retention-days=2555 # 7 years as recommended --audit-include-pii-metadata=true </code></pre></div> <h4 id="hipaa-compliance" class="position-relative d-flex align-items-center group"> HIPAA Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hipaa-compliance" aria-haspopup="dialog" aria-label="Share link: HIPAA Compliance"> Share link </button> </h4>The Health Insurance Portability and Accountability Act requires covered entities to maintain audit logs: <ul> <li>164.308(a)(1)(ii)(D): Information system activity review</li> <li>164.312(b): Audit controls to record and examine system activity</li> <li>164.312(d): Person or entity authentication</li> </ul> HIPAA-compliant audit logging configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve --audit-log-level=comprehensive \ --audit-retention-days=2555 \ --audit-events=all \ --audit-phi-access=true \ --audit-minimum-necessary=true </code></pre></div> <h4 id="soc-2-compliance" class="position-relative d-flex align-items-center group"> SOC 2 Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="soc-2-compliance" aria-haspopup="dialog" aria-label="Share link: SOC 2 Compliance"> Share link </button> </h4>Service Organization Control 2 requires detailed logging for security monitoring: <ul> <li>CC6.1: Logical and physical access controls</li> <li>CC6.2: Prior to issuing system credentials</li> <li>CC7.2: System monitoring to detect security breaches</li> </ul> SOC 2 audit configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">geode serve --audit-log-level=security \ --audit-events=auth,access,config,admin \ --audit-log-immutable=true \ --audit-log-encryption=aes-256-gcm </code></pre></div> <h3 id="query-audit-examples" class="position-relative d-flex align-items-center group"> Query Audit Examples <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="query-audit-examples" aria-haspopup="dialog" aria-label="Share link: Query Audit Examples"> Share link </button> </h3>Track specific query patterns for compliance or security monitoring: <h4 id="tracking-personal-data-access" class="position-relative d-flex align-items-center group"> Tracking Personal Data Access <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="tracking-personal-data-access" aria-haspopup="dialog" aria-label="Share link: Tracking Personal Data Access"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- All queries accessing Person nodes are automatically logged MATCH (p:Person {email: 'user@example.com'}) RETURN p.name, p.ssn, p.medical_records; -- Audit log entry includes: -- - Full query text -- - Parameters used -- - Rows returned -- - Sensitive fields accessed (ssn, medical_records) -- - User who executed the query -- - Timestamp and session information </code></pre></div> <h4 id="monitoring-data-modifications" class="position-relative d-flex align-items-center group"> Monitoring Data Modifications <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="monitoring-data-modifications" aria-haspopup="dialog" aria-label="Share link: Monitoring Data Modifications"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Data modifications are logged with before/after values MATCH (p:Person {id: $person_id}) SET p.salary = $new_salary RETURN p; -- Audit log captures: -- - Original salary value: $85000 -- - New salary value: $92000 -- - User who made the change -- - Timestamp and justification (if provided) </code></pre></div> <h4 id="detecting-unauthorized-access-attempts" class="position-relative d-flex align-items-center group"> Detecting Unauthorized Access Attempts <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="detecting-unauthorized-access-attempts" aria-haspopup="dialog" aria-label="Share link: Detecting Unauthorized Access Attempts"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Failed authorization attempts are logged MATCH (p:Person) WHERE p.department = 'Executive' RETURN p.salary; -- If user lacks permission, audit log shows: -- - Attempted query -- - User identity -- - Required permissions: ['read:executive_data'] -- - Actual permissions: ['read:general_data'] -- - Denial reason and timestamp </code></pre></div> <h3 id="audit-log-management" class="position-relative d-flex align-items-center group"> Audit Log Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-management" aria-haspopup="dialog" aria-label="Share link: Audit Log Management"> Share link </button> </h3> <h4 id="log-rotation-and-retention" class="position-relative d-flex align-items-center group"> Log Rotation and Retention <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="log-rotation-and-retention" aria-haspopup="dialog" aria-label="Share link: Log Rotation and Retention"> Share link </button> </h4>Configure automatic log rotation to prevent disk space issues: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Rotate logs daily, keep 90 days geode serve --audit-log-rotate=daily \ --audit-log-retention-days=90 \ --audit-log-compress=gzip # Rotate when logs reach size limit geode serve --audit-log-max-size=500MB \ --audit-log-max-files=20 </code></pre></div> <h4 id="secure-log-storage" class="position-relative d-flex align-items-center group"> Secure Log Storage <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="secure-log-storage" aria-haspopup="dialog" aria-label="Share link: Secure Log Storage"> Share link </button> </h4>Protect audit logs from tampering: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Enable log encryption and integrity checking geode serve --audit-log-encryption=aes-256-gcm \ --audit-log-signing=true \ --audit-log-key-file=/etc/geode/audit-key.pem # Store logs on write-once storage geode serve --audit-log-file=/mnt/worm-storage/geode-audit.log \ --audit-log-immutable=true </code></pre></div> <h4 id="log-analysis-and-monitoring" class="position-relative d-flex align-items-center group"> Log Analysis and Monitoring <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="log-analysis-and-monitoring" aria-haspopup="dialog" aria-label="Share link: Log Analysis and Monitoring"> Share link </button> </h4>Query audit logs for security monitoring: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Search for failed authentication attempts jq 'select(.event_type == "authentication" and .result.status == "failure")' \ /var/log/geode/audit.log # Find queries accessing sensitive data jq 'select(.operation.query | contains("ssn") or contains("medical"))' \ /var/log/geode/audit.log # Identify unusual access patterns jq 'select(.operation.rows_returned > 10000)' \ /var/log/geode/audit.log | jq -s 'group_by(.user.username)' </code></pre></div> <h3 id="integration-with-siem-systems" class="position-relative d-flex align-items-center group"> Integration with SIEM Systems <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="integration-with-siem-systems" aria-haspopup="dialog" aria-label="Share link: Integration with SIEM Systems"> Share link </button> </h3> <h4 id="splunk-integration" class="position-relative d-flex align-items-center group"> Splunk Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="splunk-integration" aria-haspopup="dialog" aria-label="Share link: Splunk Integration"> Share link </button> </h4>Forward audit logs to Splunk for centralized monitoring: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Configure Splunk forwarder cat > /opt/splunkforwarder/etc/system/local/inputs.conf <<EOF [monitor:///var/log/geode/audit.log] disabled = false sourcetype = geode:audit:json index = database_audit EOF </code></pre></div> <h4 id="elasticsearch-integration" class="position-relative d-flex align-items-center group"> Elasticsearch Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="elasticsearch-integration" aria-haspopup="dialog" aria-label="Share link: Elasticsearch Integration"> Share link </button> </h4>Send audit logs to Elasticsearch: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Use Filebeat to ship logs cat > /etc/filebeat/filebeat.yml <<EOF filebeat.inputs: - type: log enabled: true paths: - /var/log/geode/audit.log json.keys_under_root: true json.add_error_key: true output.elasticsearch: hosts: ["elasticsearch:9200"] index: "geode-audit-%{+yyyy.MM.dd}" EOF </code></pre></div> <h4 id="datadog-integration" class="position-relative d-flex align-items-center group"> Datadog Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="datadog-integration" aria-haspopup="dialog" aria-label="Share link: Datadog Integration"> Share link </button> </h4>Stream audit events to Datadog: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Configure Datadog agent cat > /etc/datadog-agent/conf.d/geode.d/conf.yaml <<EOF logs: - type: file path: /var/log/geode/audit.log service: geode source: geode-audit sourcecategory: database tags: - env:production - database:graph EOF </code></pre></div> <h3 id="troubleshooting-audit-logging" class="position-relative d-flex align-items-center group"> Troubleshooting Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting-audit-logging" aria-haspopup="dialog" aria-label="Share link: Troubleshooting Audit Logging"> Share link </button> </h3> <h4 id="missing-audit-entries" class="position-relative d-flex align-items-center group"> Missing Audit Entries <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="missing-audit-entries" aria-haspopup="dialog" aria-label="Share link: Missing Audit Entries"> Share link </button> </h4>If expected events are not appearing in audit logs: <ol> <li>Check audit level: Ensure the event type is included in your configured audit level</li> <li>Verify file permissions: Audit log file must be writable by the Geode process</li> <li>Check disk space: Insufficient disk space prevents log writes</li> <li>Review filters: Event filters may be excluding the events you expect</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Enable verbose audit logging for debugging geode serve --audit-log-level=comprehensive --audit-debug=true </code></pre></div> <h4 id="performance-impact" class="position-relative d-flex align-items-center group"> Performance Impact <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance-impact" aria-haspopup="dialog" aria-label="Share link: Performance Impact"> Share link </button> </h4>Audit logging has minimal performance impact, but comprehensive logging can affect high-throughput systems: <ul> <li>Async logging: Logs are written asynchronously to avoid blocking queries</li> <li>Buffering: Events are buffered in memory before writing to disk</li> <li>Batch writes: Multiple events written in single I/O operations</li> </ul> Optimize audit logging performance: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Configure larger buffer for high-throughput systems geode serve --audit-log-buffer-size=10MB \ --audit-log-flush-interval=5s </code></pre></div> <h4 id="log-analysis-performance" class="position-relative d-flex align-items-center group"> Log Analysis Performance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="log-analysis-performance" aria-haspopup="dialog" aria-label="Share link: Log Analysis Performance"> Share link </button> </h4>For large audit logs, use indexed search tools: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Index logs with lnav for fast searching lnav /var/log/geode/audit.log # Use jq with streaming for large files cat audit.log | jq -c 'select(.user.username == "[email protected]")' </code></pre></div> <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3><ol> <li>Enable audit logging in production: Always run production systems with at least security-level auditing</li> <li>Protect audit logs: Store logs on separate storage with restricted access and encryption</li> <li>Regular review: Implement automated monitoring and regular manual review of audit logs</li> <li>Retention policies: Align retention periods with compliance requirements (typically 7 years)</li> <li>Test log integrity: Regularly verify that audit logs are being written correctly and are tamper-proof</li> <li>Document procedures: Maintain clear procedures for accessing and analyzing audit logs</li> <li>Monitor log volume: Set up alerts for unusual log volume that might indicate an attack or misconfiguration</li> </ol> <h3 id="related-topics" class="position-relative d-flex align-items-center group"> Related Topics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> Share link </button> </h3><ul> <li><a href="/tags/compliance/" >Compliance</a> - Regulatory compliance frameworks (GDPR, HIPAA, SOC2)</li> <li><a href="/tags/row-level-security/" >Row-Level Security</a> - Fine-grained access control with audit integration</li> <li><a href="/tags/governance/" >Governance</a> - Data governance policies and enforcement</li> <li><a href="/tags/encryption/" >Encryption</a> - Data encryption at rest and in transit</li> <li><a href="/docs/security/overview/" >Security Overview</a> - Security documentation</li> </ul>

Popular

Related Articles

Security and Compliance Guide

Monitoring and Telemetry