Skip to content

Ingest Audit Evidence

Audit consumes signed audit events from Redis, verifies integrity, writes append-only audit rows to Postgres, manages DLQ, and exposes operator search and metrics.

PropertyValue
Port9090
Health/readinessGET /health, GET /ready
MetricsGET /metrics, GET /metrics.json
SearchGET /api/audit/search
DLQGET /api/audit/dlq, GET /api/audit/dlq/{id}, POST /api/audit/dlq/replay

Audit consumes caracal.audit.events with the audit-ingestor consumer group. On startup it drains pending entries for its consumer, periodically claims orphaned entries, retries until AUDIT_MAX_DELIVERIES, and moves permanent failures to caracal.audit.events.dlq.

ControlMeaning
AUDIT_HMAC_KEYVerifies producer-signed events in published modes.
Tamper checksDetect content hash mismatch, chain breaks, and HMAC failures.
Append-only database roleAudit role cannot update or delete audit_events.
RetentionAUDIT_RETENTION_DAYS, partitions, and optional export watermarks.
SignalMeaning
DLQ thresholdAUDIT_READY_DLQ_MAX controls readiness tolerance.
Consumer lagAUDIT_READY_LAG_MAX controls accepted stream lag.
PEL ageAUDIT_READY_PEL_OLDEST_SECS_MAX controls pending-entry staleness.

Use Automate Management when remote automation needs the same product-management operations available in Console.