March 12, 2026 (1mo ago)
Written by Temps Team
Last updated March 12, 2026 (1mo ago)
Someone on your team deleted a production environment variable last Thursday. You know this because the app crashed. What you don't know is who did it, when exactly it happened, or whether it was intentional.
According to Verizon's Data Breach Investigations Report, 68% of breaches involved a human element — errors, misuse, or social engineering. Audit logs are the only reliable way to reconstruct what happened after the fact. Without them, you're guessing.
This guide covers how audit logging works from the ground up: event capture, schema design, immutable storage, retention policies, and querying patterns. We'll also look at how Temps implements audit logging for every deployment and configuration event automatically.
TL;DR: Audit logs record every significant action in your deployment platform — who did what, when, and from where. They're essential for compliance, debugging, and security investigations. 68% of breaches involve a human element, and audit trails are often the only way to trace what went wrong.
Audit logs serve three distinct purposes: compliance, debugging, and security forensics. A 2024 survey by Drata found that 87% of companies now face at least one compliance framework requiring audit trails. Deployment platforms sit at the center of your infrastructure, making them high-value targets for all three.
SOC 2, HIPAA, GDPR, and ISO 27001 all require organizations to maintain records of system access and changes. Your deployment platform controls who can push code to production, modify environment variables, and change DNS records. Auditors want to see exactly who performed those actions and when.
Without audit logs, you'll spend weeks reconstructing evidence from scattered server logs, git histories, and Slack messages during your next compliance audit. With them, you run a query and hand over the results.
Most production incidents aren't caused by bad code alone. They're caused by configuration changes: someone rotated an API key but forgot to update staging, or a teammate changed a build setting that broke the deploy pipeline.
When your app goes down at 2am, the first question isn't "what's broken?" — it's "what changed?" Audit logs answer that question in seconds.
If an attacker compromises a team member's account, audit logs reveal every action that account took. Which projects did they access? Did they export environment variables? Did they modify deployment targets?
In practice, the most common security-relevant events we've seen teams investigate aren't external attacks — they're former employees whose access wasn't revoked promptly, or shared credentials used by someone who shouldn't have had them.
The rule is straightforward: log every state change, never log secrets. According to OWASP's Logging Cheat Sheet, applications should log all input validation failures, authentication successes and failures, authorization failures, and application errors — at minimum.
Here's a practical list for a deployment platform:
| Category | Events |
|---|---|
| Authentication | Login success, login failure, token creation, token revocation, session expiry |
| Deployments | Deploy triggered, build started, build completed, deploy promoted, deploy rolled back |
| Configuration | Env var created, env var updated, env var deleted, build settings changed |
| Access control | User invited, role changed, user removed, permission granted |
| Infrastructure | Domain added, DNS configured, SSL certificate issued, node joined cluster |
| Databases | Backup created, backup restored, database credentials rotated |
Every write operation (create, update, delete) should generate an audit event. Read operations generally don't need logging unless you're tracking access to sensitive resources like environment variables or database credentials.
This is equally important. Your audit logs should never contain:
Log that an environment variable was updated. Log its key name. Never log its value. The difference between a useful audit trail and a security liability comes down to this distinction.
[IMAGE: Diagram showing what to log vs what to redact in audit events — audit log security best practices]
A good audit event schema answers five questions: who, what, when, where, and how. NIST SP 800-92 on Log Management (2006) recommends that every log entry contain a timestamp, source, event type, and identity of the actor — at minimum.
Here's a JSON schema for an audit event that covers the essentials:
{
"id": "evt_a1b2c3d4",
"timestamp": "2026-03-12T14:32:07.123Z",
"actor": {
"user_id": 42,
"email": "dev@example.com",
"ip_address": "198.51.100.23",
"user_agent": "Mozilla/5.0..."
},
"operation": "environment_variable.updated",
"resource": {
"type": "environment_variable",
"id": "var_789",
"project_id": "proj_456",
"name": "DATABASE_URL"
},
"metadata": {
"previous_value_hash": "sha256:a1b2c3...",
"source": "dashboard",
"request_id": "req_x7y8z9"
}
}
Notice that the resource field includes the variable name but not its value. The metadata includes a hash of the previous value so you can verify whether it actually changed, without storing the secret itself.
Use a consistent resource.action format for operation types. This makes filtering and grouping trivial:
deployment.created
deployment.promoted
deployment.rolled_back
environment_variable.created
environment_variable.updated
environment_variable.deleted
user.invited
user.role_changed
domain.added
domain.verified
Avoid past tense or inconsistent naming. We've seen teams use a mix of created, create, was_created, and new for the same action across different services. Six months later, querying becomes a nightmare. Pick one convention and enforce it at the schema level.
Here's a production-ready audit log table:
CREATE TABLE audit_logs (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id),
operation_type VARCHAR(100) NOT NULL,
ip_address_id INTEGER REFERENCES ip_geolocations(id),
user_agent TEXT NOT NULL DEFAULT '',
data JSONB NOT NULL DEFAULT '{}',
audit_date TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- Index for filtering by user
CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
-- Index for filtering by operation type
CREATE INDEX idx_audit_logs_operation_type ON audit_logs(operation_type);
-- Index for time-range queries
CREATE INDEX idx_audit_logs_audit_date ON audit_logs(audit_date DESC);
-- Composite index for the most common query pattern
CREATE INDEX idx_audit_logs_user_date
ON audit_logs(user_id, audit_date DESC);
A few design decisions worth noting. The data column uses JSONB rather than a fixed schema. Different event types carry different metadata — a deployment event includes build duration and commit hash, while a user invitation event includes the invitee's email and assigned role. JSONB lets you store structured metadata without adding columns for every event type.
The ip_address_id references a separate geolocation table rather than storing the raw IP inline. This normalizes geolocation data and helps with analytics queries later.
Immutability is the single most important property of an audit log. If someone can modify or delete audit records, the entire trail becomes worthless for compliance and forensics. The CIS Controls v8 (2021) explicitly recommend that log data be protected from unauthorized modification and deletion.
The simplest approach: create a dedicated database role for audit writes that only has INSERT permission.
-- Create a role that can only insert
CREATE ROLE audit_writer;
GRANT INSERT ON audit_logs TO audit_writer;
GRANT USAGE ON SEQUENCE audit_logs_id_seq TO audit_writer;
-- Explicitly deny update and delete
REVOKE UPDATE, DELETE ON audit_logs FROM audit_writer;
-- Your application connects with this role for audit writes
Your application's main database role should have SELECT access for reading audit logs, but write operations should go through the restricted audit_writer role. Even if an attacker gains access to the application database credentials, they can't tamper with existing records.
Beyond database permissions, your application code should enforce immutability:
// Audit log creation -- notice there's no update or delete method
#[async_trait]
pub trait AuditLogger: Send + Sync {
async fn create_audit_log(
&self,
operation: &dyn AuditOperation
) -> Result<()>;
// No update_audit_log method exists
// No delete_audit_log method exists
}
This is exactly how Temps structures its AuditLogger trait. The interface literally doesn't expose methods for modifying or deleting records. You can't accidentally write code that mutates audit history because the API doesn't allow it.
For an extra layer of protection, add a PostgreSQL trigger that blocks updates and deletes entirely:
CREATE OR REPLACE FUNCTION prevent_audit_modification()
RETURNS TRIGGER AS $$
BEGIN
RAISE EXCEPTION
'Audit logs are immutable. Cannot % record id=%',
TG_OP, OLD.id;
RETURN NULL;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER audit_logs_immutable
BEFORE UPDATE OR DELETE ON audit_logs
FOR EACH ROW
EXECUTE FUNCTION prevent_audit_modification();
Even a superuser running a manual SQL statement will see an explicit error. This makes accidental deletions nearly impossible and intentional tampering obvious.
But what about the data column? Could someone tamper with the JSONB payload in transit before it's written? That's where structured types help. Define your audit operations as strongly-typed Rust structs (or TypeScript interfaces) and serialize them at write time. No raw JSON construction.
Audit logs grow fast. A mid-size team running 50 deploys per day can generate 500-1,000 audit events daily when you include configuration changes, logins, and access events. The SANS Institute (2014) recommends retaining audit logs for a minimum of one year, with many compliance frameworks requiring three to seven years.
PostgreSQL's native partitioning handles this cleanly. Partition by month so you can drop old partitions without vacuuming:
-- Convert to partitioned table
CREATE TABLE audit_logs_partitioned (
LIKE audit_logs INCLUDING ALL
) PARTITION BY RANGE (audit_date);
-- Create monthly partitions
CREATE TABLE audit_logs_2026_01
PARTITION OF audit_logs_partitioned
FOR VALUES FROM ('2026-01-01') TO ('2026-02-01');
CREATE TABLE audit_logs_2026_02
PARTITION OF audit_logs_partitioned
FOR VALUES FROM ('2026-02-01') TO ('2026-03-01');
CREATE TABLE audit_logs_2026_03
PARTITION OF audit_logs_partitioned
FOR VALUES FROM ('2026-03-01') TO ('2026-04-01');
When a partition exceeds your retention window, you archive it to cold storage (S3, object storage) and then drop it. This is far more efficient than running DELETE on millions of rows.
Not all audit events deserve the same retention period. Consider a tiered approach:
Most teams over-retain in the hot tier and under-retain in the cold tier. You don't need three years of login events in your primary database. But you absolutely need them somewhere for your SOC 2 auditor. The cost difference between PostgreSQL storage and S3 is roughly 10x — plan accordingly.
Audit logs are write-heavy and read-rarely — until something goes wrong. Then you need fast, flexible queries across potentially millions of rows. According to Datadog's State of DevOps Report, teams with searchable audit trails resolve security incidents 60% faster than those relying on unstructured logs.
Here are the queries you'll run most often during incident investigations:
"What changed in the last hour?" — the first question during any outage:
SELECT
al.audit_date,
u.email,
al.operation_type,
al.data
FROM audit_logs al
JOIN users u ON u.id = al.user_id
WHERE al.audit_date > NOW() - INTERVAL '1 hour'
ORDER BY al.audit_date DESC;
"What did this user do?" — after a compromised account is identified:
SELECT
al.audit_date,
al.operation_type,
al.data,
ig.ip_address,
ig.country
FROM audit_logs al
LEFT JOIN ip_geolocations ig ON ig.id = al.ip_address_id
WHERE al.user_id = 42
ORDER BY al.audit_date DESC
LIMIT 100;
"Who touched this project's env vars?" — narrowing down a configuration issue:
SELECT
al.audit_date,
u.email,
al.operation_type,
al.data->>'key_name' AS variable_name
FROM audit_logs al
JOIN users u ON u.id = al.user_id
WHERE al.operation_type LIKE 'environment_variable.%'
AND al.data->>'project_id' = '456'
ORDER BY al.audit_date DESC;
If you're querying the data column frequently, add a GIN index:
CREATE INDEX idx_audit_logs_data
ON audit_logs USING GIN (data);
This makes JSONB containment queries fast:
-- Find all events for a specific project
SELECT * FROM audit_logs
WHERE data @> '{"project_id": "456"}';
Be cautious with GIN indexes on high-write tables, though. They add overhead to every insert. If your write volume is high, consider using targeted expression indexes instead:
-- Index only the project_id field within data
CREATE INDEX idx_audit_logs_project_id
ON audit_logs ((data->>'project_id'));
Command-line access to audit logs is invaluable during incidents. Here's what that looks like in practice:
# List recent audit events
temps audit list --limit 20
# Filter by operation type
temps audit list --type "deployment.created" --limit 50
# View details of a specific event
temps audit show --id evt_a1b2c3d4
Having audit data accessible via CLI means your on-call engineer doesn't need to open a database client or navigate a dashboard during a 2am incident. They can query directly from their terminal.
[IMAGE: Terminal screenshot showing audit log query results in a deployment platform — CLI audit log viewer]
Temps includes audit logging out of the box for every write operation across the platform. There's no setup required, no third-party integration, and no additional cost. Every deployment, configuration change, user action, and infrastructure event generates a structured audit record automatically.
Every handler that performs a write operation in Temps follows the same pattern: execute the business logic, then create an audit record. Here's a simplified version of how it works internally:
// After a successful configuration update
let audit = ConfigUpdatedAudit {
context: AuditContext {
user_id: auth.user_id(),
ip_address: Some(metadata.ip_address.clone()),
user_agent: metadata.user_agent.clone(),
},
setting_key: key.clone(),
previous_value_hash: hash_value(&old_value),
};
// Audit failure never blocks the main operation
if let Err(e) = app_state
.audit_service
.create_audit_log(&audit)
.await
{
error!("Failed to create audit log: {}", e);
}
Notice the pattern: audit log failures are logged but never fail the primary operation. This is a deliberate design choice. If your audit system goes down, you don't want deployments to stop. The error gets captured in application logs, and the team gets notified — but the deploy still goes through.
Every event type implements the AuditOperation trait, which enforces structured data at compile time:
pub trait AuditOperation: Send + Sync {
fn operation_type(&self) -> String;
fn user_id(&self) -> i32;
fn ip_address(&self) -> Option<String>;
fn user_agent(&self) -> &str;
fn serialize(&self) -> Result<String>;
}
This means you can't accidentally create a malformed audit event. The Rust compiler catches missing fields, wrong types, and serialization issues before the code even runs. Compare that to a system where audit events are constructed as raw JSON strings — typos in field names, missing timestamps, and schema drift are inevitable.
Temps enriches audit events with IP geolocation data automatically. The ip_address_id foreign key in the audit log table points to a geolocation record with country, city, and coordinates. During a security investigation, you can immediately spot anomalies: "Why is there a login from a country where we have no employees?"
Temps exposes audit logs through both its REST API and CLI. The data is queryable by time range, operation type, user, and project. Since everything is stored in PostgreSQL with proper indexes, even large audit tables (millions of rows) return results in milliseconds for common query patterns.
A single audit event in PostgreSQL typically uses 500 bytes to 2KB depending on the JSONB metadata. At 1,000 events per day, that's roughly 0.5-2MB daily, or 180-730MB per year.
Partitioning by month and archiving old partitions to object storage keeps database size manageable. S3 costs drop to roughly $0.023/GB/month for archived data. Most deployment platforms won't exceed a few gigabytes per year in their hot tier.
Audit log writes add minimal latency — typically 1-5ms per INSERT on PostgreSQL with proper indexing. The key is making audit writes asynchronous or fire-and-forget. Temps handles this by logging audit failures without blocking the primary operation.
For high-throughput scenarios, batching audit events and writing them in bulk every few seconds reduces per-request overhead further. According to PostgreSQL's official benchmarks, a single instance handles thousands of inserts per second comfortably.
Application logs capture technical events: errors, warnings, debug info, request timings. They're optimized for debugging code issues and typically use unstructured or semi-structured formats.
Audit logs capture business events: who did what, when, to which resource. They're optimized for compliance, security forensics, and change tracking. They use strict schemas and are immutable. You need both — application logs serve developers, while audit logs serve security teams, compliance auditors, and incident investigators.
Yes. Even without compliance requirements, audit logs help you answer "what changed?" when something breaks. They're especially valuable for deployment platforms because so many incidents trace back to configuration changes rather than code bugs. Future you — debugging a production issue at midnight — will thank past you for setting up audit trails. And if your project grows to a team, you'll already have the infrastructure in place.