
About audit logs

Learn how Piiano Vault collects audit logs

Many certifications and internal security policies require full traceability of sensitive information access. Vault meets this traceability requirement with comprehensive audit logs that log every operation, including read, write, search, and tokenize requests.

Logs are in JSON format and sent to stdout by default. You can configure the output destination using the PVAULT_LOG_DESTINATION environment variable. For example, you can stream the logs to a service of your choice for further analysis and monitoring.

The logs contain metadata about the request, such as the user and role who made the request (including the Admin user), the time of the request, and the IDs that were accessed. In case of errors, the logs also contain information about the error. IAM changes are logged in further detail.

The logs do not contain sensitive data. They only contain metadata and ID references to the accessed data.

Custom data

To include custom data in the audit logs, use the custom_audit query parameter in the request. This parameter is a string that can include any custom data you want to log. For example, you can include references to external systems or other metadata.

IP address

Audit logs include the IP address of the client that made the request. This can be useful for tracking down the source of requests.

If your compliance requirements mean that you must not log IP addresses, you can disable this feature by setting the PVAULT_LOG_AUDIT_REMOTE_ADDR_ENABLE environment variable to true.

If Vault sits behind a load balancer or reverse proxy, the client IP address can be extracted from the X-Forwarded-For header instead of the connection's remote address. To enable this feature, set the PVAULT_LOG_AUDIT_REMOTE_ADDR_XFF environment variable to true.

note

The X-Forwarded-For header should only be trusted if it is set by a trusted reverse proxy or load balancer. If the header can be set by the client, the audited IP address may be spoofed, and you should keep the feature disabled.

Example

Here is a typical audit log entry, with a few lines removed for readability. In this example, the Admin user has requested to list several properties from the users collection, including the masked version of email. The entry also lists which object IDs were returned.

{
  "type": "audit",
  "version": "0.0.1",
  "product": "vault",
  "service": "server",
  "customer_identifier": "<customer_identifier>",
  "customer_env": "<customer_env>",
  "customer_region": "<customer_region>",
  "dev_mode": false,
  "worker_id": "364822940293324800",
  "registration_uid": "<registration_uid>",
  "vault_id": "1525760998873501696",
  "access_reason": "AppFunctionality",
  "auth": {
    "idp": "api-key",
    "role_name": "Admin",
    "user_name": "Admin"
  },
  "operation_id": "list-objects",
  "remote_addr": "",
  "status": 200,
  "trace_id": "test-trace-id",
  "details": {
    "collection": "auditAudit",
    "properties": [
      "email.mask"
    ],
    "search_properties": [
      "id"
    ]
  },
  "resources": [
    "30c21ca5-4176-477c-bf36-943cb9a4e537",
    "bd9bde53-1582-488d-84bf-9d44e05ffc1a"
  ],
  "resource_type": "object",
  "operation_type": "get",
  "time": 1727979370680
}
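As an added example that is not part of the Vault documentation or product, the following Python script reads the JSON-lines audit stream Vault writes to stdout, discards lines that are not audit entries, and builds the summary a reviewer typically wants from the fields shown above: which object IDs each user touched, which calls were refused or failed, and how often the Admin identity was used for object operations. The sample entries, user and role names, addresses and the SupportReader role are constructed for this illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines (not from the page), one JSON object per line in the
# field layout of the documentation's example entry. Users, roles, addresses
# and the fourth non-audit line are made up for this illustration.
SAMPLE_LOG = """\
{"type":"audit","auth":{"idp":"api-key","role_name":"Admin","user_name":"Admin"},"operation_id":"list-objects","remote_addr":"10.0.0.5","status":200,"details":{"collection":"users","properties":["email.mask"]},"resources":["30c21ca5-4176-477c-bf36-943cb9a4e537","bd9bde53-1582-488d-84bf-9d44e05ffc1a"],"resource_type":"object","operation_type":"get","time":1727979370680}
{"type":"audit","auth":{"idp":"api-key","role_name":"SupportReader","user_name":"support-1"},"operation_id":"get-object","remote_addr":"10.0.0.9","status":403,"details":{"collection":"users","properties":["ssn"]},"resources":["bd9bde53-1582-488d-84bf-9d44e05ffc1a"],"resource_type":"object","operation_type":"get","time":1727979371000}
{"type":"audit","auth":{"idp":"api-key","role_name":"Admin","user_name":"Admin"},"operation_id":"delete-object","remote_addr":"10.0.0.5","status":200,"details":{"collection":"users"},"resources":["30c21ca5-4176-477c-bf36-943cb9a4e537"],"resource_type":"object","operation_type":"delete","time":1727979372000}
{"type":"log","level":"info","msg":"not an audit entry"}
"""


def parse_audit_lines(text):
    """Keep only well-formed JSON lines whose "type" is "audit"."""
    entries = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON stdout noise is not an audit record
        if isinstance(obj, dict) and obj.get("type") == "audit":
            entries.append(obj)
    return entries


def summarize(entries):
    """Who touched which object IDs, which calls were refused or failed,
    and how many object operations ran under the Admin identity."""
    objects_per_user = defaultdict(set)
    failures = []
    admin_object_ops = 0
    for e in entries:
        auth = e.get("auth", {})
        user = auth.get("user_name", "?")
        objects_per_user[user].update(e.get("resources", []))
        if e.get("status", 0) >= 400:
            failures.append((user, e.get("operation_id"), e["status"]))
        if auth.get("role_name") == "Admin" and e.get("resource_type") == "object":
            admin_object_ops += 1
    return {
        "objects_per_user": {u: sorted(ids) for u, ids in objects_per_user.items()},
        "failures": failures,
        "admin_object_ops": admin_object_ops,
    }
```

Point the same parser at the destination configured with PVAULT_LOG_DESTINATION and the refused-call list becomes a direct feed for alerting on denied access to sensitive properties.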