Use Case 010: Activity Logging and Audit Trail
Overview
| Property | Value |
|---|---|
| Use Case ID | UC-010 |
| Use Case Name | Activity Logging and Audit Trail |
| Module | Security and Compliance - Audit System |
| Priority | High |
| Status | Implemented |
| Version | 1.0 |
| Last Updated | January 30, 2026 |
Description
This use case describes the comprehensive activity logging and audit trail system for the Application Manager platform. The system automatically captures and securely stores all significant user activities, administrative operations, configuration changes, and security events to maintain a complete audit trail for compliance, security monitoring, and operational troubleshooting. The audit system operates transparently without requiring user interaction and provides powerful search, filtering, and reporting capabilities for administrators and compliance officers.
Actors
| Actor | Description | Role |
|---|---|---|
| System | Application Manager platform with audit middleware | Primary |
| Logged User | Any authenticated user performing actions | Subject |
| Administrator | System admin reviewing logs and performing operations | Subject + Consumer |
| Security Officer | Security personnel monitoring for suspicious activity | Consumer |
| Compliance Auditor | Compliance officer generating audit reports | Consumer |
| Log Storage | Database or dedicated logging service | Supporting |
Preconditions
- Application Manager is running with audit middleware enabled
- Database connection is available for log storage
- Log retention policies are configured
- Adequate storage space is available for logs
- System time is synchronized (NTP configured)
- Audit log schema is properly initialized
Postconditions
Success Postconditions
- Activity log record persisted to database
- Log entry includes all required audit fields
- Log timestamp accurately recorded (UTC)
- User identity and session captured
- IP address and user agent logged
- Log data encrypted if configured
- Real-time monitoring alerts triggered if applicable
- Log available for search and reporting
Failure Postconditions
- Failed log attempt recorded in error log
- Alert triggered if logging system is unavailable
- Primary operation continues (logging failure doesn't block user actions)
- Fallback logging mechanism engaged if configured
Triggers
- User performs any authenticated action (login, logout, data access)
- Administrator executes privileged operation (user creation, role change)
- Configuration change is made (application settings, system config)
- Security event occurs (failed login, access denied, token expiration)
- API call is made to any protected endpoint
- Session is created, updated, or terminated
- Scheduled task or background job executes
- Data export or backup operation is performed
Basic Flow (Happy Path)
Detailed Steps
Activity Occurs
- User performs authenticated action
- System intercepts action via audit middleware
- Action execution proceeds normally (logging is non-blocking)
Context Capture
- Extract user identity (user ID, username, email)
- Capture session information (session ID, token type)
- Record IP address and geographic location (if available)
- Capture user agent (browser, app, API client)
- Record timestamp in UTC with millisecond precision
- Capture request method and endpoint
- Extract relevant payload data (sanitized, no sensitive data)
Event Classification
- Determine event type (Authentication, Authorization, Configuration, DataAccess, etc.)
- Assign severity level (Info, Warning, Error, Critical)
- Categorize action (Create, Read, Update, Delete, Execute)
- Tag with relevant categories (Security, Compliance, Operations)
Log Entry Construction
- Build structured log entry with all captured context
- Include before/after state for configuration changes
- Add correlation ID for related actions
- Include parent activity ID for hierarchical operations
- Calculate and store event hash for tamper detection
Async Logging
- Enqueue log entry to in-memory queue
- Return control to primary operation immediately
- Background worker processes queue in batches
- Batch size: 100 entries or 5-second interval (whichever comes first)
Persistence
- Background worker retrieves batch from queue
- Insert log entries into database (bulk operation)
- Update log index for fast searching
- Replicate to backup storage if configured
- Confirm persistence and remove from queue
Real-time Monitoring
- Monitor service receives new log notification
- Apply pattern detection rules
- Check for suspicious activity indicators:
  - Multiple failed login attempts
  - Unusual access patterns
  - Privilege escalation attempts
  - Mass data exports
  - After-hours administrative actions
- Trigger alerts if thresholds exceeded
Retention and Archival
- Scheduled job runs daily to check log age
- Logs older than retention period moved to archive
- Archived logs compressed and stored in cold storage
- Archive index maintained for historical searches
- Old archives deleted per compliance policy
Alternative Flows
Alt Flow 1: High-Volume Logging Scenario
Steps:
- System detects high activity volume (queue size > 1000 entries)
- Audit system switches to high-throughput mode
- Increase batch size to reduce database round trips
- Compress log entries before storage
- Prioritize critical security events over informational logs
- Monitor queue depth and adjust batching dynamically
- Return to normal mode when queue drains below threshold
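The Async Logging and Persistence steps above, together with Alt Flow 1's high-throughput mode, as an added example (not code from the Application Manager project): a queue drained in batches of 100 entries or every 5 seconds, switching to larger, severity-ordered batches above 1000 queued entries. The 500-entry high-volume batch and the drain-back point at half the threshold are assumptions; the clock is injected so the interval flush can be exercised deterministically.

```python
from collections import deque

# Thresholds from the use case: 100 entries or 5 seconds, high-volume above 1000 queued.
BATCH_SIZE = 100
FLUSH_INTERVAL_SECONDS = 5.0
HIGH_VOLUME_THRESHOLD = 1000
HIGH_VOLUME_BATCH_SIZE = 500   # assumption: the page says "increase batch size" without a number
SEVERITY_RANK = {"Critical": 0, "Error": 1, "Warning": 2, "Info": 3}


class AuditBatcher:
    """In-memory queue drained by a background worker in batches.

    `persist(batch)` is the bulk insert (assumed callable; raises on failure) and
    `clock()` returns seconds, so the flush interval can be tested without threads.
    """

    def __init__(self, persist, clock):
        self._queue = deque()
        self._persist = persist
        self._clock = clock
        self._last_flush = clock()
        self.high_volume = False

    def enqueue(self, entry):
        # Request path: O(1) append, never waits on the database (BR-008).
        self._queue.append(entry)
        if len(self._queue) > HIGH_VOLUME_THRESHOLD:
            self.high_volume = True

    def pending(self):
        return len(self._queue)

    def _batch_limit(self):
        return HIGH_VOLUME_BATCH_SIZE if self.high_volume else BATCH_SIZE

    def _take_batch(self):
        limit = min(len(self._queue), self._batch_limit())
        if not self.high_volume:
            return [self._queue.popleft() for _ in range(limit)]
        # High-throughput mode: Critical/Error entries jump the queue so security
        # events are persisted before a backlog of Info entries (stable sort keeps
        # arrival order within one severity).
        items = list(self._queue)
        order = sorted(range(len(items)), key=lambda i: SEVERITY_RANK.get(items[i].get("Severity"), 3))
        chosen = set(order[:limit])
        self._queue = deque(e for i, e in enumerate(items) if i not in chosen)
        return [items[i] for i in order[:limit]]

    def tick(self):
        """One worker iteration: flush when the size or interval threshold is met.

        Returns the persisted batch (empty if nothing was due or the insert failed).
        """
        now = self._clock()
        size_due = len(self._queue) >= self._batch_limit()
        time_due = bool(self._queue) and now - self._last_flush >= FLUSH_INTERVAL_SECONDS
        if not (size_due or time_due):
            return []
        batch = self._take_batch()
        try:
            self._persist(batch)
        except Exception:
            # Persistence failed: entries go back to the front of the queue for retry,
            # so the worker confirms persistence before anything is discarded.
            self._queue.extendleft(reversed(batch))
            return []
        self._last_flush = now
        # Assumption: leave high-volume mode once the backlog is below half the threshold.
        if self.high_volume and len(self._queue) < HIGH_VOLUME_THRESHOLD // 2:
            self.high_volume = False
        return batch


class FakeClock:
    """Constructed clock for the demo; a real worker would use time.monotonic()."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Constructed run: size flush, interval flush, then high-volume prioritisation."""
    stored, clock = [], FakeClock()
    batcher = AuditBatcher(persist=stored.extend, clock=clock)
    for i in range(99):
        batcher.enqueue({"Id": i, "Severity": "Info"})
    first = len(batcher.tick())            # 99 < 100 and 0 s elapsed: nothing flushed
    batcher.enqueue({"Id": 99, "Severity": "Info"})
    second = len(batcher.tick())           # 100 entries: size threshold reached
    batcher.enqueue({"Id": 100, "Severity": "Warning"})
    clock.now = 5.0
    third = len(batcher.tick())            # 1 entry, but 5 s elapsed: interval flush
    for i in range(1200):
        batcher.enqueue({"Id": 1000 + i, "Severity": "Info"})
    batcher.enqueue({"Id": 9999, "Severity": "Critical"})
    burst = batcher.tick()                 # high-volume: bigger batch, Critical first
    return first, second, third, len(burst), burst[0]["Severity"], len(stored)
```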
Alt Flow 2: Log Search and Filtering
Steps:
- Administrator navigates to audit log interface
- System displays recent logs (default: last 24 hours)
- Administrator applies filters:
  - User/Actor filter
  - Date/time range
  - Event type (Authentication, Configuration, etc.)
  - Severity level
  - Action type (Create, Update, Delete)
  - IP address or geographic location
  - Application or module
- System queries database with optimized indexes
- Results cached for 5 minutes to improve performance
- Administrator can export filtered results to CSV/JSON
- Export operation logs the data export activity itself
Alt Flow 3: Suspicious Activity Detection and Alerting
Steps:
- Real-time monitor detects pattern in log events
- Suspicious patterns include:
  - 5+ failed login attempts from same IP in 10 minutes
  - Rapid succession of access denied events
  - Unusual data export volume
  - After-hours access by privileged users
  - Multiple concurrent sessions from different locations
  - Sudden spike in API calls from single user
- Rules engine evaluates event against detection rules
- If rule threshold exceeded, security alert generated
- Alert sent to security team via configured channels
- Automated response actions executed (IP blocking, session termination)
- Security officer reviews alert and takes additional actions
- All alert and response actions logged in audit trail
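Two of the detection rules from Alt Flow 3 evaluated over constructed log entries, as an added example (not the project's own rules engine): a sliding-window rule for 5+ failed logins from one IP in 10 minutes, and an after-hours rule for privileged actors. The 22:00-06:00 UTC after-hours window and the entry shapes are assumptions based on the Activity Log Schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                    # Alt Flow 3: 5+ failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... from the same IP in 10 minutes
AFTER_HOURS = (22, 6)                         # assumption: 22:00-06:00 UTC is "after hours"
PRIVILEGED_ACTORS = {"Admin"}
PRIVILEGED_EVENTS = {"Administration", "Configuration"}


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_login_bursts(entries):
    """Sliding-window rule: >= threshold failed logins from one IP inside the window."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in sorted(entries, key=lambda e: parse_ts(e["Timestamp"])):
        if e["Action"] != "Login" or e["Success"]:
            continue
        ts, ip = parse_ts(e["Timestamp"]), e["IpAddress"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FAILED_LOGIN_WINDOW:   # drop failures older than the window
            window.popleft()
        if len(window) >= FAILED_LOGIN_THRESHOLD and ip not in alerted:
            alerted.add(ip)   # one alert per IP per burst, not one per extra failure
            alerts.append({"rule": "FailedLoginBurst", "ipAddress": ip,
                           "count": len(window), "windowEnd": e["Timestamp"]})
    return alerts


def after_hours_admin_actions(entries):
    """Privileged actor making an administrative/configuration change outside business hours."""
    start, end = AFTER_HOURS
    alerts = []
    for e in entries:
        hour = parse_ts(e["Timestamp"]).hour
        outside = hour >= start or hour < end
        if e["ActorType"] in PRIVILEGED_ACTORS and e["EventType"] in PRIVILEGED_EVENTS and outside:
            alerts.append({"rule": "AfterHoursAdminAction", "actor": e["ActorUsername"],
                           "operation": e["Operation"], "timestamp": e["Timestamp"]})
    return alerts


RULES = (failed_login_bursts, after_hours_admin_actions)


def evaluate_rules(entries):
    """Rules engine step: every rule sees the batch; alerts are collected for the alert channel."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(entries))
    return alerts


def sample_entries():
    """Constructed entries using a subset of the Activity Log Schema fields."""
    def entry(ts, actor_type, user, event, action, op, ip, ok):
        return {"Timestamp": ts, "ActorType": actor_type, "ActorUsername": user,
                "EventType": event, "Action": action, "Operation": op,
                "IpAddress": ip, "Success": ok}

    entries = [
        entry("2026-01-30T10:30:42Z", "User", "jdoe", "Authentication", "Login",
              "CreateSession", "198.51.100.20", True),
        entry("2026-01-30T03:15:00Z", "Admin", "admin@example.com", "Configuration", "Update",
              "UpdateApplicationSettings", "192.168.1.100", True),
    ]
    # Six failures from one IP two minutes apart: the 5th (10:18) lands inside the window.
    for n in range(6):
        entries.append(entry(f"2026-01-30T10:{10 + 2 * n:02d}:00Z", "User", "unknown",
                             "Authentication", "Login", "CreateSession", "203.0.113.7", False))
    # Two failures from another IP stay below the threshold.
    for ts in ("2026-01-30T09:00:00Z", "2026-01-30T09:03:00Z"):
        entries.append(entry(ts, "User", "unknown", "Authentication", "Login",
                             "CreateSession", "198.51.100.20", False))
    return entries
```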
Alt Flow 4: Compliance Audit Report Generation
Steps:
- Compliance auditor requests audit report
- Select report type:
  - User Access Report (who accessed what and when)
  - Configuration Change Report (all config modifications)
  - Administrative Actions Report (privileged operations)
  - Security Events Report (failed logins, access denied)
  - Data Export Report (all data extractions)
- Specify date range and filters
- System queries audit log database
- Aggregate data by relevant dimensions
- Calculate compliance metrics:
  - Total unique users
  - Average login frequency
  - Failed authentication rate
  - Unauthorized access attempts
  - Configuration change frequency
- Generate formatted report (Excel/CSV)
- Include summary sheet with key findings
- Include detailed event listing with timestamps
- Deliver report to auditor via secure download
Alt Flow 5: Log Retention and Archival
Steps:
- Scheduled job runs daily at 2:00 AM UTC
- Query logs older than configured retention period (default: 90 days)
- For logs meeting archival criteria:
  - Compress logs using gzip compression
  - Move to cold storage (S3, Azure Blob, file system)
  - Update archive index with location pointer
  - Verify archive integrity
  - Delete from primary database
- For archived logs older than compliance requirement (e.g., 7 years):
  - Schedule for permanent deletion
  - Generate certificate of destruction
  - Purge from all storage locations
- Generate archival report for compliance officer
- Log archival operation in audit trail
Alt Flow 6: Logging System Failure
Steps:
- Audit middleware attempts to log activity
- Database connection fails or times out
- System retries with exponential backoff (3 attempts)
- If persistent failure, switch to fallback mechanism:
  - Write logs to local file system
  - Queue logs in memory (with size limit)
  - Send critical logs to alternative service (Syslog, CloudWatch)
- Health monitor detects logging system degradation
- Alert sent to operations team
- Primary operation continues (user unaffected)
- Once database restored, buffered logs replayed
- Verify log continuity and integrity
- Resume normal logging operation
Business Rules
| Rule ID | Description | Enforcement |
|---|---|---|
| BR-001 | All authentication events must be logged (success and failure) | Audit middleware intercepts all auth operations |
| BR-002 | All administrative actions must be logged with full context | Admin API endpoints instrumented |
| BR-003 | All configuration changes must log before and after state | Configuration service logs state transitions |
| BR-004 | Sensitive data (passwords, tokens) must never be logged | Sanitization filter applied to all log entries |
| BR-005 | Log timestamps must be in UTC with millisecond precision | System time synchronized via NTP |
| BR-006 | Logs must be retained for minimum 90 days in active storage | Retention policy enforced by archival job |
| BR-007 | Archived logs must be retained for 7 years for compliance | Archive retention enforced in compliance mode |
| BR-008 | Failed logging must not block primary user operations | Async logging with fallback mechanisms |
| BR-009 | Log entries must be immutable after creation | Audit log table has no UPDATE or DELETE permissions |
| BR-010 | Log tampering must be detectable via cryptographic hashing | SHA-256 hash computed for each log entry |
| BR-011 | Security events must trigger real-time monitoring alerts | Pattern detection rules evaluated continuously |
| BR-012 | Logs must be encrypted at rest if compliance requires | Database encryption and file encryption enabled |
Data Requirements
Activity Log Schema
{
"Id": "uuid-v4 (primary key)",
"Timestamp": "datetime with microseconds (UTC, indexed)",
"CorrelationId": "uuid-v4 (groups related operations)",
"ParentActivityId": "uuid-v4 (for hierarchical operations, nullable)",
"EventType": "enum (Authentication, Authorization, Configuration, DataAccess, System, Security)",
"Action": "enum (Create, Read, Update, Delete, Execute, Login, Logout, Export, Import)",
"Severity": "enum (Info, Warning, Error, Critical)",
"ActorType": "enum (User, Admin, System, ApiClient, BackgroundJob)",
"ActorId": "uuid-v4 (user or service account ID)",
"ActorUsername": "string (username or service name)",
"ActorEmail": "string (email address if applicable)",
"SessionId": "uuid-v4 (session identifier, nullable)",
"ResourceType": "string (User, Application, Configuration, Session, etc.)",
"ResourceId": "string (affected resource identifier)",
"ResourceName": "string (human-readable resource name)",
"Operation": "string (specific operation, e.g., 'UpdateUserRole', 'CreateSession')",
"IpAddress": "string (IPv4 or IPv6)",
"UserAgent": "string (browser/client identification)",
"GeoLocation": "string (city, country derived from IP)",
"RequestMethod": "string (GET, POST, PUT, DELETE)",
"RequestPath": "string (API endpoint path)",
"RequestPayload": "jsonb (sanitized request data, optional)",
"ResponseStatus": "integer (HTTP status code)",
"ResponseTime": "integer (milliseconds)",
"Success": "boolean (operation success indicator)",
"ErrorMessage": "string (error details if failed, nullable)",
"BeforeState": "jsonb (state before change, for config changes)",
"AfterState": "jsonb (state after change, for config changes)",
"Tags": "array of strings (searchable tags: compliance, security, etc.)",
"Metadata": "jsonb (additional context as key-value pairs)",
"EventHash": "string (SHA-256 hash for tamper detection)",
"CreatedAt": "datetime (UTC, when log was created)",
"IsArchived": "boolean (archived status)",
"ArchiveLocation": "string (pointer to archived log, nullable)"
}
Event Types
| Event Type | Description | Examples |
|---|---|---|
| Authentication | User authentication events | Login, Logout, Token refresh, Password reset |
| Authorization | Access control decisions | Access granted, Access denied, Permission check |
| Configuration | System/app configuration changes | Update settings, Change retention policy, Modify app config |
| DataAccess | Data read/write operations | Query execution, Record update, Bulk export |
| System | System-level events | Service start, Service stop, Health check, Scheduled job |
| Security | Security-related events | Failed login, IP block, Suspicious activity, Token expiration |
| Administration | Admin operations | User creation, Role assignment, Application registration |
Action Types
- Create: Resource creation (user, session, application)
- Read: Data access or query (list users, view config)
- Update: Resource modification (update user, change settings)
- Delete: Resource deletion (delete user, revoke session)
- Execute: Operation execution (run job, execute command)
- Login: Authentication success
- Logout: Session termination
- Export: Data extraction (CSV export, backup)
- Import: Data ingestion (restore, bulk load)
Severity Levels
| Severity | Description | Use Cases |
|---|---|---|
| Info | Normal operations | Successful login, routine data access, config view |
| Warning | Noteworthy but not critical | Failed validation, deprecated API usage, approaching limits |
| Error | Operation failure | Failed operation, database error, external service failure |
| Critical | Security or system critical event | Security breach attempt, data corruption, system failure |
User Interface
Activity Log Viewer
┌────────────────────────────────────────────────────────────────────────────┐
│ Activity Logs & Audit Trail [Export] │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Filters: │
│ ┌──────────────┐ ┌───────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ User: All ▾ │ │ Event Type ▾ │ │ Severity ▾ │ │ Date Range ▾ │ │
│ └──────────────┘ └───────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ Search: ┌────────────────────────────────────────┐ [Search] [Clear] │
│ │ Filter by keyword, IP, or resource... │ │
│ └────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ Timestamp User Event Type Action Resource │ │
│ ├─────────────────────────────────────────────────────────────────────┤ │
│ │ 2026-01-30 10:32:15 admin Configuration Update AppSettings│ │
│ │ 🔍 View Details ✓ Success │ │
│ │ │ │
│ │ 2026-01-30 10:30:42 jdoe Authentication Login Session │ │
│ │ 🔍 View Details ✓ Success │ │
│ │ │ │
│ │ 2026-01-30 10:28:19 system System Execute BackupJob │ │
│ │ 🔍 View Details ✓ Success │ │
│ │ │ │
│ │ 2026-01-30 10:15:33 unknown Authentication Login Session │ │
│ │ 🔍 View Details ✗ Failed │ │
│ │ ⚠️ Suspicious: Multiple failed attempts detected │ │
│ │ │ │
│ │ 2026-01-30 10:12:07 admin Administration Create User │ │
│ │ 🔍 View Details ✓ Success │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │
│ Showing 1-10 of 2,547 entries [◄ Prev] Page 1 of 255 [Next ►]│
└────────────────────────────────────────────────────────────────────────────┘
Log Detail View
┌────────────────────────────────────────────────────────────────────────────┐
│ Activity Log Detail [Close] │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ 📋 Event Information │
│ ─────────────────────────────────────────────────────────────────────── │
│ ID: 550e8400-e29b-41d4-a716-446655440000 │
│ Timestamp: 2026-01-30 10:32:15.247 UTC │
│ Correlation ID: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d │
│ Event Type: Configuration │
│ Action: Update │
│ Severity: ⚠️ Warning │
│ Status: ✓ Success │
│ │
│ 👤 Actor Information │
│ ─────────────────────────────────────────────────────────────────────── │
│ Actor Type: Admin │
│ User ID: admin-user-id-12345 │
│ Username: admin@example.com │
│ Session ID: session-67890 │
│ IP Address: 192.168.1.100 (San Francisco, USA) │
│ User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)... │
│ │
│ 🎯 Resource Information │
│ ─────────────────────────────────────────────────────────────────────── │
│ Operation: UpdateApplicationSettings │
│ Resource Type: Configuration │
│ Resource ID: app-fee-manager-config │
│ Resource Name: Fee Manager Configuration │
│ │
│ 🔄 State Changes │
│ ─────────────────────────────────────────────────────────────────────── │
│ Before: │
│ { │
│ "maxConcurrentSessions": 5, │
│ "sessionTimeoutMinutes": 30 │
│ } │
│ │
│ After: │
│ { │
│ "maxConcurrentSessions": 10, │
│ "sessionTimeoutMinutes": 60 │
│ } │
│ │
│ 🔧 Request Details │
│ ─────────────────────────────────────────────────────────────────────── │
│ Method: PUT │
│ Path: /api/v1/applications/fee-manager/settings │
│ Response Status: 200 OK │
│ Response Time: 143ms │
│ │
│ 🏷️ Tags: configuration, admin, compliance │
│ │
│ [View Related Logs] [Export Event] [Flag for Review] │
└────────────────────────────────────────────────────────────────────────────┘
Advanced Search Interface
┌────────────────────────────────────────────────────────────────────────────┐
│ Advanced Log Search │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ 📅 Time Range │
│ ┌──────────────────────┐ to ┌──────────────────────┐ │
│ │ 2026-01-01 00:00:00 │ │ 2026-01-30 23:59:59 │ │
│ └──────────────────────┘ └──────────────────────┘ │
│ Quick: [Last Hour] [Today] [Last 7 Days] [Last 30 Days] │
│ │
│ 👤 Actor Filters │
│ User: ┌─────────────────────────┐ Actor Type: ┌──────────────┐ │
│ │ Select or type... ▾ │ │ All ▾ │ │
│ └─────────────────────────┘ └──────────────┘ │
│ │
│ 🎯 Event Filters │
│ Event Type: ☐ Authentication ☐ Authorization ☐ Configuration │
│ ☐ DataAccess ☐ System ☐ Security │
│ ☐ Administration │
│ │
│ Action: ☐ Create ☐ Read ☐ Update ☐ Delete │
│ ☐ Execute ☐ Login ☐ Logout ☐ Export │
│ │
│ Severity: ☐ Info ☐ Warning ☐ Error ☐ Critical │
│ │
│ 📊 Status & Performance │
│ Success: ○ All ○ Success Only ○ Failures Only │
│ ☐ Response time > _____ ms │
│ │
│ 🌐 Network Filters │
│ IP Address: ┌─────────────────────────┐ │
│ │ e.g., 192.168.1.100 │ │
│ └─────────────────────────┘ │
│ Location: ┌─────────────────────────┐ │
│ │ e.g., San Francisco │ │
│ └─────────────────────────┘ │
│ │
│ 🔍 Text Search │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ Search in operation, resource name, error message... │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │
│ 💾 Saved Searches: ┌──────────────────────┐ [Save Current Search] │
│ │ My Saved Searches ▾ │ │
│ └──────────────────────┘ │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────────────────────────────────┐ │
│ │ Search │ │ Clear │ │ Export Results (CSV/JSON/Excel) │ │
│ └──────────┘ └──────────┘ └──────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────┘
Compliance Report Dashboard
┌────────────────────────────────────────────────────────────────────────────┐
│ Compliance Reports │
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ 📊 Generate Compliance Report │
│ │
│ Report Type: │
│ ┌────────────────────────────────────────────────────────────────────┐ │
│ │ ○ User Access Activity Report │ │
│ │ ○ Configuration Change Audit Report │ │
│ │ ○ Administrative Actions Report │ │
│ │ ○ Security Events and Incidents Report │ │
│ │ ● Data Export and Privacy Report │ │
│ │ ○ Failed Authentication Attempts Report │ │
│ │ ○ Custom Report (Advanced) │ │
│ └────────────────────────────────────────────────────────────────────┘ │
│ │
│ Report Period: │
│ ┌──────────────────────┐ to ┌──────────────────────┐ │
│ │ 2025-10-01 │ │ 2026-01-30 │ │
│ └──────────────────────┘ └──────────────────────┘ │
│ Presets: [Q4 2025] [Last Quarter] [Last Year] [Custom] │
│ │
│ Include Sections: │
│ ☑ Executive Summary │
│ ☑ Statistical Overview │
│ ☑ Key Findings and Insights │
│ ☑ Detailed Event Listing (first 1,000 entries) │
│ ☑ Anomaly Detection Results │
│ ☐ User Activity Breakdown │
│ ☑ Compliance Checklist │
│ │
│ Output Format: ● Excel ○ CSV ○ JSON │
│ │
│ ┌──────────────────────┐ │
│ │ Generate Report │ │
│ └──────────────────────┘ │
│ │
│ 📥 Recent Reports │
│ ─────────────────────────────────────────────────────────────────────── │
│ • Q4 2025 Security Events Report.xlsx Generated: 2026-01-15 │
│ [Download] [View] [Delete] │
│ │
│ • 2025 Annual Administrative Actions Report Generated: 2026-01-05 │
│ [Download] [View] [Delete] │
│ │
│ • December 2025 User Access Report Generated: 2026-01-02 │
│ [Download] [View] [Delete] │
└────────────────────────────────────────────────────────────────────────────┘
API Endpoints
Query Activity Logs
Endpoint: GET /api/v1/audit-logs
Authentication: Admin or Security Officer role required
Query Parameters:
?from=2026-01-01T00:00:00Z (Start timestamp, ISO 8601)
&to=2026-01-30T23:59:59Z (End timestamp, ISO 8601)
&userId=550e8400-e29b-41d4-a716-... (Filter by user ID)
&eventType=Authentication,Security (Comma-separated event types)
&action=Login,Logout (Comma-separated actions)
&severity=Warning,Error,Critical (Comma-separated severities)
&success=true (Filter by success/failure)
&resourceType=User (Filter by resource type)
&ipAddress=192.168.1.100 (Filter by IP address)
&search=password reset (Full-text search)
&page=1 (Pagination: page number)
&pageSize=50 (Pagination: items per page, max 500)
&sortBy=Timestamp (Sort field)
&sortOrder=desc (Sort order: asc or desc)
Success Response: 200 OK
{
"data": [
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"timestamp": "2026-01-30T10:32:15.247Z",
"correlationId": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
"eventType": "Configuration",
"action": "Update",
"severity": "Warning",
"actorType": "Admin",
"actorId": "admin-user-id-12345",
"actorUsername": "admin@example.com",
"actorEmail": "admin@example.com",
"sessionId": "session-67890",
"resourceType": "Configuration",
"resourceId": "app-fee-manager-config",
"resourceName": "Fee Manager Configuration",
"operation": "UpdateApplicationSettings",
"ipAddress": "192.168.1.100",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) ...",
"geoLocation": "San Francisco, USA",
"requestMethod": "PUT",
"requestPath": "/api/v1/applications/fee-manager/settings",
"responseStatus": 200,
"responseTime": 143,
"success": true,
"beforeState": {
"maxConcurrentSessions": 5,
"sessionTimeoutMinutes": 30
},
"afterState": {
"maxConcurrentSessions": 10,
"sessionTimeoutMinutes": 60
},
"tags": ["configuration", "admin", "compliance"]
}
],
"pagination": {
"page": 1,
"pageSize": 50,
"totalItems": 2547,
"totalPages": 51
},
"query": {
"from": "2026-01-01T00:00:00Z",
"to": "2026-01-30T23:59:59Z",
"filters": ["eventType=Configuration"]
}
}
Get Log Entry Details
Endpoint: GET /api/v1/audit-logs/{logId}
Authentication: Admin or Security Officer role required
Success Response: 200 OK
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"timestamp": "2026-01-30T10:32:15.247Z",
"correlationId": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d",
"parentActivityId": null,
"eventType": "Configuration",
"action": "Update",
"severity": "Warning",
"actorType": "Admin",
"actorId": "admin-user-id-12345",
"actorUsername": "admin@example.com",
"actorEmail": "admin@example.com",
"sessionId": "session-67890",
"resourceType": "Configuration",
"resourceId": "app-fee-manager-config",
"resourceName": "Fee Manager Configuration",
"operation": "UpdateApplicationSettings",
"ipAddress": "192.168.1.100",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
"geoLocation": "San Francisco, USA",
"requestMethod": "PUT",
"requestPath": "/api/v1/applications/fee-manager/settings",
"requestPayload": {
"maxConcurrentSessions": 10,
"sessionTimeoutMinutes": 60
},
"responseStatus": 200,
"responseTime": 143,
"success": true,
"errorMessage": null,
"beforeState": {
"maxConcurrentSessions": 5,
"sessionTimeoutMinutes": 30,
"updatedBy": "system",
"updatedAt": "2026-01-20T08:00:00Z"
},
"afterState": {
"maxConcurrentSessions": 10,
"sessionTimeoutMinutes": 60,
"updatedBy": "admin@example.com",
"updatedAt": "2026-01-30T10:32:15Z"
},
"tags": ["configuration", "admin", "compliance"],
"metadata": {
"changeReason": "Increased limits for peak season",
"approvedBy": "supervisor@example.com"
},
"eventHash": "a3f5b2c1d4e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4",
"createdAt": "2026-01-30T10:32:15.250Z",
"isArchived": false,
"archiveLocation": null,
"relatedLogs": [
{
"id": "related-log-id-1",
"timestamp": "2026-01-30T10:32:10Z",
"operation": "ReadApplicationSettings",
"relationship": "precedes"
}
]
}
Export Audit Logs
Endpoint: POST /api/v1/audit-logs/export
Authentication: Admin or Auditor role required
Request Body:
{
"format": "csv",
"filters": {
"from": "2026-01-01T00:00:00Z",
"to": "2026-01-30T23:59:59Z",
"eventType": ["Authentication", "Configuration"],
"severity": ["Warning", "Error", "Critical"]
},
"includeFields": [
"timestamp",
"actorUsername",
"eventType",
"action",
"resourceName",
"ipAddress",
"success"
],
"deliveryMethod": "download"
}
Success Response: 200 OK
{
"exportId": "export-12345",
"status": "completed",
"format": "csv",
"recordCount": 2547,
"fileSize": 1048576,
"downloadUrl": "https://app-manager.example.com/downloads/audit-export-12345.csv",
"expiresAt": "2026-01-31T10:35:00Z",
"generatedAt": "2026-01-30T10:35:00Z"
}
Alternative Response (Async): 202 Accepted
{
"exportId": "export-12345",
"status": "processing",
"estimatedCompletion": "2026-01-30T10:37:00Z",
"statusCheckUrl": "/api/v1/audit-logs/exports/export-12345/status"
}
Generate Compliance Report
Endpoint: POST /api/v1/audit-logs/reports/compliance
Authentication: Auditor or Admin role required
Request Body:
{
"reportType": "UserAccessActivity",
"period": {
"from": "2025-10-01T00:00:00Z",
"to": "2025-12-31T23:59:59Z"
},
"includeExecutiveSummary": true,
"includeStatistics": true,
"includeDetailedListing": true,
"includeAnomalyDetection": true,
"maxDetailedRecords": 1000,
"format": "pdf",
"digitalSignature": true
}
Success Response: 201 Created
{
"reportId": "report-67890",
"reportType": "UserAccessActivity",
"period": {
"from": "2025-10-01T00:00:00Z",
"to": "2025-12-31T23:59:59Z"
},
"status": "completed",
"format": "pdf",
"fileSize": 2097152,
"downloadUrl": "https://app-manager.example.com/reports/compliance-report-67890.pdf",
"summary": {
"totalEvents": 15234,
"uniqueUsers": 87,
"failedAuthAttempts": 142,
"configurationChanges": 23,
"securityAlerts": 5,
"complianceScore": 98.5
},
"generatedAt": "2026-01-30T10:40:00Z",
"generatedBy": "auditor@example.com",
"digitalSignature": "-----BEGIN SIGNATURE-----\nMIIC...==\n-----END SIGNATURE-----"
}
Create Manual Log Entry
Endpoint: POST /api/v1/audit-logs/manual
Authentication: Admin role required
Request Body:
{
"eventType": "System",
"action": "Execute",
"severity": "Warning",
"operation": "ManualPasswordReset",
"resourceType": "User",
"resourceId": "user-id-98765",
"resourceName": "jdoe@example.com",
"notes": "Password reset performed manually due to account lockout",
"tags": ["manual", "support", "password-reset"]
}
Success Response: 201 Created
{
"id": "manual-log-id-11111",
"timestamp": "2026-01-30T10:45:00Z",
"eventType": "System",
"action": "Execute",
"severity": "Warning",
"actorId": "admin-user-id-12345",
"actorUsername": "admin@example.com",
"operation": "ManualPasswordReset",
"resourceType": "User",
"resourceId": "user-id-98765",
"resourceName": "jdoe@example.com",
"success": true,
"tags": ["manual", "support", "password-reset"],
"message": "Manual log entry created successfully"
}
Get Audit Statistics
Endpoint: GET /api/v1/audit-logs/statistics
Authentication: Admin or Security Officer role required
Query Parameters:
?from=2026-01-01T00:00:00Z
&to=2026-01-30T23:59:59Z
&groupBy=eventType,day
Success Response: 200 OK
{
"period": {
"from": "2026-01-01T00:00:00Z",
"to": "2026-01-30T23:59:59Z"
},
"summary": {
"totalEvents": 15234,
"uniqueUsers": 87,
"uniqueIpAddresses": 145,
"successRate": 96.3,
"averageResponseTime": 234
},
"byEventType": {
"Authentication": 8500,
"Authorization": 3200,
"Configuration": 450,
"DataAccess": 2800,
"System": 234,
"Security": 50
},
"bySeverity": {
"Info": 13500,
"Warning": 1200,
"Error": 484,
"Critical": 50
},
"topOperations": [
{
"operation": "CreateSession",
"count": 5200,
"successRate": 98.5
},
{
"operation": "ValidateToken",
"count": 3100,
"successRate": 99.2
},
{
"operation": "QueryUsers",
"count": 1800,
"successRate": 97.8
}
],
"topUsers": [
{
"userId": "user-123",
"username": "jdoe@example.com",
"eventCount": 1250,
"lastActivity": "2026-01-30T10:30:00Z"
}
],
"securityEvents": {
"failedLogins": 142,
"accessDenied": 89,
"suspiciousActivity": 5,
"tokenExpired": 234
},
"trends": [
{
"date": "2026-01-30",
"totalEvents": 687,
"failedEvents": 23
},
{
"date": "2026-01-29",
"totalEvents": 612,
"failedEvents": 19
}
]
}
Performance Requirements
| Metric | Target | Critical Threshold |
|---|---|---|
| Log write latency (async enqueue) | < 5ms | < 20ms |
| Log batch persistence time | < 500ms for 100 entries | < 2 seconds |
| Log query response time (simple filter) | < 500ms | < 2 seconds |
| Log query response time (complex filter) | < 2 seconds | < 5 seconds |
| Full-text search response time | < 1 second | < 3 seconds |
| Export generation time (10K records) | < 10 seconds | < 30 seconds |
| Report generation time | < 30 seconds | < 2 minutes |
| Real-time alert detection latency | < 10 seconds | < 30 seconds |
| Log retention query performance | < 5 minutes daily | < 15 minutes |
| Maximum logs per day | 1,000,000 | 500,000 minimum |
| Log storage growth rate | < 10GB/month | Monitor at 50GB/month |
| Database query with indexes | < 200ms | < 1 second |
Security Considerations
Tamper-Proof Logging
- Immutable Records: Audit log table has no UPDATE or DELETE permissions
- Cryptographic Hashing: Each log entry includes SHA-256 hash computed from critical fields
- Hash Chain: Each log entry can reference previous entry's hash for chain-of-custody
- Verification: Periodic integrity checks verify hashes haven't been tampered with
- Database Permissions: Only audit service has INSERT permission on audit log table
- Append-Only Storage: Use append-only database features or write-once storage
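The event hash and hash chain described here, and the "calculate and store event hash" step of Log Entry Construction in the Basic Flow, as an added example (not the project's own code): each entry's SHA-256 is computed over a canonical JSON encoding of its critical fields plus the previous entry's hash, and a verification pass reports the first entry whose digest or link no longer matches. Which fields count as "critical", the `PreviousHash` field and the sample entries are assumptions.

```python
import hashlib
import json

# Fields folded into the SHA-256 (assumption: the page says "critical fields" without listing them).
HASHED_FIELDS = (
    "Id", "Timestamp", "CorrelationId", "EventType", "Action", "Severity", "ActorType",
    "ActorId", "ActorUsername", "ResourceType", "ResourceId", "Operation", "IpAddress",
    "Success", "BeforeState", "AfterState",
)
GENESIS_HASH = "0" * 64   # previous-hash value for the first entry of a chain


def compute_event_hash(entry, previous_hash):
    """SHA-256 over a canonical JSON encoding of the critical fields plus the previous hash.

    Sorted keys and fixed separators give the same digest regardless of dict ordering
    or whitespace, so the writer and the verifier agree byte for byte.
    """
    material = {name: entry.get(name) for name in HASHED_FIELDS}
    material["PreviousHash"] = previous_hash
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(chain, entry):
    """Seal an entry against the chain head and append it (the audit service's write path)."""
    previous_hash = chain[-1]["EventHash"] if chain else GENESIS_HASH
    sealed = dict(entry)
    sealed["PreviousHash"] = previous_hash
    sealed["EventHash"] = compute_event_hash(sealed, previous_hash)
    chain.append(sealed)
    return sealed


def verify_chain(chain):
    """Periodic integrity check: (True, None) or (False, index of the first bad entry).

    A digest mismatch means a field was edited; a link mismatch means an entry was
    deleted, inserted or reordered.
    """
    previous_hash = GENESIS_HASH
    for index, entry in enumerate(chain):
        if entry.get("PreviousHash") != previous_hash:
            return False, index
        if compute_event_hash(entry, previous_hash) != entry.get("EventHash"):
            return False, index
        previous_hash = entry["EventHash"]
    return True, None


def build_sample_chain():
    """Constructed entries modelled on the page's configuration-update example."""
    chain = []
    append_entry(chain, {
        "Id": "11111111-1111-4111-8111-111111111111", "Timestamp": "2026-01-30T10:30:42.000Z",
        "CorrelationId": "c0000000-0000-4000-8000-000000000001", "EventType": "Authentication",
        "Action": "Login", "Severity": "Info", "ActorType": "User", "ActorId": "user-123",
        "ActorUsername": "jdoe@example.com", "ResourceType": "Session", "ResourceId": "session-1",
        "Operation": "CreateSession", "IpAddress": "198.51.100.20", "Success": True,
    })
    append_entry(chain, {
        "Id": "22222222-2222-4222-8222-222222222222", "Timestamp": "2026-01-30T10:32:15.247Z",
        "CorrelationId": "c0000000-0000-4000-8000-000000000002", "EventType": "Configuration",
        "Action": "Update", "Severity": "Warning", "ActorType": "Admin",
        "ActorId": "admin-user-id-12345", "ActorUsername": "admin@example.com",
        "ResourceType": "Configuration", "ResourceId": "app-fee-manager-config",
        "Operation": "UpdateApplicationSettings", "IpAddress": "192.168.1.100", "Success": True,
        "BeforeState": {"maxConcurrentSessions": 5, "sessionTimeoutMinutes": 30},
        "AfterState": {"maxConcurrentSessions": 10, "sessionTimeoutMinutes": 60},
    })
    append_entry(chain, {
        "Id": "33333333-3333-4333-8333-333333333333", "Timestamp": "2026-01-30T10:33:00.000Z",
        "CorrelationId": "c0000000-0000-4000-8000-000000000002", "EventType": "DataAccess",
        "Action": "Read", "Severity": "Info", "ActorType": "Admin",
        "ActorId": "admin-user-id-12345", "ActorUsername": "admin@example.com",
        "ResourceType": "Configuration", "ResourceId": "app-fee-manager-config",
        "Operation": "ReadApplicationSettings", "IpAddress": "192.168.1.100", "Success": True,
    })
    return chain


def demo_tamper_detection():
    """Three scenarios: intact chain, an edited AfterState, and a deleted middle entry."""
    intact, _ = verify_chain(build_sample_chain())

    edited = build_sample_chain()
    edited[1]["AfterState"]["maxConcurrentSessions"] = 999   # direct DB edit bypassing the service
    edit_ok, edit_index = verify_chain(edited)

    trimmed = build_sample_chain()
    del trimmed[1]                                            # the config change was removed
    delete_ok, delete_index = verify_chain(trimmed)

    return {"intact": intact, "edit_ok": edit_ok, "edit_index": edit_index,
            "delete_ok": delete_ok, "delete_index": delete_index}
```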
Data Encryption
- Encryption at Rest: Audit logs encrypted using AES-256 encryption
- Encryption in Transit: All API calls use TLS 1.3
- Key Management: Encryption keys stored in secure key management service (AWS KMS, Azure Key Vault)
- Key Rotation: Encryption keys rotated annually or after security incident
- Archived Logs: Archive files encrypted before storage in cold storage
Access Control
- Role-Based Access: Only Admin and Security Officer roles can query logs
- Auditor Role: Special auditor role for compliance officers (read-only, report generation)
- Query Logging: All log queries are themselves logged in audit trail
- Export Restrictions: Log exports limited to authorized roles and audited
- PII Protection: Personal data redacted based on user permissions
- Multi-Factor Authentication: MFA required for log access in production
Sensitive Data Protection
- Data Sanitization: Automatic removal of passwords, tokens, credit cards from logs
- PII Detection: Heuristic detection of social security numbers, phone numbers, emails
- Configurable Redaction: Admins can configure additional fields to redact
- Request Payload Filtering: Only whitelisted fields logged from API requests
- Response Data Exclusion: Response bodies generally not logged (only status codes)
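A write-time sanitizer that combines the rules in this section (field whitelist, credential removal, heuristic PII redaction, admin-configured extra fields), added here as an example and not the platform's own implementation. The whitelist contents, the regexes and the sample request are assumptions; the patterns are heuristics and will need tuning per application.

```python
import re

# Hypothetical whitelist: only these request fields may reach the audit record
ALLOWED_REQUEST_FIELDS = {"username", "action", "resource_id", "role", "note"}
# Field names that are dropped regardless of the whitelist
SECRET_FIELD_RE = re.compile(r"(password|passwd|secret|token|api_key|authorization)", re.I)
# Heuristic PII patterns applied, in this order, to every string value that is kept
PII_PATTERNS = (
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
)

def redact_pii(value):
    """Replace anything that looks like PII inside a string with a typed marker."""
    if not isinstance(value, str):
        return value
    for label, pattern in PII_PATTERNS:
        value = pattern.sub(f"[REDACTED-{label}]", value)
    return value

def sanitize_request(payload: dict, extra_redact=frozenset()) -> dict:
    """Build the loggable view of an API request payload.

    extra_redact holds admin-configured field names whose values are masked
    rather than dropped, so the record still shows that the field was sent.
    """
    safe = {}
    for key, value in payload.items():
        if key not in ALLOWED_REQUEST_FIELDS or SECRET_FIELD_RE.search(key):
            continue                    # never logged
        if key in extra_redact:
            safe[key] = "[REDACTED]"    # presence kept, value masked
        else:
            safe[key] = redact_pii(value)
    return safe

# Constructed sample request, not real user data
SAMPLE_REQUEST = {
    "username": "alice",
    "password": "hunter2",
    "api_key": "sk-test-000",
    "action": "UPDATE_PROFILE",
    "card_number": "4111 1111 1111 1111",
    "note": "reach me at alice@example.com or 555-123-4567, SSN 123-45-6789",
    "debug": {"stack": "..."},
}

if __name__ == "__main__":
    print(sanitize_request(SAMPLE_REQUEST))
```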
Compliance Requirements
- GDPR Compliance: User data anonymized or deleted upon request
- HIPAA Compliance: PHI never logged in audit trail
- SOC 2 Compliance: Audit logs retained per SOC 2 requirements (minimum 1 year)
- PCI DSS Compliance: Cardholder data never logged; access logs retained per PCI DSS
- Data Residency: Logs stored in geographic region per compliance requirements
Testing Scenarios
Test Case 1: Successful Automatic Logging
Given: User performs authenticated action (login)
When: User successfully logs in
Then: Log entry created with all required fields
Verify: Database contains log record, timestamp accurate, user ID captured, IP address logged
Test Case 2: Async Logging Performance
Given: High-volume activity (100 actions/second)
When: Users perform rapid actions
Then: All actions logged without blocking operations
Verify: Queue processes entries within 5 seconds, no log loss, user experience unaffected
Test Case 3: Configuration Change Logging
Given: Admin modifies application settings
When: Admin updates configuration via UI or API
Then: Log captures before/after state
Verify: Before state matches previous config, after state matches new config, change attributed to correct admin
Test Case 4: Failed Action Logging
Given: User attempts unauthorized action
When: User receives 403 Forbidden response
Then: Security event logged with severity Warning
Verify: Log includes attempted resource, denial reason, user identity, IP address
Test Case 5: Log Search and Filtering
Given: 10,000 log entries in database
When: Admin searches for specific user's activities in date range
Then: Relevant logs returned in < 2 seconds
Verify: Results match filter criteria, pagination works, no missing records
Test Case 6: Suspicious Activity Detection
Given: Real-time monitoring enabled
When: Same IP has 5 failed login attempts in 10 minutes
Then: Security alert triggered
Verify: Alert sent to security team, automatic response executed (IP block), alert logged
Test Case 7: Log Export to CSV
Given: Admin requests export of filtered logs
When: Export request submitted
Then: CSV file generated with all matching records
Verify: CSV contains correct columns, data properly formatted, export operation logged
Test Case 8: Compliance Report Generation
Given: Auditor requests Q4 2025 access report
When: Report generation initiated
Then: Excel report generated with summary and details
Verify: Report includes executive summary, statistics, detailed listing, digitally signed
Test Case 9: Log Retention and Archival
Given: Logs older than 90 days exist
When: Retention job runs daily
Then: Old logs moved to archive storage
Verify: Archived logs compressed, searchable via archive index, removed from primary database
Test Case 10: Logging System Failure Handling
Given: Database connection lost
When: User performs action during outage
Then: Action succeeds, logs buffered to fallback
Verify: Logs written to file system, replayed when database restored, no log loss
Test Case 11: Tamper Detection
Given: Log entries have cryptographic hashes
When: Someone attempts to modify log entry directly in database
Then: Hash verification fails
Verify: Integrity check detects tampering, alert triggered, affected records identified
Test Case 12: Multi-User Concurrent Logging
Given: 100 users performing actions simultaneously
When: All users authenticated and active
Then: All actions logged correctly
Verify: No log entry collisions, timestamps accurate, no data loss, correlation IDs work
Monitoring and Analytics
Key Metrics to Track
- Log Volume: Number of log entries per hour/day/month
- Log Write Rate: Entries per second (current, peak, average)
- Log Storage Growth: GB per day/week/month
- Query Performance: Average query response time by query type
- Queue Depth: Current size of async log queue
- Queue Processing Time: Time from enqueue to persistence
- Failed Logging Attempts: Count of failed log writes
- Export Frequency: Number of exports per day/week
- Report Generation: Number of compliance reports generated
- Alert Frequency: Security alerts triggered per day/week
- Search Performance: Average search response time
- Archive Operations: Success rate of archival jobs
Security Analytics
- Failed Authentication Rate: Failed logins / Total login attempts
- Access Denial Rate: 403 responses / Total requests
- Brute Force Indicators: Multiple failures from same IP
- Privilege Escalation Attempts: Unauthorized admin action attempts
- Unusual Access Patterns: After-hours access, geographic anomalies
- Mass Data Exports: Large exports by single user
- Configuration Change Frequency: Admin changes per day
- Suspicious API Usage: Abnormal API call patterns
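The brute-force indicator above, with the threshold from Test Case 6 (same IP, 5 failed logins within 10 minutes), worked as a sliding-window detector over audit records. This is an added example, not the platform's own detection engine; the event name LOGIN_FAILED, the record field names and the sample log are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_brute_force(entries, threshold=5, window_minutes=10):
    """Sliding-window count of LOGIN_FAILED events per source IP.

    Entries are expected in timestamp order, as read from the audit table.
    Returns one High alert per IP the first time it reaches the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for e in entries:
        if e["event_type"] != "LOGIN_FAILED":
            continue
        ip, ts = e["ip_address"], parse_ts(e["timestamp"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_minutes * 60:
            q.popleft()               # expire failures older than the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"severity": "High", "rule": "brute_force", "ip": ip,
                           "count": len(q), "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts

def _e(ts, event, ip):
    """Constructed audit record (sample data, not from a real system)."""
    return {"timestamp": ts, "event_type": event, "ip_address": ip}

# 203.0.113.5 fails 5 times in 8 minutes; 198.51.100.7 fails 5 times spread over 11 minutes
SAMPLE_LOG = [
    _e("2026-01-30T10:00:00Z", "LOGIN_FAILED", "203.0.113.5"),
    _e("2026-01-30T10:00:30Z", "LOGIN_SUCCESS", "198.51.100.7"),
    _e("2026-01-30T10:02:00Z", "LOGIN_FAILED", "203.0.113.5"),
    _e("2026-01-30T10:03:00Z", "LOGIN_FAILED", "198.51.100.7"),
    _e("2026-01-30T10:04:00Z", "LOGIN_FAILED", "203.0.113.5"),
    _e("2026-01-30T10:06:00Z", "LOGIN_FAILED", "203.0.113.5"),
    _e("2026-01-30T10:06:30Z", "LOGIN_FAILED", "198.51.100.7"),
    _e("2026-01-30T10:08:00Z", "LOGIN_FAILED", "203.0.113.5"),   # 5th inside 10 min: alert
    _e("2026-01-30T10:09:00Z", "LOGIN_FAILED", "198.51.100.7"),
    _e("2026-01-30T10:09:30Z", "LOGIN_FAILED", "203.0.113.5"),   # 6th: no duplicate alert
    _e("2026-01-30T10:12:00Z", "LOGIN_FAILED", "198.51.100.7"),
    _e("2026-01-30T10:14:00Z", "LOGIN_FAILED", "198.51.100.7"),  # oldest expired: stays at 4
]

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The second IP shows why the window length is a tuning knob: widening it to 15 minutes would flag that slower pattern too, at the cost of more false positives on shared addresses.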
Operational Metrics
- Top Active Users: Users generating most log entries
- Top Operations: Most frequently logged operations
- Response Time Trends: Average response time over time
- Error Rate by Operation: Failure rate per operation type
- Geographic Distribution: Log activity by location
- User Agent Distribution: Activity by client type
- Peak Activity Times: Busiest hours/days for activity
Alerts
- Critical: Logging system failure (queue full, database unavailable)
- Critical: Tamper detection triggered (log integrity violation)
- High: Suspicious activity detected (brute force, mass export)
- High: Failed logging rate > 5% over 5 minutes
- Medium: Query performance degraded (> 5 seconds average)
- Medium: Storage approaching limit (80% capacity)
- Medium: Archive job failure
- Low: Unusual activity pattern detected
- Low: Export or report generation failed
Dashboards
Security Dashboard:
- Real-time failed authentication attempts
- Active security alerts
- Suspicious activity timeline
- Top blocked IP addresses
- Recent privilege escalation attempts
Operations Dashboard:
- Log volume trends (24h, 7d, 30d)
- Queue depth and processing rate
- Query performance metrics
- Storage utilization
- Top users and operations
Compliance Dashboard:
- Audit coverage percentage
- Recent compliance reports
- Policy violations detected
- Data retention compliance
- Access control audit results
Related Use Cases
All use cases in the Application Manager generate audit logs:
- UC-001: Trial User Self-Registration - Logs user creation, email sending
- UC-002: Trial User Login and Session Management - Logs authentication events
- UC-003: Application Access Validation - Logs authorization decisions
- UC-004: Trial Expiration Management - Logs trial status changes
- UC-005: Administrator User Management - Logs admin operations on users
- UC-006: Role and Permission Management - Logs role assignments and changes
- UC-007: Application Registration - Logs application lifecycle events
- UC-008: Configuration Management - Logs all configuration changes
- UC-009: System Health Monitoring - Logs health check results
- UC-011: API Key Management - Logs token generation and revocation
- UC-012: Data Export and Backup - Logs export operations
Direct Dependencies:
- UC-013: Security Incident Response - Uses audit logs to investigate incidents
- UC-014: Compliance Reporting - Generates reports from audit logs
Notes and Assumptions
- Performance over Blocking: Logging must never block user operations; async logging required
- Storage Planning: Assumes adequate storage provisioned for log retention requirements
- Time Synchronization: Assumes NTP configured for accurate timestamps across servers
- Compliance First: Audit logging designed to meet SOC 2, GDPR, HIPAA, PCI DSS requirements
- Retention Flexibility: Retention periods configurable per compliance requirements
- Archive Strategy: Archived logs stored in cost-effective cold storage (S3 Glacier, Azure Archive)
- Search Performance: Database indexes on timestamp, userId, eventType, ipAddress for fast queries
- PII Handling: Automatic sanitization may require customization per application
- Geographic Requirements: Log storage location may vary per data residency laws
- Tamper Detection: Hash-based integrity checking recommended but may impact performance
- Real-time Monitoring: Pattern detection rules require tuning to reduce false positives
- Export Limits: Large exports may require async processing and background jobs
- Multi-Tenancy: Future enhancement for tenant-isolated audit logs
- Log Correlation: Correlation IDs enable tracing across distributed services
- Fallback Logging: File-based fallback requires monitoring and cleanup procedures
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-30 | System Analyst | Initial use case documentation |
Document Owner: Platform Security Team
Stakeholders: Security, Compliance, Engineering, Operations
Review Cycle: Quarterly or after security incidents