
What is logged

Every significant event in Enclave produces an audit log entry:
| Category | Events |
|---|---|
| Authentication | Login, logout, failed login, MFA events |
| File operations | Upload, download, rename, delete, share |
| Room management | Create, archive, delete, member added/removed |
| Key management | Key wrap, unwrap, rotation |
| User management | Invite, role change, clearance change, deactivation |
| Access reviews | Review started, decision (approved/revoked), review closed |
| Admin actions | Org Unit changes, policy changes |

Log integrity

Each log entry is cryptographically signed using an Ed25519 key held in Enclave’s signing HSM. The signature covers:
  • Event type
  • Actor (user ID)
  • Target (resource ID)
  • Timestamp (UTC, nanosecond precision)
  • Previous entry hash (chain hash)
The chain hash links each entry to the one before it. Any modification to a historical entry breaks the chain — tampering is detectable.
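The following is an added example, not Enclave's code or the enclave-verify implementation, showing how a chain hash exposes edits and deletions in historical entries. The field names (`event`, `actor`, `target`, `ts`, `prev_hash`), the canonical JSON encoding, SHA-256 and the all-zero genesis value are assumptions for illustration; Ed25519 signature checking is left out.

```python
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" value for the very first entry


def entry_hash(entry: dict) -> str:
    """Hash an entry over an assumed canonical JSON form (sorted keys, no spaces)."""
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_chain(events: list[dict]) -> list[dict]:
    """Attach prev_hash (hypothetical field name) linking each entry to the one before."""
    chain, prev = [], GENESIS
    for ev in events:
        entry = {**ev, "prev_hash": prev}
        chain.append(entry)
        prev = entry_hash(entry)
    return chain


def first_broken_link(chain: list[dict]) -> int | None:
    """Index of the first entry whose prev_hash does not match its predecessor, else None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != prev:
            return i
        prev = entry_hash(entry)
    return None


# Constructed sample events (not real Enclave output).
EVENTS = [
    {"event": "auth.login", "actor": "u-100", "target": "session-1", "ts": "2024-01-01T00:00:00.000000001Z"},
    {"event": "file.download", "actor": "u-100", "target": "file-7", "ts": "2024-01-01T00:01:00.000000002Z"},
    {"event": "file.delete", "actor": "u-100", "target": "file-7", "ts": "2024-01-01T00:02:00.000000003Z"},
    {"event": "auth.logout", "actor": "u-100", "target": "session-1", "ts": "2024-01-01T00:03:00.000000004Z"},
]

if __name__ == "__main__":
    chain = build_chain(EVENTS)
    print("intact:", first_broken_link(chain))
    edited = [dict(e) for e in chain]
    edited[1]["actor"] = "u-999"  # alter a historical entry
    print("entry 1 edited, break reported at:", first_broken_link(edited))
    print("entry 2 removed, break reported at:", first_broken_link(chain[:2] + chain[3:]))
```

An edit is reported at the entry after the modified one, because that is where the stored `prev_hash` stops matching. Chain checking alone cannot detect an edit to the final entry or removal of trailing entries; those cases rely on the signatures described on this page.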

Verifying the audit log

You can verify the integrity of any log export:
```bash
# Download the audit log export from Enclave (JSON Lines format)
# Each line is one event with a detached signature

enclave-verify audit-log --file export.jsonl --public-key enclave-signing.pub
```
The verification tool is open source and available at github.com/quelden/enclave-verify.

Exporting logs

Logs can be exported from Settings → Audit Log → Export:
  • Format — JSON Lines (one event per line), CSV
  • Date range — filter by start and end date
  • Event types — filter by category
  • User — filter by specific actor
Exports are signed. The export itself carries a manifest signature covering all included entries.

SIEM integration

Enclave can stream audit events to your SIEM in real time via webhook:
  1. Navigate to Settings → Audit Log → SIEM Integration
  2. Enter your webhook endpoint URL
  3. Select event categories to stream
  4. Click Save — Enclave will send a test event to verify connectivity
Events are delivered as signed JSON payloads. Retries are attempted for 24 hours on failed delivery. Tested integrations:
  • Splunk HTTP Event Collector
  • Elastic / OpenSearch
  • Microsoft Sentinel
  • Sumo Logic
  • Datadog Log Management

Retention

| Tier | Retention | Notes |
|---|---|---|
| Hot (queryable) | 90 days | Full search and filter in UI |
| Cold (archived) | 7 years | Downloadable exports only |

Retention periods can be extended on request for regulatory requirements. Retention cannot be shortened below 7 years for SOC 2 Type II compliance.