
Audit

Audit protocol schemas

Audit Log Architecture

Comprehensive audit logging system for compliance and security.

Supports SOX, HIPAA, GDPR, and other regulatory requirements.

Features:

  • Records all CRUD operations on data

  • Tracks authentication events (login, logout, password reset)

  • Monitors authorization changes (permissions, roles)

  • Configurable retention policies (the spec cites a 180-day GDPR requirement; confirm the retention period your own obligations require)

  • Suspicious activity detection and alerting

Source: packages/spec/src/system/audit.zod.ts

TypeScript Usage

import { AuditConfig, AuditEvent, AuditEventActor, AuditEventChange, AuditEventFilter, AuditEventSeverity, AuditEventTarget, AuditEventType, AuditRetentionPolicy, AuditStorageConfig, SuspiciousActivityRule } from '@objectstack/spec/system';
import type { AuditConfig, AuditEvent, AuditEventActor, AuditEventChange, AuditEventFilter, AuditEventSeverity, AuditEventTarget, AuditEventType, AuditRetentionPolicy, AuditStorageConfig, SuspiciousActivityRule } from '@objectstack/spec/system';

// Validate data. `data` is a placeholder for the value to check (for example a
// configuration object loaded from a file or a request); it is not defined in
// this snippet.
// NOTE(review): the schema lives in audit.zod.ts, so AuditConfig is presumably
// a Zod schema whose parse() throws when validation fails. Handle that error
// (or use safeParse()) so an invalid audit configuration is rejected explicitly
// rather than applied.
// NOTE(review): the two import lines above bind the same names twice and look
// like alternatives; parse() needs the value import, not the `import type` one.
const result = AuditConfig.parse(data);

AuditConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| name | `string` |  | Configuration name (snake_case, max 64 chars) |
| label | `string` |  | Display label |
| enabled | `boolean` |  | Enable audit logging |
| eventTypes | `Enum<'data.create' \| 'data.read' \| 'data.update' \| 'data.delete' \| 'data.export' \| 'data.import' \| 'data.bulk_update' \| 'data.bulk_delete' \| 'auth.login' \| 'auth.login_failed' \| 'auth.logout' \| 'auth.session_created' \| 'auth.session_expired' \| 'auth.password_reset' \| 'auth.password_changed' \| 'auth.email_verified' \| 'auth.mfa_enabled' \| 'auth.mfa_disabled' \| 'auth.account_locked' \| 'auth.account_unlocked' \| 'authz.permission_granted' \| 'authz.permission_revoked' \| 'authz.role_assigned' \| 'authz.role_removed' \| 'authz.role_created' \| 'authz.role_updated' \| 'authz.role_deleted' \| 'authz.policy_created' \| 'authz.policy_updated' \| 'authz.policy_deleted' \| 'system.config_changed' \| 'system.plugin_installed' \| 'system.plugin_uninstalled' \| 'system.backup_created' \| 'system.backup_restored' \| 'system.integration_added' \| 'system.integration_removed' \| 'security.access_denied' \| 'security.suspicious_activity' \| 'security.data_breach' \| 'security.api_key_created' \| 'security.api_key_revoked'>[]` | optional | Event types to audit |
| excludeEventTypes | `Enum<'data.create' \| 'data.read' \| 'data.update' \| 'data.delete' \| 'data.export' \| 'data.import' \| 'data.bulk_update' \| 'data.bulk_delete' \| 'auth.login' \| 'auth.login_failed' \| 'auth.logout' \| 'auth.session_created' \| 'auth.session_expired' \| 'auth.password_reset' \| 'auth.password_changed' \| 'auth.email_verified' \| 'auth.mfa_enabled' \| 'auth.mfa_disabled' \| 'auth.account_locked' \| 'auth.account_unlocked' \| 'authz.permission_granted' \| 'authz.permission_revoked' \| 'authz.role_assigned' \| 'authz.role_removed' \| 'authz.role_created' \| 'authz.role_updated' \| 'authz.role_deleted' \| 'authz.policy_created' \| 'authz.policy_updated' \| 'authz.policy_deleted' \| 'system.config_changed' \| 'system.plugin_installed' \| 'system.plugin_uninstalled' \| 'system.backup_created' \| 'system.backup_restored' \| 'system.integration_added' \| 'system.integration_removed' \| 'security.access_denied' \| 'security.suspicious_activity' \| 'security.data_breach' \| 'security.api_key_created' \| 'security.api_key_revoked'>[]` | optional | Event types to exclude |
| minimumSeverity | `Enum<'debug' \| 'info' \| 'notice' \| 'warning' \| 'error' \| 'critical' \| 'alert' \| 'emergency'>` |  | Minimum severity level |
| storage | `Object` |  | Storage configuration |
| retentionPolicy | `Object` | optional | Retention policy |
| suspiciousActivityRules | `Object[]` |  | Suspicious activity rules |
| includeSensitiveData | `boolean` |  | Include sensitive data |
| redactFields | `string[]` |  | Fields to redact |
| logReads | `boolean` |  | Log read operations |
| readSamplingRate | `number` |  | Read sampling rate |
| logSystemEvents | `boolean` |  | Log system events |
| customHandlers | `Object[]` | optional | Custom event handler references |
| compliance | `Object` | optional | Compliance configuration |

AuditEvent

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| id | `string` |  | Audit event ID |
| eventType | `Enum<'data.create' \| 'data.read' \| 'data.update' \| 'data.delete' \| 'data.export' \| 'data.import' \| 'data.bulk_update' \| 'data.bulk_delete' \| 'auth.login' \| 'auth.login_failed' \| 'auth.logout' \| 'auth.session_created' \| 'auth.session_expired' \| 'auth.password_reset' \| 'auth.password_changed' \| 'auth.email_verified' \| 'auth.mfa_enabled' \| 'auth.mfa_disabled' \| 'auth.account_locked' \| 'auth.account_unlocked' \| 'authz.permission_granted' \| 'authz.permission_revoked' \| 'authz.role_assigned' \| 'authz.role_removed' \| 'authz.role_created' \| 'authz.role_updated' \| 'authz.role_deleted' \| 'authz.policy_created' \| 'authz.policy_updated' \| 'authz.policy_deleted' \| 'system.config_changed' \| 'system.plugin_installed' \| 'system.plugin_uninstalled' \| 'system.backup_created' \| 'system.backup_restored' \| 'system.integration_added' \| 'system.integration_removed' \| 'security.access_denied' \| 'security.suspicious_activity' \| 'security.data_breach' \| 'security.api_key_created' \| 'security.api_key_revoked'>` |  | Event type |
| severity | `Enum<'debug' \| 'info' \| 'notice' \| 'warning' \| 'error' \| 'critical' \| 'alert' \| 'emergency'>` |  | Event severity |
| timestamp | `string` |  | Event timestamp |
| actor | `Object` |  | Event actor |
| target | `Object` | optional | Event target |
| description | `string` |  | Event description |
| changes | `Object[]` | optional | List of changes |
| result | `Enum<'success' \| 'failure' \| 'partial'>` |  | Action result |
| errorMessage | `string` | optional | Error message |
| tenantId | `string` | optional | Tenant identifier |
| requestId | `string` | optional | Request ID for tracing |
| metadata | `Record<string, any>` | optional | Additional metadata |
| location | `Object` | optional | Geographic location |

AuditEventActor

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| type | `Enum<'user' \| 'system' \| 'service' \| 'api_client' \| 'integration'>` |  | Actor type |
| id | `string` |  | Actor identifier |
| name | `string` | optional | Actor display name |
| email | `string` | optional | Actor email address |
| ipAddress | `string` | optional | Actor IP address |
| userAgent | `string` | optional | User agent string |

AuditEventChange

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| field | `string` |  | Changed field name |
| oldValue | `any` | optional | Previous value |
| newValue | `any` | optional | New value |

AuditEventFilter

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| eventTypes | `Enum<'data.create' \| 'data.read' \| 'data.update' \| 'data.delete' \| 'data.export' \| 'data.import' \| 'data.bulk_update' \| 'data.bulk_delete' \| 'auth.login' \| 'auth.login_failed' \| 'auth.logout' \| 'auth.session_created' \| 'auth.session_expired' \| 'auth.password_reset' \| 'auth.password_changed' \| 'auth.email_verified' \| 'auth.mfa_enabled' \| 'auth.mfa_disabled' \| 'auth.account_locked' \| 'auth.account_unlocked' \| 'authz.permission_granted' \| 'authz.permission_revoked' \| 'authz.role_assigned' \| 'authz.role_removed' \| 'authz.role_created' \| 'authz.role_updated' \| 'authz.role_deleted' \| 'authz.policy_created' \| 'authz.policy_updated' \| 'authz.policy_deleted' \| 'system.config_changed' \| 'system.plugin_installed' \| 'system.plugin_uninstalled' \| 'system.backup_created' \| 'system.backup_restored' \| 'system.integration_added' \| 'system.integration_removed' \| 'security.access_denied' \| 'security.suspicious_activity' \| 'security.data_breach' \| 'security.api_key_created' \| 'security.api_key_revoked'>[]` | optional | Event types to include |
| severities | `Enum<'debug' \| 'info' \| 'notice' \| 'warning' \| 'error' \| 'critical' \| 'alert' \| 'emergency'>[]` | optional | Severity levels to include |
| actorId | `string` | optional | Actor identifier |
| tenantId | `string` | optional | Tenant identifier |
| timeRange | `Object` | optional | Time range filter |
| result | `Enum<'success' \| 'failure' \| 'partial'>` | optional | Result status |
| searchQuery | `string` | optional | Search query |
| customFilters | `Record<string, any>` | optional | Custom filters |

AuditEventSeverity

Allowed Values

  • debug
  • info
  • notice
  • warning
  • error
  • critical
  • alert
  • emergency

AuditEventTarget

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| type | `string` |  | Target type |
| id | `string` |  | Target identifier |
| name | `string` | optional | Target display name |
| metadata | `Record<string, any>` | optional | Target metadata |

AuditEventType

Allowed Values

  • data.create
  • data.read
  • data.update
  • data.delete
  • data.export
  • data.import
  • data.bulk_update
  • data.bulk_delete
  • auth.login
  • auth.login_failed
  • auth.logout
  • auth.session_created
  • auth.session_expired
  • auth.password_reset
  • auth.password_changed
  • auth.email_verified
  • auth.mfa_enabled
  • auth.mfa_disabled
  • auth.account_locked
  • auth.account_unlocked
  • authz.permission_granted
  • authz.permission_revoked
  • authz.role_assigned
  • authz.role_removed
  • authz.role_created
  • authz.role_updated
  • authz.role_deleted
  • authz.policy_created
  • authz.policy_updated
  • authz.policy_deleted
  • system.config_changed
  • system.plugin_installed
  • system.plugin_uninstalled
  • system.backup_created
  • system.backup_restored
  • system.integration_added
  • system.integration_removed
  • security.access_denied
  • security.suspicious_activity
  • security.data_breach
  • security.api_key_created
  • security.api_key_revoked

AuditRetentionPolicy

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| retentionDays | `integer` |  | Retention period in days |
| archiveAfterRetention | `boolean` |  | Archive logs after retention period |
| archiveStorage | `Object` | optional | Archive storage configuration |
| customRetention | `Record<string, integer>` | optional | Custom retention by event type |
| minimumRetentionDays | `integer` | optional | Minimum retention for compliance |

AuditStorageConfig

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| type | `Enum<'database' \| 'elasticsearch' \| 'mongodb' \| 'clickhouse' \| 's3' \| 'gcs' \| 'azure_blob' \| 'custom'>` |  | Storage backend type |
| connectionString | `string` | optional | Connection string |
| config | `Record<string, any>` | optional | Storage-specific configuration |
| bufferEnabled | `boolean` |  | Enable buffering |
| bufferSize | `integer` |  | Buffer size |
| flushIntervalSeconds | `integer` |  | Flush interval in seconds |
| compression | `boolean` |  | Enable compression |

SuspiciousActivityRule

Properties

| Property | Type | Required | Description |
| --- | --- | --- | --- |
| id | `string` |  | Rule identifier |
| name | `string` |  | Rule name |
| description | `string` | optional | Rule description |
| enabled | `boolean` |  | Rule enabled status |
| eventTypes | `Enum<'data.create' \| 'data.read' \| 'data.update' \| 'data.delete' \| 'data.export' \| 'data.import' \| 'data.bulk_update' \| 'data.bulk_delete' \| 'auth.login' \| 'auth.login_failed' \| 'auth.logout' \| 'auth.session_created' \| 'auth.session_expired' \| 'auth.password_reset' \| 'auth.password_changed' \| 'auth.email_verified' \| 'auth.mfa_enabled' \| 'auth.mfa_disabled' \| 'auth.account_locked' \| 'auth.account_unlocked' \| 'authz.permission_granted' \| 'authz.permission_revoked' \| 'authz.role_assigned' \| 'authz.role_removed' \| 'authz.role_created' \| 'authz.role_updated' \| 'authz.role_deleted' \| 'authz.policy_created' \| 'authz.policy_updated' \| 'authz.policy_deleted' \| 'system.config_changed' \| 'system.plugin_installed' \| 'system.plugin_uninstalled' \| 'system.backup_created' \| 'system.backup_restored' \| 'system.integration_added' \| 'system.integration_removed' \| 'security.access_denied' \| 'security.suspicious_activity' \| 'security.data_breach' \| 'security.api_key_created' \| 'security.api_key_revoked'>[]` |  | Event types to monitor |
| condition | `Object` |  | Detection condition |
| actions | `Enum<'alert' \| 'lock_account' \| 'block_ip' \| 'require_mfa' \| 'log_critical' \| 'webhook'>[]` |  | Actions to take |
| alertSeverity | `Enum<'debug' \| 'info' \| 'notice' \| 'warning' \| 'error' \| 'critical' \| 'alert' \| 'emergency'>` |  | Alert severity |
| notifications | `Object` | optional | Notification configuration |
