Audit log
Every state-changing action in Ampora produces an audit event. The audit log is the single most important compliance and incident-response surface — when in doubt, the audit log answers it.
What an audit event contains
| Field | Meaning |
|---|---|
| `actor` | OIDC subject of the user (or `system` for background services) |
| `actor_role` | Role at the time of the action |
| `tenant` | Tenant the action took place in |
| `entity_type` | E.g. `Configuration`, `Rollout`, `Group`, `Token`, `Policy`, `SigningKey` |
| `entity_id` | UUID of the affected entity |
| `action` | E.g. `Created`, `Edited`, `Published`, `Started`, `Paused`, `Approved` |
| `before` | JSON snapshot of the entity before the action (where applicable) |
| `after` | JSON snapshot of the entity after the action |
| `timestamp` | UTC, ISO-8601 with milliseconds |
| `source_ip` | The actor's IP address, if available |
| `trace_id` | W3C trace ID, for correlating with cross-cutting traces |
| `additional` | Free-form JSON for action-specific details |
Filtering
The Audit log page filters by:
- Actor — autocomplete on known users and `system`.
- Action — multi-select chip filter.
- Entity type — to narrow to e.g. all `Rollout` events.
- Entity ID — paste a UUID to see everything that happened to one thing.
- Date range — since / until.
- Free-text — searches the `additional` JSON.
Filters compose; the active filter set is in the URL, so you can share a focused view.
Hot vs archive
Events younger than the configured HotDays (default 90) live in the hot table — fast queries, full structured before/after. Older events move to the archive table — same shape, slower queries.
The default UI queries only the hot table. Include archive is a toggle gated by Admin; it pulls from both at once. Archive queries are slower and the toggle itself is audited.
After ArchiveDays (default 7 years), events are purged. See Audit retention.
Reading a specific event
Click any row to expand it. You see:
- the `before` and `after` snapshots side by side,
- the diff highlighted,
- a deep link to the entity (if it still exists),
- related events (other audit rows touching the same entity within ± 10 minutes).
Exporting
The action menu offers:
- Export filtered as CSV (capped at 10 000 rows in one request),
- Export filtered as JSONL (line-delimited JSON, no cap on the API; the UI streams up to 100 000 rows).
Larger exports go through the REST API directly.
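As an added example (not part of Ampora's documentation or code), the script below reads a JSONL export with the fields listed above and reproduces offline two things the UI does per row: the `before`/`after` diff and the related-events lookup within ± 10 minutes of the selected event. The sample events, tenant, actors, UUIDs and trace IDs are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of a JSONL export (not real data): three events on one
# Rollout plus one unrelated Token event, all in tenant "acme".
SAMPLE_JSONL = """\
{"actor":"alice@example.test","actor_role":"Operator","tenant":"acme","entity_type":"Rollout","entity_id":"2f1c0e2a-0000-4000-8000-000000000001","action":"Created","before":null,"after":{"name":"v2 canary","state":"Draft","percent":0},"timestamp":"2024-05-01T10:00:00.000Z","source_ip":"203.0.113.10","trace_id":"4bf92f3577b34da6a3ce929d0e0e4736","additional":{}}
{"actor":"alice@example.test","actor_role":"Operator","tenant":"acme","entity_type":"Rollout","entity_id":"2f1c0e2a-0000-4000-8000-000000000001","action":"Edited","before":{"name":"v2 canary","state":"Draft","percent":0},"after":{"name":"v2 canary","state":"Draft","percent":5},"timestamp":"2024-05-01T10:04:30.250Z","source_ip":"203.0.113.10","trace_id":"4bf92f3577b34da6a3ce929d0e0e4737","additional":{}}
{"actor":"bob@example.test","actor_role":"Admin","tenant":"acme","entity_type":"Rollout","entity_id":"2f1c0e2a-0000-4000-8000-000000000001","action":"Started","before":{"name":"v2 canary","state":"Draft","percent":5},"after":{"name":"v2 canary","state":"Running","percent":5},"timestamp":"2024-05-01T10:20:00.000Z","source_ip":"203.0.113.11","trace_id":"4bf92f3577b34da6a3ce929d0e0e4738","additional":{}}
{"actor":"system","actor_role":null,"tenant":"acme","entity_type":"Token","entity_id":"9a7d3b10-0000-4000-8000-000000000002","action":"Created","before":null,"after":{"scope":"agent"},"timestamp":"2024-05-01T10:05:00.000Z","source_ip":null,"trace_id":"4bf92f3577b34da6a3ce929d0e0e4739","additional":{"reason":"rotation"}}
"""


def parse_export(text):
    """Parse a JSONL export into event dicts, adding a timezone-aware 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Timestamps are UTC ISO-8601 with millis and a trailing "Z"; older
        # interpreters' fromisoformat() only accept an explicit offset.
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def diff_snapshots(before, after):
    """Return {field: (old, new)} for every field that differs; None snapshots count as empty."""
    before, after = before or {}, after or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def related_events(events, event, window=timedelta(minutes=10)):
    """Other rows touching the same entity within +/- window of the given event."""
    return [e for e in events
            if e is not event
            and e["entity_type"] == event["entity_type"]
            and e["entity_id"] == event["entity_id"]
            and abs(e["ts"] - event["ts"]) <= window]


if __name__ == "__main__":
    evs = parse_export(SAMPLE_JSONL)
    edited = evs[1]
    print("diff:", diff_snapshots(edited["before"], edited["after"]))
    print("related:", [e["action"] for e in related_events(evs, edited)])
```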
What is not in the audit log
- Telemetry payloads. Ampora is not an APM.
- Read-only queries. Postgres can audit those if your compliance regime needs it; Ampora does not by default.
- OpAMP heartbeats. Too high-volume to be useful. The agent's status history covers "was the agent online?" without flooding audit.
Tamper-evidence
Audit events are append-only — no UI or API can mutate an existing row. Corrections are new events that reference the original.
For deployments that need cryptographic tamper-evidence, see Operator → Audit retention for the RFC-3161 timestamping integration. The plain audit log is sufficient for most regimes; the timestamping is opt-in for the strict ones.
Audit log of audit log access
Turning on the Include archive toggle, exporting CSV, or running an unusually large API query all emit their own audit events, including the parameters used. Reviewing the reviewers is therefore, in principle, provable.