Browse docs
--- title: "Enterprise Audit Logs" description: "Immutable audit trails, retention policies, PII controls, and audit log API for SOC 2, GDPR, and HIPAA compliance." icon: "scroll" ---
Overview
Enterprise audit logs provide immutable, timestamped records of all gateway activity — configuration changes, access events, and API requests. When compliance is enabled, audit logs support immutability guarantees, configurable retention, PII redaction policies, and evidence export for compliance frameworks.
Captured Events
- Configuration changes — Providers, models, keys, guardrails, workflows
- Authentication events — Login, logout, failed attempts, session refresh
- Permission changes — Role assignments, key rotations, user status changes
- Budget modifications — Limit changes, resets, setting updates
- API requests — Model calls with metadata (path, provider, model, tokens, latency, status)
Configuration
Basic Audit Logging
Enabling audit logging is not Enterprise-specific — it works in OSS too. Enterprise adds compliance controls on top.
logging:
enabled: true
log_bodies: false
log_headers: false
only_model_interactions: true
buffer_size: 1000
flush_interval: 5
retention_days: 30LOGGING_ENABLED=true
LOGGING_LOG_BODIES=false
LOGGING_LOG_HEADERS=false
LOGGING_ONLY_MODEL_INTERACTIONS=true
LOGGING_BUFFER_SIZE=1000
LOGGING_FLUSH_INTERVAL=5
LOGGING_RETENTION_DAYS=30Environment Variables
Compliance Controls
With the Enterprise compliance capability enabled, audit logs gain additional controls:
compliance:
enabled: true
audit_immutability: true
data_residency: "us"
pii_logging_policy: "redact" # redact | hash | block
evidence_retention_days: 365
access_review_cadence_days: 90
evidence_export_target: "s3://aurora-compliance-evidence"Retention
Log retention is configurable. Default retention is 30 days (0 = forever). Enterprise supports extended retention periods up to the configured evidence_retention_days.
Log cleanup runs periodically based on retention_days. Records older than the retention window are automatically purged.
Admin API
For endpoint reference see the Admin API section.
curl -H "Authorization: Bearer $AURORA_MASTER_KEY" \
http://your-aurora-host/admin/api/v1/audit?days=7&limit=50Export
See Log Exports for automated export to OTLP, Datadog, webhook, or S3 destinations.
Compliance Frameworks
Aurora Enterprise audit logs support compliance with:
- SOC 2 — Change logging and access tracking
- GDPR — Data access and processing records
- HIPAA — Access and modification audit trail
- ISO 27001 — Logging and monitoring controls