Audit log
Every state-change logged with actor, IP, request-ID. 365-day hot retention; 7-year cold archive.
What it is
Every state-changing API call (and every privileged read, like secret reveal) emits an audit event with:
actor— user email or API-key ID.tenant_id,project_id,resource_id.event— namespace likepod.created,key.revoked,secret.revealed,webhook.delivery.failed.ip,ua— source address and user agent.request_id— matches theX-Request-IDheader.ts— RFC 3339 UTC.
Retention: 365 days hot (queryable), 7 years cold archive (exportable on request).
Export: stream to your SIEM via POST /v1/audit/events/stream (push) or pull historical events via GET /v1/audit/events (cursor-paginated).
When to use it
- Investigate who did what when.
- Stream to any SIEM via generic webhook or syslog forwarder; common formats (CEF, JSON-lines) are supported.
- Satisfy SOC-2 / ISO-27001 control evidence.
Quickstart
asc audit events list --actor alice@example.com --since -24h
asc audit events stream --target webhook --url https://siem.example.com/ascfor ev in client.audit.events.list_all(actor='alice@example.com', since='-24h'):
print(ev.ts, ev.event, ev.resource_id)for await (const ev of client.audit.events.listAll({ actor: 'alice@example.com', since: '-24h' })) console.log(ev);Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Hot retention | 365 days | — | |
| Cold retention | 7 years | — | Export on request |
| Stream lag | <60 s p99 | — |
API surface
GET /v1/audit/eventsPOST /v1/audit/events/streamPOST /v1/audit/events/export