Audit trail
Complete action history with before/after change tracking
Cased CD Enterprise provides a comprehensive audit trail that records all actions taken in the system.
What’s recorded
Section titled “What’s recorded”Every action in Cased CD is logged with:
- Who — Username and user ID
- What — Action type and affected resource
- When — Timestamp with timezone
- Where — Source IP address
- Details — Before/after state for changes
Tracked events
Section titled “Tracked events”| Category | Events |
|---|---|
| Authentication | Login attempts, logout, SSO flows, token refresh |
| Applications | Create, update, delete, sync, rollback, resource actions |
| Clusters | Add, update, remove clusters |
| Repositories | Add, update, remove repositories |
| Projects | Create, update, delete projects |
| RBAC | Role changes, permission updates |
| Settings | Configuration changes |
Viewing the audit trail
Section titled “Viewing the audit trail”Navigate to Settings → Audit Trail in Cased CD to:
- Browse all events chronologically
- Filter by user, action type, or resource
- View detailed before/after diffs
- Export events for compliance
Storage
Section titled “Storage”Audit events are stored in a PersistentVolumeClaim:
# Default configurationenterprise: persistence: enabled: true size: 10Gi storageClass: "" # Uses cluster defaultStorage sizing
Section titled “Storage sizing”| Events | Approximate storage |
|---|---|
| 1 million | ~500 MB |
| 10 million | ~5 GB |
| 20 million | ~10 GB (default) |
Custom storage class
Section titled “Custom storage class”helm upgrade cased-cd cased/cased-cd-enterprise \ --namespace argocd \ --set 'imagePullSecrets[0].name=cased-cd-registry' \ --set enterprise.persistence.size=50Gi \ --set enterprise.persistence.storageClass=fast-ssdDisable persistent storage
Section titled “Disable persistent storage”For clusters without persistent storage support, disable the audit PVC:
helm upgrade cased-cd cased/cased-cd-enterprise \ --namespace argocd \ --set 'imagePullSecrets[0].name=cased-cd-registry' \ --set enterprise.auditTrail.enabled=falseLog format
Section titled “Log format”Audit events are written as JSON lines:
{ "timestamp": "2024-01-15T10:30:00Z", "user": "alice@example.com", "action": "sync", "resource": "application", "resourceName": "frontend", "project": "default", "sourceIP": "10.0.1.50", "success": true, "details": { "revision": "abc123", "prune": false }}Retention
Section titled “Retention”Audit events are retained indefinitely within the storage allocation. To manage retention:
- Increase storage — Scale the PVC for longer retention
- Export old events — Use the export feature before cleanup
- Log aggregation — Forward to external systems for long-term storage
Compliance
Section titled “Compliance”The audit trail helps meet compliance requirements for:
- SOC 2 — Access logging and change tracking
- HIPAA — Activity audit controls
- PCI DSS — Audit trail requirements
- ISO 27001 — Information security event logging
Forwarding to external systems
Section titled “Forwarding to external systems”Audit events logged to stdout can be collected by standard logging agents:
Fluent Bit
Section titled “Fluent Bit”[INPUT] Name tail Path /var/log/containers/cased-cd-enterprise*.log Parser json
[OUTPUT] Name elasticsearch Host elasticsearch.logging.svc Index cased-cd-auditCloudWatch (EKS)
Section titled “CloudWatch (EKS)”With the CloudWatch agent installed, logs are automatically forwarded to CloudWatch Logs.
scrape_configs: - job_name: cased-cd-audit kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name] regex: cased-cd-enterprise action: keep