# Audit Playbook — Who Did What, When

AKKO captures audit events from 6 sources into a centralized log store (the logs layer), queryable via Dashboards.
## Audit Sources

| Source | What is captured | logs layer label | LogQL filter |
|---|---|---|---|
| PostgreSQL (pgaudit) | SELECT, INSERT, UPDATE, DELETE with user + statement | `app="akko-postgres"` | `\|= "AUDIT"` |
| Keycloak | LOGIN, LOGOUT, LOGIN_ERROR, token grants | `app="akko-keycloak"` | `\|= "type="` |
| Trino | Every completed query (user, SQL, duration, rows) | `app="akko-ai-service"` | `\|= "TRINO_QUERY"` |
| object storage | S3 API calls (GET, PUT, DELETE on buckets/objects) | `app="akko-ai-service"` | `\|= "MINIO_ACCESS"` |
| OPA | Authorization decisions (allow/deny per policy) | `app="akko-opa"` | `\|= "decision"` |
| Airflow/Superset | Flask-AppBuilder auth events | `app="akko-api-server"` / `app="superset"` | `\|= "security"` |
## Dashboards Dashboard

Open Dashboards → Dashboards → AKKO Audit Trail (`/d/akko-audit-trail/`).

6 panels:

1. Keycloak Auth Events
2. Trino Query Audit
3. PostgreSQL Audit (pgaudit)
4. object storage Access Audit
5. OPA Authorization Decisions
6. Audit Event Volume (stacked bar chart)
## Common Queries

### Who accessed table X?

### Who ran queries in the last hour?

### Failed logins?

### Who downloaded files from object storage?
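Each of these questions is answered by taking the source's stream label and base filter from the Audit Sources table, appending a narrower `|=` filter, and reading the matched lines. The Python below is an added example, not AKKO project code: it composes such LogQL queries and parses constructed pgaudit and Keycloak event lines for the "who accessed table X" and "failed logins" cases, assuming PostgreSQL's `log_line_prefix` includes `user=%u` and that Keycloak writes events as `key=value` pairs.

```python
import re
from collections import Counter

# Stream label and base line filter per source, copied from the Audit Sources table.
AUDIT_SOURCES = {
    "postgres": ('app="akko-postgres"', '|= "AUDIT"'),
    "keycloak": ('app="akko-keycloak"', '|= "type="'),
    "trino": ('app="akko-ai-service"', '|= "TRINO_QUERY"'),
    "minio": ('app="akko-ai-service"', '|= "MINIO_ACCESS"'),
    "opa": ('app="akko-opa"', '|= "decision"'),
}

def logql(source, *extra_filters):
    """Build a LogQL query: stream selector, the source's base filter, then extra |= filters."""
    label, base = AUDIT_SOURCES[source]
    return " ".join((f"{{{label}}}", base, *extra_filters))

# pgaudit SESSION entries: AUDIT: SESSION,<stmt_id>,<substmt_id>,<class>,<command>,<object_type>,<object_name>,<statement>,<params>
# The database user comes from log_line_prefix; this example assumes the prefix contains "user=%u".
PGAUDIT_RE = re.compile(
    r"user=(?P<user>[^,\s]+).*?AUDIT: SESSION,\d+,\d+,(?P<cls>\w+),(?P<cmd>\w+),"
    r"(?P<otype>[^,]*),(?P<oname>[^,]*),"
)

def who_accessed(lines, table):
    """Answer 'who accessed table X?': Counter of db user -> statements that touched `table`."""
    matches = (PGAUDIT_RE.search(line) for line in lines)
    return Counter(m["user"] for m in matches if m and m["oname"] == table)

def failed_logins(lines):
    """Answer 'failed logins?': Counter of source IP -> Keycloak LOGIN_ERROR events."""
    events = (dict(kv.split("=", 1) for kv in line.split(", ") if "=" in kv) for line in lines)
    return Counter(e.get("ipAddress", "unknown") for e in events if e.get("type") == "LOGIN_ERROR")

# Constructed sample lines (not real captures), shaped like pgaudit and Keycloak output.
PG_SAMPLE = [
    '2024-05-01 10:00:01 UTC [123] user=alice,db=akko LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,public.customers,"SELECT * FROM customers",<not logged>',
    '2024-05-01 10:00:05 UTC [124] user=bob,db=akko LOG:  AUDIT: SESSION,1,1,WRITE,UPDATE,TABLE,public.customers,"UPDATE customers SET tier = 2",<not logged>',
    '2024-05-01 10:00:09 UTC [125] user=alice,db=akko LOG:  AUDIT: SESSION,2,1,READ,SELECT,TABLE,public.orders,"SELECT count(*) FROM orders",<not logged>',
]
KC_SAMPLE = [
    "type=LOGIN_ERROR, realmId=akko, clientId=akko-ui, userId=null, ipAddress=10.0.0.7, error=user_not_found, username=mallory",
    "type=LOGIN, realmId=akko, clientId=akko-ui, userId=7b1c, ipAddress=10.0.0.5, username=alice",
    "type=LOGIN_ERROR, realmId=akko, clientId=akko-ui, userId=7b1c, ipAddress=10.0.0.7, error=invalid_user_credentials, username=alice",
]
```

`logql("postgres", '|= "public.customers"')` yields the query to paste into the Dashboards explore view; the two parsers then summarise whatever lines it returns.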
## Retention

Default: 7 days (logs layer filesystem storage). Configure it in `values-dev.yaml` under `loki.loki.config.limits_config.retention_period`.

For production (90+ days), use the S3 backend for logs layer storage.
## Export to SIEM

The logs layer supports forwarding to external systems:

- Elasticsearch: use the log shipper output plugin or the logs layer ruler
- Splunk: use the log shipper syslog output
- Webhook: configure logs layer ruler alerts to POST to any endpoint