Export Audit Evidence
Caracal audit records provide decision evidence for STS, Gateway, Coordinator, policy evaluation, Control, and administrative activity. Treat audit as a protected evidence pipeline.
Evidence Path
```mermaid
flowchart LR
  Producer[API, STS, Gateway, Coordinator, Control] --> Redis[caracal.audit.events]
  Redis --> Audit[Audit service]
  Audit --> PG[(audit_events)]
  Audit --> DLQ[caracal.audit.events.dlq]
  Audit --> Export[S3-compatible export]
  Export --> SIEM[SIEM or archive]
```
Audit events are HMAC-protected in published modes. Audit storage includes tamper checks and append-only permission validation.
Integration Points
| Need | Surface |
|---|---|
| Search recent events | Console audit or Audit API search. |
| Trace one request | Console request trace or API request ID lookup. |
| SIEM export | caracal.audit.events consumer or Audit export path. |
| Evidence archive | Postgres backup plus object-store export. |
| Tamper response | CaracalAuditTamperDetected alert and incident runbook. |
Operational Controls
- Monitor Audit DLQ, consumer lag, tamper metrics, and export watermarks.
- Preserve audit HMAC keys according to retention requirements.
- Keep audit partitions and backup retention aligned with legal hold requirements.
- Do not manually mutate audit_events; verification expects append-only behavior.
Troubleshooting
| Symptom | Check |
|---|---|
| SIEM is missing events | Redis group lag, export watermark, Audit readiness, and network egress. |
| DLQ has HMAC failures | Producer key mismatch or corrupted stream payload. |
| Request explanation missing | Confirm request ID, zone, retention window, and that the protected request reached Caracal. |
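
One way to triage the "DLQ has HMAC failures" row, as an added example that is not Caracal code: re-verify each dead-lettered entry against every retained producer key to separate a key mismatch from a payload that no known key authenticates. The entry fields (`payload`, `hmac`), the key IDs, and the use of HMAC-SHA256 over canonical JSON are assumptions, not Caracal's documented format.

```python
import hashlib
import hmac
import json

# Constructed keys for illustration; real keys come from your secret store.
KEYS = {
    "producer-2024": b"constructed-retired-key",
    "producer-2025": b"constructed-current-key",
}


def canonical(payload) -> bytes:
    # Assumed canonical form: sorted keys, compact separators, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, key: bytes) -> str:
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def triage(entry, expected_key_id: str, keys=KEYS) -> str:
    """Classify a dead-lettered entry by which retained key, if any, verifies it."""
    try:
        data = canonical(entry["payload"])
        tag = str(entry["hmac"]).encode()
    except (KeyError, TypeError, ValueError):
        return "malformed"  # fields missing or payload not serializable
    matches = [
        kid for kid, key in keys.items()
        if hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest().encode(), tag)
    ]
    if expected_key_id in matches:
        return "valid"
    if matches:
        return "key_mismatch:" + matches[0]  # producer signed with another retained key
    return "corrupted_or_unknown_key"  # payload altered, or key not in the retained set


# Constructed sample entries (hypothetical field names).
EVENT = {"request_id": "req-constructed-1", "zone": "zone-a", "decision": "deny"}
SAMPLES = {
    "ok": {"payload": EVENT, "hmac": sign(EVENT, KEYS["producer-2025"])},
    "stale_key": {"payload": EVENT, "hmac": sign(EVENT, KEYS["producer-2024"])},
    "altered": {"payload": {**EVENT, "decision": "allow"},
                "hmac": sign(EVENT, KEYS["producer-2025"])},
}
```

A `key_mismatch` result points at producer configuration; `corrupted_or_unknown_key` calls for the tamper runbook or a check that retired keys were preserved.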
Next Step
Use Hand Off to Platform Teams when deployment, recovery, audit, alerting, and ownership evidence are ready.

