Audit Logging
Comprehensive audit trails for compliance, security investigations, and operational insights
Overview
TigerIdentity automatically logs every access decision, policy change, and administrative action. Audit logs are immutable, tamper-evident, and retained according to your compliance requirements.
Key Features
- ✓ Real-time event capture (sub-second latency)
- ✓ Immutable storage with cryptographic verification
- ✓ Full-text search and filtering
- ✓ Stream to SIEM and data lakes
- ✓ Configurable retention (1-7 years)
- ✓ SOC 2 and ISO 27001 compliant
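"Tamper-evident" means that any change to a stored event is detectable afterwards, not just forbidden. The page does not say which construction TigerIdentity uses, so the following is an added, generic illustration of the idea (a hash chain with a keyed seal), not the product's own scheme: each record carries the hash of its predecessor, so editing, deleting or reordering an earlier record breaks every link after it. The signing key, the sample events and the helper names are all constructed for the example.

```python
"""Hash-chained audit log: a generic tamper-evidence check (added example,
not TigerIdentity's own scheme, which the page does not specify)."""
import copy
import hashlib
import hmac
import json
from typing import Iterable, List, Optional, Tuple

GENESIS = "0" * 64          # prev_hash of the first record

def canonical(event: dict) -> bytes:
    # Canonical JSON: key order and whitespace must not change the hash.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(event)).hexdigest()

def append_chain(events: Iterable[dict], signing_key: bytes) -> List[dict]:
    """Store each event with prev_hash, its own hash, and a keyed seal.

    The seal (an HMAC here; a real deployment would sign with an HSM-held key)
    stops an attacker with write access to storage from simply recomputing
    the whole chain after editing a record.
    """
    records, prev = [], GENESIS
    for event in events:
        h = link_hash(prev, event)
        seal = hmac.new(signing_key, h.encode(), hashlib.sha256).hexdigest()
        records.append({"event": event, "prev_hash": prev, "hash": h, "seal": seal})
        prev = h
    return records

def verify_chain(records: List[dict], signing_key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev:
            return False, i                      # record removed or reordered before i
        if not hmac.compare_digest(link_hash(prev, rec["event"]), rec["hash"]):
            return False, i                      # event body or hash edited
        expected_seal = hmac.new(signing_key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_seal, rec["seal"]):
            return False, i                      # chain recomputed without the key
        prev = rec["hash"]
    return True, None

# Constructed sample events in the page's event shapes (abridged).
SAMPLE_EVENTS = [
    {"event_id": "evt_0001", "event_type": "access.decision", "outcome": "allow",
     "principal": {"id": "user_jane_doe"}, "resource": {"id": "prod-postgres-01"}},
    {"event_id": "evt_0002", "event_type": "access.decision", "outcome": "deny",
     "principal": {"id": "user_mallory"}, "resource": {"id": "prod-postgres-01"}},
    {"event_id": "evt_0003", "event_type": "policy.updated",
     "policy": {"id": "pol_prod_db_access", "version_after": 4}},
]
KEY = b"constructed-demo-signing-key"   # constructed for the example; never hard-code a real key

def demo_tamper() -> Tuple[bool, bool, Optional[int]]:
    """Build a chain, then flip the denied decision to 'allow' and re-verify."""
    records = append_chain(SAMPLE_EVENTS, KEY)
    ok_before, _ = verify_chain(records, KEY)
    tampered = copy.deepcopy(records)
    tampered[1]["event"]["outcome"] = "allow"   # the edit an attacker wants to make
    ok_after, bad_index = verify_chain(tampered, KEY)
    return ok_before, ok_after, bad_index

if __name__ == "__main__":
    print(demo_tamper())
```

One limit worth knowing when you evaluate any such scheme: deleting records from the tail of the chain leaves a chain that still verifies. Detecting truncation needs the latest hash to be anchored somewhere the storage writer cannot change (a published checkpoint, a separate system, or the SIEM copy).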
What Gets Logged
TigerIdentity captures events across all system components with rich contextual metadata.
Access Decisions
Every authorization check (allow/deny) with full context:
- • Principal identity and attributes
- • Resource accessed and action attempted
- • Policy evaluation result and matched rules
- • Context (IP, location, device, time)
- • Response time and cache hit/miss
Policy Changes
All modifications to authorization policies:
- • Policy created, updated, deleted, or activated
- • Full diff of changes (before/after)
- • Administrator who made the change
- • Change approval workflow (if enabled)
Identity Lifecycle
Changes to principals and their attributes:
- • Principal provisioned or deprovisioned
- • Attribute changes (department, role, clearance)
- • Group membership modifications
- • Entity resolution and deduplication events
Session Management
Just-in-time access grant lifecycle:
- • Session request submitted and approved/denied
- • Session activated with elevated permissions
- • Session expired or revoked
- • Actions performed during elevated session
Administrative Actions
System configuration and management:
- • User logins (successful and failed attempts)
- • API key creation, rotation, and revocation
- • Connector configuration changes
- • System settings modifications
Security Events
Anomalies and security-relevant events:
- • Unusual access patterns detected
- • Rate limit violations
- • Failed authentication attempts (brute force detection)
- • Policy simulation runs
Event Format
All audit events follow a standardized JSON schema with consistent fields across event types.
Access Decision Event
{
"event_id": "evt_2vX9Kp3mNqRs7Yt1",
"event_type": "access.decision",
"timestamp": "2026-02-05T14:23:47.392Z",
"tenant_id": "tenant_abc123",
"outcome": "allow",
"principal": {
"id": "user_jane_doe",
"type": "user",
"email": "[email protected]",
"department": "engineering",
"groups": ["developers", "platform-team"]
},
"resource": {
"type": "database",
"id": "prod-postgres-01",
"environment": "production",
"sensitivity": "high"
},
"action": "query",
"context": {
"ip": "203.0.113.42",
"location": {
"country": "US",
"region": "CA",
"city": "San Francisco"
},
"device_trust_level": "high",
"authentication_method": "sso",
"time_of_day": "business_hours"
},
"policy_evaluation": {
"matched_policies": ["pol_prod_db_access", "pol_eng_daytime"],
"evaluation_time_ms": 12,
"cache_hit": true
},
"metadata": {
"request_id": "req_xyz789",
"api_version": "v1",
"sdk_version": "tigeridentity-go/1.4.2"
}
}
Policy Change Event
{
"event_id": "evt_8nM2Lq7kPrTs4Wu5",
"event_type": "policy.updated",
"timestamp": "2026-02-05T14:30:12.847Z",
"tenant_id": "tenant_abc123",
"actor": {
"id": "user_admin_alice",
"email": "[email protected]",
"role": "security_admin"
},
"policy": {
"id": "pol_prod_db_access",
"name": "Production Database Access",
"version_before": 3,
"version_after": 4
},
"changes": {
"added_rules": [
{
"condition": "time_of_day == 'business_hours'",
"effect": "require_approval"
}
],
"removed_rules": [],
"modified_rules": []
},
"approval": {
"required": true,
"approver": "user_security_lead",
"approved_at": "2026-02-05T14:28:33Z"
}
}
Querying Logs
Query audit logs via REST API with powerful filtering, sorting, and aggregation capabilities.
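Every endpoint in this section returns one page per call, with total_count telling you how much you have not yet seen; fetching a principal's complete history means looping on next_cursor. The client below is an added example, not TigerIdentity's SDK. It assumes the cursor is echoed back as a `cursor` query parameter and that the API takes a bearer token (neither is stated on this page). The in-memory FakeAuditApi and its events are constructed so the example runs offline; swap in http_transport for the real service.

```python
"""Paginated client for GET /v1/audit/events (added example, not the SDK)."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# (method, path with query string, JSON body or None) -> parsed JSON response
Transport = Callable[[str, str, Optional[dict]], dict]

def http_transport(base_url: str, token: str) -> Transport:
    """Real transport over urllib; the offline demo below does not use it."""
    def call(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def iter_events(transport: Transport, **params: str) -> Iterator[dict]:
    """Yield every matching event, following next_cursor until it is absent."""
    cursor, seen = None, set()
    while True:
        q = dict(params)
        if cursor:
            q["cursor"] = cursor                     # assumed parameter name
        page = transport("GET", "/v1/audit/events?" + urllib.parse.urlencode(q), None)
        for ev in page["events"]:
            if ev["event_id"] in seen:               # a cursor bug must not loop forever
                raise RuntimeError("cursor returned an event already seen")
            seen.add(ev["event_id"])
            yield ev
        cursor = page.get("next_cursor")
        if not cursor:
            return

class FakeAuditApi:
    """Constructed stand-in for the API: honours principal_id and outcome,
    ignores other filters, and serves two events per page."""
    PAGE = 2
    FIELDS = {"principal_id": lambda e: e["principal"]["id"],
              "outcome": lambda e: e.get("outcome")}

    def __init__(self, events: List[dict]):
        self.events, self.calls = events, 0

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls += 1
        q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(path).query))
        match = [e for e in self.events
                 if all(f(e) == q[k] for k, f in self.FIELDS.items() if k in q)]
        start = int(q.get("cursor", "0"))
        end = start + self.PAGE
        return {"events": match[start:end], "total_count": len(match),
                "next_cursor": str(end) if end < len(match) else None}

SAMPLE_EVENTS = [  # constructed, in the page's access.decision shape (abridged)
    {"event_id": "evt_01", "event_type": "access.decision", "outcome": "deny",
     "principal": {"id": "user_jane_doe"}, "resource": {"id": "prod-postgres-01"}},
    {"event_id": "evt_02", "event_type": "access.decision", "outcome": "allow",
     "principal": {"id": "user_jane_doe"}, "resource": {"id": "prod-postgres-01"}},
    {"event_id": "evt_03", "event_type": "access.decision", "outcome": "deny",
     "principal": {"id": "user_jane_doe"}, "resource": {"id": "vault-prod"}},
    {"event_id": "evt_04", "event_type": "access.decision", "outcome": "deny",
     "principal": {"id": "user_bob"}, "resource": {"id": "vault-prod"}},
    {"event_id": "evt_05", "event_type": "access.decision", "outcome": "deny",
     "principal": {"id": "user_jane_doe"}, "resource": {"id": "prod-postgres-01"}},
]

def denied_resources(transport: Transport, principal_id: str) -> List[str]:
    """Distinct resources a principal was denied access to since 2026-02-01."""
    return sorted({e["resource"]["id"] for e in iter_events(
        transport, principal_id=principal_id, outcome="deny",
        start_time="2026-02-01T00:00:00Z")})

def count_events(transport: Transport, **params: str) -> int:
    return sum(1 for _ in iter_events(transport, **params))

if __name__ == "__main__":
    api = FakeAuditApi(SAMPLE_EVENTS)
    print(denied_resources(api, "user_jane_doe"), "in", api.calls, "pages")
```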
Search by Principal
GET /v1/audit/events?principal_id=user_jane_doe&start_time=2026-02-01T00:00:00Z
# Response
{
"events": [
{ "event_id": "evt_...", "event_type": "access.decision", ... },
{ "event_id": "evt_...", "event_type": "session.created", ... }
],
"total_count": 247,
"next_cursor": "cur_abc123"
}
Search by Resource
GET /v1/audit/events?resource_type=database&resource_id=prod-postgres-01&outcome=deny
# Find all denied access attempts to a specific database
Complex Queries with Filters
POST /v1/audit/events/query
Content-Type: application/json
{
"filters": [
{ "field": "event_type", "operator": "in", "values": ["access.decision"] },
{ "field": "context.location.country", "operator": "ne", "value": "US" },
{ "field": "timestamp", "operator": "gte", "value": "2026-02-01T00:00:00Z" }
],
"sort": [
{ "field": "timestamp", "order": "desc" }
],
"limit": 100
}
# Find access decisions made from outside the US since 2026-02-01
Aggregations
POST /v1/audit/events/aggregate
Content-Type: application/json
{
"group_by": ["principal.department", "outcome"],
"aggregations": {
"count": { "field": "event_id", "function": "count" }
},
"filters": [
{ "field": "event_type", "operator": "eq", "value": "access.decision" }
]
}
# Response: Access decisions by department and outcome
{
"groups": [
{ "department": "engineering", "outcome": "allow", "count": 15234 },
{ "department": "engineering", "outcome": "deny", "count": 42 },
{ "department": "finance", "outcome": "allow", "count": 3891 }
]
}
Retention Policies
Configure audit log retention to meet your compliance and operational requirements. Logs are automatically archived to cold storage after the hot retention period.
# config/audit-retention.yaml
retention:
# Hot storage: queryable via API
hot_retention_days: 90
# Warm storage: slower queries, lower cost
warm_retention_days: 365
# Cold archive: export-only, compliance retention
cold_retention_years: 7
# Event type overrides
overrides:
- event_types: ["policy.updated", "policy.deleted"]
cold_retention_years: 10 # Keep policy changes longer
- event_types: ["access.decision"]
outcome: "deny"
hot_retention_days: 180 # Keep denials in hot storage longer
# Auto-delete after retention period
auto_delete: true
# Legal hold: prevent deletion even after retention period
legal_hold:
enabled: false
reason: null
Storage Tiers
Export & Integration
Stream audit logs to your SIEM, data lake, or compliance platform in real-time or via scheduled exports.
SIEM Integration
Native integrations with leading SIEM platforms:
Splunk
HTTP Event Collector (HEC) with automatic batching
hec_endpoint: https://splunk.example.com:8088
hec_token: $SPLUNK_HEC_TOKEN
index: tigeridentity_audit
Datadog
Logs API with automatic tag enrichment
api_key: $DATADOG_API_KEY
site: datadoghq.com
service: tigeridentity
tags: [env:prod]
Sumo Logic
HTTP Source with JSON parsing
collector_url: https://collectors.sumologic.com/...
source_category: tigeridentity/audit
Amazon S3
Batched exports in Parquet or JSON
bucket: s3://my-audit-logs
format: parquet
batch_interval: 5m
Real-Time Streaming
# config/audit-streams.yaml
streams:
- name: security-events
destination:
type: webhook
url: https://api.example.com/webhooks/audit
auth:
type: bearer
token: $WEBHOOK_TOKEN
filters:
event_types:
- access.decision
- policy.updated
- session.created
outcomes:
- deny # Only stream denied access
batch_size: 100
batch_interval: 30s
retry_policy:
max_retries: 3
backoff: exponential
Bulk Export
POST /v1/audit/exports
Content-Type: application/json
# format: json, csv, or parquet
{
"start_time": "2026-01-01T00:00:00Z",
"end_time": "2026-01-31T23:59:59Z",
"format": "json",
"compression": "gzip",
"destination": {
"type": "s3",
"bucket": "my-compliance-exports",
"prefix": "audit-logs/2026-01/"
}
}
# Response
{
"export_id": "exp_abc123",
"status": "in_progress",
"estimated_completion": "2026-02-05T15:30:00Z"
}
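The retry policy in the stream configuration above means webhook delivery is at least once: a batch that timed out after your receiver stored it will arrive again. The receiver below is an added example, not code from the page or from TigerIdentity. It ties the Real-Time Streaming section to the Event Format section: it checks the bearer token from audit-streams.yaml, validates the common fields every event carries (event_id, event_type, timestamp, tenant_id), deduplicates on event_id, and runs two detection rules over the access.decision and policy.updated shapes shown earlier. Assumptions: the stream POSTs a JSON body of the form {"events": [...]} (the page does not document the payload), and the token is read from the WEBHOOK_TOKEN environment variable. The batch of events is constructed.

```python
"""Webhook receiver for a TigerIdentity audit stream (added example)."""
import hmac
import json
import os
from typing import Callable, Dict, List, Optional, Tuple

# Assumed: same value as $WEBHOOK_TOKEN in audit-streams.yaml; demo fallback is constructed.
WEBHOOK_TOKEN = os.environ.get("WEBHOOK_TOKEN", "constructed-demo-token")
REQUIRED = ("event_id", "event_type", "timestamp", "tenant_id")

def _bearer_ok(headers: Dict[str, str]) -> bool:
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time compare so the check itself does not leak the token.
    return scheme == "Bearer" and hmac.compare_digest(token, WEBHOOK_TOKEN)

# Detection rules over the page's event shapes; each returns an alert or None.
def deny_from_abroad(ev: dict) -> Optional[str]:
    if ev.get("event_type") == "access.decision" and ev.get("outcome") == "deny":
        country = ev.get("context", {}).get("location", {}).get("country")
        if country and country != "US":
            return (f"deny outside US: {ev.get('principal', {}).get('id')} -> "
                    f"{ev.get('resource', {}).get('id')} from {country}")
    return None

def unapproved_policy_change(ev: dict) -> Optional[str]:
    if ev.get("event_type") in ("policy.updated", "policy.deleted"):
        approval = ev.get("approval", {})
        if approval.get("required") and not approval.get("approved_at"):
            return (f"policy {ev.get('policy', {}).get('id')} changed by "
                    f"{ev.get('actor', {}).get('id')} without recorded approval")
    return None

RULES: List[Callable[[dict], Optional[str]]] = [deny_from_abroad, unapproved_policy_change]

class Receiver:
    def __init__(self) -> None:
        self.seen_ids: set = set()      # production: a durable store keyed by event_id
        self.stored: List[dict] = []

    def handle(self, headers: Dict[str, str], raw_body: bytes) -> Tuple[int, dict]:
        """Return (HTTP status, response body). Any non-2xx makes the stream retry."""
        if not _bearer_ok(headers):
            return 401, {"error": "unauthorized"}
        try:
            events = json.loads(raw_body)["events"]
            if not isinstance(events, list):
                raise TypeError
        except (ValueError, KeyError, TypeError):
            return 400, {"error": "body must be JSON with an 'events' list"}
        # Validate the whole batch before storing anything, so a bad batch
        # is rejected as a unit and a retry of it is idempotent.
        if any(not isinstance(ev, dict) or any(k not in ev for k in REQUIRED) for ev in events):
            return 400, {"error": "event missing required fields"}
        accepted, duplicates, alerts = 0, 0, []
        for ev in events:
            if ev["event_id"] in self.seen_ids:
                duplicates += 1              # retry of a batch we already persisted
                continue
            self.stored.append(ev)           # persist before acknowledging
            self.seen_ids.add(ev["event_id"])
            accepted += 1
            alerts.extend(a for a in (rule(ev) for rule in RULES) if a)
        return 200, {"accepted": accepted, "duplicates": duplicates, "alerts": alerts}

SAMPLE_BATCH = {"events": [   # constructed, abridged from the page's event shapes
    {"event_id": "evt_a1", "event_type": "access.decision",
     "timestamp": "2026-02-05T14:23:47.392Z", "tenant_id": "tenant_abc123",
     "outcome": "deny", "principal": {"id": "user_jane_doe"},
     "resource": {"id": "prod-postgres-01"}, "context": {"location": {"country": "RO"}}},
    {"event_id": "evt_a2", "event_type": "access.decision",
     "timestamp": "2026-02-05T14:24:01.010Z", "tenant_id": "tenant_abc123",
     "outcome": "allow", "principal": {"id": "user_jane_doe"},
     "resource": {"id": "prod-postgres-01"}, "context": {"location": {"country": "US"}}},
    {"event_id": "evt_a3", "event_type": "policy.updated",
     "timestamp": "2026-02-05T14:30:12.847Z", "tenant_id": "tenant_abc123",
     "actor": {"id": "user_admin_alice"}, "policy": {"id": "pol_prod_db_access"},
     "approval": {"required": True}},
]}

def demo() -> Tuple[int, dict, int, dict]:
    """Deliver the batch, then deliver it again as the stream's retry would."""
    rx = Receiver()
    good = {"Authorization": f"Bearer {WEBHOOK_TOKEN}"}
    status1, body1 = rx.handle(good, json.dumps(SAMPLE_BATCH).encode())
    status2, body2 = rx.handle(good, json.dumps(SAMPLE_BATCH).encode())
    return status1, body1, status2, body2

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real receiver: return 2xx only after the events are durably stored (a retry is your safety net, not a problem to suppress), and key the duplicate check on event_id rather than on batch contents, since a retried batch may be re-cut at a different batch_size.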