Audit Log Events

Carlquist maintains comprehensive audit logs for every action that modifies state or accesses data. Logs are immutable and tamper-evident.

Event Types

Every state-changing operation in Carlquist emits an audit event. The table below lists all event types, their descriptions, and the fields included in each event payload.

Event	Description	Fields
`auth.login`	User authenticated	actor, method (password/sso/api-key), ip, user_agent
`auth.logout`	Session ended	actor, ip
`auth.mfa_challenge`	MFA verification	actor, method (totp/webauthn), success (bool), ip
`auth.failed`	Authentication failure	attempted_identity, reason, ip, user_agent
`api_key.created`	API key generated	actor, key_id, scopes, adapter_ids, expires_at
`api_key.revoked`	API key revoked	actor, key_id, reason
`adapter.created`	New adapter connected	actor, adapter_id, adapter_type, name
`adapter.updated`	Adapter config changed	actor, adapter_id, field, before, after
`adapter.deleted`	Adapter removed	actor, adapter_id, name
`mapping.published`	Mapping deployed	actor, mapping_id, adapter_id, schema_version
`mapping.updated`	Mapping modified	actor, mapping_id, changes_summary
`endpoint.created`	API endpoint published	actor, endpoint_id, path, auth_method
`endpoint.updated`	Endpoint config changed	actor, endpoint_id, field, before, after
`policy.updated`	Policy rule changed	actor, policy_id, policy_type, before, after
`stream.created`	Event stream configured	actor, stream_id, event_type, target_type
`user.invited`	User invited to org	actor, invitee_email, role
`user.role_changed`	User role modified	actor, target_user, old_role, new_role
`export.requested`	Data export initiated	actor, export_type, scope

Common Fields

Every audit event includes the following fields regardless of event type:

event_id — UUID uniquely identifying the event
event_type — One of the event types listed above
timestamp — ISO 8601 format, always UTC
actor_id — UUID of the user or API key that triggered the event
actor_email — Email address of the acting user
org_id — Organization the event belongs to
project_id — Project scope, if applicable
ip_address — Source IP of the request
user_agent — Client user agent string
request_id — Correlation ID for tracing the request across services

Retention

Audit logs are retained for 90 days by default. Extended retention is available on Enterprise plans:

1 year — Enterprise Standard
3 years — Enterprise Plus
Custom — Available by request for regulated industries

Export

Audit logs can be exported in CSV format from the dashboard or via the CLI:

carlquist audit export \
  --from 2026-01-01 \
  --to 2026-02-25 \
  --format csv

You can filter exports by event type, actor, or project:

carlquist audit export \
  --from 2026-01-01 \
  --to 2026-02-25 \
  --event-type auth.login \
  --format csv

SIEM Integration: Direct integration with Splunk, Datadog, and Elastic is on the roadmap for Q3 2026. In the meantime, use CSV exports or the audit API to feed your SIEM pipeline.

Access

Audit logs are read-only. They cannot be modified or deleted by any user, including Organization Admins. Only Organization Admins can view and export audit logs. All audit log access is itself audited — viewing or exporting logs generates an export.requested event, creating a complete chain of custody.