Audit Logging
Honeyframe maintains a comprehensive audit log of all significant administrative and data access events within the platform. This trail provides organization administrators with the visibility needed for compliance reviews, security investigations, and usage monitoring.
Overview
Every audit log entry captures:
- Who: The user who performed the action.
- What: The specific action performed (e.g.,
project.edit,login). - Where: The resource affected (resource type and ID) and the caller's IP address.
- When: An ISO 8601 timestamp of the event.
- Context: Structured JSON details about the event.
Data Schema
Audit events are stored in the honeyframe.audit_log table:
| Column | Type | Description |
|---|---|---|
log_id | SERIAL | Unique identifier for the log entry. |
created_at | TIMESTAMP | Event timestamp (UTC). |
user_id | INTEGER | User who performed the action. |
action | TEXT | Dot-separated action code (e.g., dashboard.edit). |
resource_type | TEXT | Type of resource (e.g., dashboard, dataset). |
resource_id | TEXT | Unique identifier of the resource. |
details | JSONB | Structured event-specific metadata. |
ip_address | TEXT | Originating IP address of the request. |
Event Categories
For high-level reporting and visualization, audit actions are grouped into seven coarse categories:
- Admin Override: Administrative shortcuts (e.g., an admin viewing a private project).
- Auth: Authentication events (login, logout, password resets).
- Dashboard: Creations, modifications, and deletions of dashboards and cards.
- Dataset: All data-related operations, including recipes and flows.
- Notebook: Notebook execution and management.
- Agent: Interactions with AI agents and chat features.
- Entity: Healthcare-specific entity resolution and search events.
Audit Viewer
Organization administrators can access the Audit Viewer via the platform's Security settings.
Search and Filtering
The viewer supports multi-axis search:
- Action Search: Filter by exact action code or category.
- User Filter: View events for a specific user.
- Date Range: Filter by ISO 8601 timestamps.
- Free-text Search: A substring search across actions, resources, details, and user names.
Audit Timeline
The top of the Audit Viewer features a daily event timeline.
- Sparkline: Shows overall activity trends.
- Stacked Mode: Color-coded breakdown by category to identify spikes in specific areas (e.g., auth failures or admin overrides).
Compliance Reporting (CSV Export)
Administrators can export the filtered view of the audit log as a CSV file for external reporting.
- Human-readable Labels: Exports include an
action_labelcolumn that translates internal codes into plain English (e.g.,Admin override · read). - Export Ceiling: Exports are capped at 100,000 rows to ensure platform stability. A warning is appended to the file if truncation occurs.
Real-time Integration (Webhooks)
Audit events are streamed in real-time to external systems via the audit.event webhook channel. When an event is logged, Honeyframe emits a JSON payload to all subscribed endpoints for that organization. This allows for real-time alerting or ingestion into external SIEM tools.
See paas/backend/middleware/audit_middleware.py for the implementation of the logging service.