audit-logging

npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/audit-logging --openclaw
Files (1)
SKILL.md
1.6 KB

Audit Logging

Implement comprehensive audit logging for compliance.

Log Categories

audit_events:
  authentication:
    - Login attempts
    - MFA events
    - Session management
    
  authorization:
    - Access grants
    - Permission changes
    - Role assignments
    
  data_access:
    - Read operations
    - Write operations
    - Delete operations
    
  administrative:
    - Configuration changes
    - User management
    - System changes

Application Logging

import json
import logging
from datetime import datetime, timezone

from flask import request  # the original relies on a Flask/Werkzeug request for the client IP

# Route this logger to a file under /var/log/audit/ so the Fluentd tail below picks it up
logger = logging.getLogger("audit")


class AuditLogger:
    def log_event(self, event_type, user, resource, action, result):
        # One JSON object per line: parseable by Fluentd and a SIEM without regexes
        log_entry = {
            'timestamp': datetime.now(timezone.utc).isoformat(),
            'event_type': event_type,
            'user': user,
            'resource': resource,
            'action': action,
            'result': result,
            # Behind a reverse proxy this is the proxy address unless X-Forwarded-For is handled
            'source_ip': request.remote_addr
        }
        logger.info(json.dumps(log_entry))
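The class above writes one JSON object per event, but nothing stops someone with write access to the log from editing or deleting a line after the fact. The following is an added example, not code from the skill or its repository, showing one way to make the trail tamper-evident: every entry carries the SHA-256 hash of the previous entry, so a modified, removed or reordered line breaks the chain and a verifier reports the first bad index. The client IP is passed in explicitly rather than read from a web framework request, and the `GENESIS` value, the `sink` object and the sample events are assumptions made for the example.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Added example (not the skill's own code): hash-chained audit log.
GENESIS = "0" * 64  # assumed starting value for the chain of an empty log


def canonical(entry: dict) -> str:
    # Deterministic serialisation so the hash does not depend on key order
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


class AuditLogger:
    def __init__(self, sink):
        self.sink = sink  # any object with a write(str) method (file, socket, StringIO)
        self.prev_hash = GENESIS

    def log_event(self, event_type, user, resource, action, result, source_ip):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "event_type": event_type,
            "user": user,
            "resource": resource,
            "action": action,
            "result": result,
            "source_ip": source_ip,
            "prev_hash": self.prev_hash,
        }
        # The hash covers every field including prev_hash, which links this entry to the last one
        entry["hash"] = hashlib.sha256(canonical(entry).encode()).hexdigest()
        self.sink.write(canonical(entry) + "\n")
        self.prev_hash = entry["hash"]
        return entry


def verify_chain(lines):
    """Return (ok, first_bad_index); first_bad_index is None when the chain is intact."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if entry.get("prev_hash") != prev:      # a deleted or reordered entry
            return False, i
        if hashlib.sha256(canonical(entry).encode()).hexdigest() != claimed:  # an edited entry
            return False, i
        prev = claimed
    return True, None


def demo():
    # Constructed sample events, written to an in-memory sink for the example
    buf = io.StringIO()
    log = AuditLogger(buf)
    log.log_event("authentication", "alice", "/login", "login", "success", "10.0.0.5")
    log.log_event("authorization", "alice", "role:admin", "assign", "denied", "10.0.0.5")
    log.log_event("data_access", "bob", "customers.db", "read", "success", "10.0.0.9")
    lines = buf.getvalue().splitlines()
    intact = verify_chain(lines)

    # Rewriting the denied role assignment to look successful invalidates that line's hash
    edited = json.loads(lines[1])
    edited["result"] = "success"
    tampered = lines[:1] + [canonical(edited)] + lines[2:]

    # Deleting the middle entry breaks prev_hash on the entry that followed it
    truncated = lines[:1] + lines[2:]
    return intact, verify_chain(tampered), verify_chain(truncated)


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log has not changed since the hashes were computed; an attacker who controls the writing host can recompute every hash. In practice the latest hash (or a signed version of it) is periodically shipped to a separate system, which is what "tamper-proof storage" in the best practices below means in concrete terms.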

Centralized Logging

# Fluentd configuration
<source>
  @type tail
  path /var/log/audit/*.log
  pos_file /var/log/fluentd/audit.pos
  tag audit.*
  <parse>
    @type json
  </parse>
</source>

<match audit.**>
  @type elasticsearch
  host elasticsearch.example.com
  index_name audit-logs
</match>

Best Practices

  • Structured logging (JSON)
  • Centralized collection
  • Tamper-proof storage
  • Retention policies
  • Alerting on anomalies
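"Alerting on anomalies" only becomes useful once a concrete rule runs over the JSON lines the pipeline collects. The following is an added example, not part of the skill, of two rules over the authentication category defined above: a burst of failed logins from one source address inside a sliding window, and a successful login from that address after the burst (a stronger signal than the failures alone). The threshold, window, and the sample log lines are constructed for the example; `timestamp` is assumed to be the ISO 8601 value the AuditLogger emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not the skill's own code): detection over structured audit lines.
THRESHOLD = 5                  # failed logins from one source_ip ... (assumed value)
WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed value)


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failed logins
    burst_ips = set()              # addresses already alerted on, to avoid duplicate alerts
    alerts = []
    for line in lines:
        e = json.loads(line)
        if e["event_type"] != "authentication" or e["action"] != "login":
            continue
        ts = datetime.fromisoformat(e["timestamp"])
        ip = e["source_ip"]
        q = failures[ip]
        if e["result"] == "failure":
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"rule": "login_burst", "source_ip": ip,
                               "count": len(q), "at": e["timestamp"]})
        elif e["result"] == "success" and ip in burst_ips:
            # Credential stuffing or brute force that eventually worked
            alerts.append({"rule": "success_after_burst", "source_ip": ip,
                           "user": e["user"], "at": e["timestamp"]})
            burst_ips.discard(ip)
    return alerts


def _ev(ts, user, result, ip):
    # Builds one constructed audit line in the AuditLogger's JSON shape
    return json.dumps({"timestamp": ts, "event_type": "authentication", "user": user,
                       "resource": "/login", "action": "login", "result": result,
                       "source_ip": ip})


# Constructed sample: one benign login, a burst from 203.0.113.7, two stray failures elsewhere
SAMPLE_LINES = [
    _ev("2024-05-01T12:00:00+00:00", "alice", "success", "10.0.0.5"),
    _ev("2024-05-01T12:01:00+00:00", "admin", "failure", "203.0.113.7"),
    _ev("2024-05-01T12:01:30+00:00", "admin", "failure", "203.0.113.7"),
    _ev("2024-05-01T12:02:00+00:00", "root", "failure", "203.0.113.7"),
    _ev("2024-05-01T12:02:20+00:00", "bob", "failure", "198.51.100.4"),
    _ev("2024-05-01T12:02:30+00:00", "admin", "failure", "203.0.113.7"),
    _ev("2024-05-01T12:03:00+00:00", "admin", "failure", "203.0.113.7"),  # fifth failure
    _ev("2024-05-01T12:03:30+00:00", "admin", "failure", "203.0.113.7"),  # no second alert
    _ev("2024-05-01T12:04:00+00:00", "admin", "success", "203.0.113.7"),  # success after burst
    _ev("2024-05-01T12:10:00+00:00", "bob", "failure", "198.51.100.4"),   # outside window
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(json.dumps(alert))
```

Running the rules over the sample yields two alerts, both for 203.0.113.7, and none for 198.51.100.4, whose two failures never reach the threshold inside one window. The same loop can be pointed at the Fluentd output or run as a saved query in the SIEM; what matters is that the fields it keys on (`event_type`, `result`, `source_ip`) are structured, not buried in free text.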

Source

https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/auditing/audit-logging/SKILL.md

Overview

Implements comprehensive audit logging to meet compliance requirements. It defines audit_event categories (authentication, authorization, data_access, and administrative) and supports centralized collection and SIEM integration for security monitoring.

How This Skill Works

An AuditLogger emits structured JSON logs with fields like timestamp, event_type, user, resource, action, result, and source_ip. Logs are centralized via a Fluentd pipeline that tails /var/log/audit/*.log and forwards to Elasticsearch (audit-logs index) for indexing and search.

When to Use It

  • When implementing audit trail requirements for regulatory compliance
  • When you need centralized log collection across multiple services
  • When integrating logs with a SIEM for real-time monitoring
  • When enforcing retention policies and tamper-proof storage
  • When alerting on anomalous or unauthorized activity

Quick Start

  1. Define audit_events categories (authentication, authorization, data_access, administrative) in YAML as shown in the skill
  2. Implement an AuditLogger that emits structured JSON entries with timestamp, event_type, user, resource, action, result, and source_ip
  3. Configure a centralized pipeline (e.g., Fluentd) to tail /var/log/audit/*.log and forward to the Elasticsearch audit-logs index; ensure retention and alerting

Best Practices

  • Structured logging using JSON
  • Centralized collection from all services
  • Tamper-proof storage with access controls
  • Clear retention policies and time-bound availability
  • Automated alerts on anomalies and unauthorized actions

Example Use Cases

  • PCI DSS auditing for payment data access and changes
  • SOC 2 compliance requiring access and configuration change logs
  • Cloud environments feeding SIEM tools (e.g., Elasticsearch/Kibana stacks)
  • Data lake or data warehouse access monitoring for read/write/delete events
  • Incident response workflows using centralized audit trails for forensic investigations
