---
title: "Ingest Audit Evidence"
url: "https://docs.caracal.run/services/audit/"
markdown_url: "https://docs.caracal.run/markdown/services/audit.md"
description: "Service reference for audit ingestion, DLQ, tamper checks, retention, search, and metrics."
page_type: "reference"
concepts: []
requires: []
---

# Ingest Audit Evidence

Canonical URL: https://docs.caracal.run/services/audit/
Markdown URL: https://docs.caracal.run/markdown/services/audit.md
Description: Service reference for audit ingestion, DLQ, tamper checks, retention, search, and metrics.
Page type: reference
Concepts: none
Requires: none

---

Audit consumes signed audit events from Redis, verifies integrity, writes append-only audit rows to Postgres, manages DLQ, and exposes operator search and metrics.

## Runtime

| Property | Value |
| --- | --- |
| Port | `9090` |
| Health/readiness | `GET /health`, `GET /ready` |
| Metrics | `GET /metrics`, `GET /metrics.json` |
| Search | `GET /api/audit/search` |
| DLQ | `GET /api/audit/dlq`, `GET /api/audit/dlq/{id}`, `POST /api/audit/dlq/replay` |

## Consumer Behavior

Audit consumes `caracal.audit.events` with the `audit-ingestor` consumer group. On startup it drains pending entries for its consumer, periodically claims orphaned entries, retries until `AUDIT_MAX_DELIVERIES`, and moves permanent failures to `caracal.audit.events.dlq`.

## Integrity Controls

| Control | Meaning |
| --- | --- |
| `AUDIT_HMAC_KEY` | Verifies producer-signed events in published modes. |
| Tamper checks | Detect content hash mismatch, chain breaks, and HMAC failures. |
| Append-only database role | Audit role cannot update or delete `audit_events`. |
| Retention | `AUDIT_RETENTION_DAYS`, partitions, and optional export watermarks. |

## Readiness Signals

| Signal | Meaning |
| --- | --- |
| DLQ threshold | `AUDIT_READY_DLQ_MAX` controls readiness tolerance. |
| Consumer lag | `AUDIT_READY_LAG_MAX` controls accepted stream lag. |
| PEL age | `AUDIT_READY_PEL_OLDEST_SECS_MAX` controls pending-entry staleness. |

## Next Step

Use [Automate Management](/services/control/) when remote automation needs the same product-management operations available in Console.

## Related Pages

- [Audit and Request Traces](/concepts/audit-ledger/)
- [Export Audit Evidence](/operations/compliance-audit-integration/)
- [Configure Alerts](/operations/alerts/)
