Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.getbifrost.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Audit Logs in Bifrost provide complete visibility into security-critical events, user activities, configuration changes, and data access patterns. Enterprise audit logging ensures compliance with regulatory requirements including SOC 2, GDPR, HIPAA, and ISO 27001 through comprehensive, immutable audit trails.

Key Features

FeatureDescription
Immutable LogsTamper-proof audit trails with cryptographic verification
Real-Time CaptureInstant logging of all security-relevant events
Granular FilteringQuery by user, action, resource, or time range
Long-Term RetentionConfigurable retention policies for compliance
SIEM IntegrationExport to Splunk, Datadog, Elastic, and more
Alert TriggersAutomated alerts on suspicious activities

What Gets Logged

Authentication Events

  • User login (successful/failed)
  • User logout
  • Session creation/expiration
  • MFA verification
  • Password changes
  • Failed authentication attempts
  • Account lockouts
  • SSO redirects

Authorization Events

  • Model access attempts
  • Provider access checks
  • Virtual key usage
  • Budget limit checks
  • Rate limit violations
  • Permission denials

Configuration Changes

  • Virtual key creation/modification/deletion
  • Team/customer creation/updates
  • User provisioning/deprovisioning
  • Budget adjustments
  • Rate limit changes
  • Provider key updates
  • Guardrail configuration changes
  • SCIM/OIDC settings updates

Data Access Events

  • PII detection and handling
  • Data export operations
  • Log access and queries
  • Sensitive configuration access
  • API key exposure attempts

Security Events

  • Prompt injection attempts
  • Jailbreak attempts
  • Unusual access patterns
  • Multiple failed authentication attempts
  • API key abuse
  • Rate limit violations
  • Suspicious IP addresses
  • Guardrail violations

Configuration

Basic Audit Logging Setup

{
  "audit_logs": {
    "disabled": false,
    "hmac_key": "env.AUDIT_HMAC_KEY",
    "retention_days": 365
  }
}

Configuration Fields

FieldTypeDescription
disabledbooleanWhen true, audit logging is turned off. Default: false.
hmac_keystringHMAC secret key used to sign audit events. Minimum 32 bytes. Supports env. prefix for environment variables (e.g. env.AUDIT_HMAC_KEY).
retention_daysintegerDays to retain audit log entries. 0 disables retention-based cleanup.

Querying Audit Logs

API-Based Queries

Query Authentication Events: 
curl -X GET "http://localhost:8080/api/audit-logs?event_type=authentication&start_date=2024-01-01&end_date=2024-01-31" \
  -H "Authorization: Bearer admin-token"
Query by User: 
curl -X GET "http://localhost:8080/api/audit-logs?user_id=user-alice-001&limit=100" \
  -H "Authorization: Bearer admin-token"
Query Failed Access Attempts: 
curl -X GET "http://localhost:8080/api/audit-logs?action=access_denied&severity=high" \
  -H "Authorization: Bearer admin-token"
Query Configuration Changes: 
curl -X GET "http://localhost:8080/api/audit-logs?event_type=configuration_change&resource_type=virtual_key" \
  -H "Authorization: Bearer admin-token"

Advanced Filtering

curl -X POST http://localhost:8080/api/audit-logs/query \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer admin-token" \
  -d '{
    "filters": {
      "event_types": ["authentication", "authorization"],
      "date_range": {
        "start": "2024-01-01T00:00:00Z",
        "end": "2024-01-31T23:59:59Z"
      },
      "actors": {
        "user_ids": ["user-alice-001", "user-bob-002"],
        "ip_addresses": ["203.0.113.0/24"]
      },
      "status": ["failed", "blocked"],
      "severity": ["medium", "high", "critical"]
    },
    "sort": {
      "field": "timestamp",
      "order": "desc"
    },
    "limit": 1000,
    "include_details": true
  }'

Response Format

{
  "total_count": 347,
  "returned_count": 100,
  "page": 1,
  "audit_logs": [
    {
      "event_id": "evt_001",
      "timestamp": "2024-01-15T10:30:00.123Z",
      "event_type": "authentication",
      "action": "user_login",
      "status": "failed",
      "severity": "medium",
      "actor": {
        "user_id": "user-alice-001",
        "email": "[email protected]",
        "ip_address": "203.0.113.42"
      },
      "details": {
        "auth_method": "password",
        "failure_reason": "invalid_password",
        "attempts_count": 3
      },
      "verification": {
        "hash": "sha256:abc123...",
        "verified": true
      }
    }
  ],
  "next_page": "/api/enterprise/audit-logs?page=2"
}

SIEM Integration

Splunk Integration

{
    "audit_logs": {
      "siem_integration": {
        "splunk": {
          "enabled": true,
          "hec_endpoint": "https://splunk.company.com:8088/services/collector",
          "hec_token": "${SPLUNK_HEC_TOKEN}",
          "source_type": "bifrost:audit",
          "index": "security",
          "batch_size": 100,
          "flush_interval": "10s"
        }
      }
    }
}

Datadog Integration

{  
    "audit_logs": {
        "siem_integration": {
        "datadog": {
                "enabled": true,
                "api_key": "${DATADOG_API_KEY}",
                "site": "datadoghq.com",
                "service": "bifrost",
                "tags": ["env:production", "team:security"]
            }
        }
    }  
}

Elastic Security Integration

{  
    "audit_logs": {
      "siem_integration": {
        "elastic": {
          "enabled": true,
          "endpoint": "https://elastic.company.com:9200",
          "api_key": "${ELASTIC_API_KEY}",
          "index": "bifrost-audit-logs",
          "pipeline": "security-enrichment"
        }
      }
    }
}

Webhook Integration

{
    "audit_logs": {
      "webhooks": {
        "enabled": true,
        "endpoints": [
          {
            "name": "security_incidents",
            "url": "https://security.company.com/webhooks/audit",
            "auth": {
              "type": "bearer",
              "token": "${WEBHOOK_AUTH_TOKEN}"
            },
            "filters": {
              "event_types": ["security_incident"],
              "severity": ["high", "critical"]
            },
            "retry": {
              "max_attempts": 3,
              "backoff": "exponential"
            }
          }
        ]
      }
    }
}

Compliance Reporting

Generate Audit Reports

curl -X POST http://localhost:8080/api/enterprise/audit-logs/reports \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer admin-token" \
  -d '{
    "report_type": "compliance_audit",
    "compliance_framework": "soc2_type2",
    "date_range": {
      "start_date": "2024-01-01T00:00:00Z",
      "end_date": "2024-03-31T23:59:59Z"
    },
    "include_sections": [
      "authentication_events",
      "authorization_events",
      "configuration_changes",
      "security_incidents"
    ],
    "format": "pdf",
    "include_evidence": true
  }'

Report Types

Report TypeDescriptionUse Case
Access AuditAll user authentication and access eventsSOC 2, ISO 27001
Change AuditConfiguration and permission changesChange management
Security AuditSecurity incidents and violationsSecurity reviews
Compliance ReportFramework-specific compliance evidenceRegulatory audits
User ActivityIndividual user activity summaryHR investigations