AIARCOASC Docs

Audit log

Every state-change logged with actor, IP, request-ID. 365-day hot retention; 7-year cold archive.

What it is

Every state-changing API call (and every privileged read, like secret reveal) emits an audit event with:

  • actor — user email or API-key ID.
  • tenant_id, project_id, resource_id.
  • event — namespace like pod.created, key.revoked, secret.revealed, webhook.delivery.failed.
  • ip, ua — source address and user agent.
  • request_id — matches the X-Request-ID header.
  • ts — RFC 3339 UTC.

Retention: 365 days hot (queryable), 7 years cold archive (exportable on request).

Export: stream to your SIEM via POST /v1/audit/events/stream (push) or pull historical events via GET /v1/audit/events (cursor-paginated).

When to use it

  • Investigate who did what when.
  • Stream to any SIEM via generic webhook or syslog forwarder; common formats (CEF, JSON-lines) are supported.
  • Satisfy SOC-2 / ISO-27001 control evidence.

Quickstart

asc audit events list --actor alice@example.com --since -24h
asc audit events stream --target webhook --url https://siem.example.com/asc
for ev in client.audit.events.list_all(actor='alice@example.com', since='-24h'):
    print(ev.ts, ev.event, ev.resource_id)
for await (const ev of client.audit.events.listAll({ actor: 'alice@example.com', since: '-24h' })) console.log(ev);

Limits & quotas

LimitDefaultBurstNotes
Hot retention365 days
Cold retention7 yearsExport on request
Stream lag<60 s p99

API surface

  • GET /v1/audit/events
  • POST /v1/audit/events/stream
  • POST /v1/audit/events/export