Cerbos Hub Audit Logs Live in Beta

Audit Logs are now available as a beta feature in Cerbos Hub!

Audit logs capture access records and decisions made by each individual policy decision point (PDP), and bundle it along with all the associated context and data. Whether you’re a developer, security engineer, or product owner, this highly anticipated addition brings new possibilities not only to how you use Cerbos, but to your entire workflow as well.

Audit Logs for Developers, Security Engineers and PMs

For developers, Cerbos Hub Audit Logs provide deep visibility into every decision made by your PDPs, allowing you to quickly debug issues, understand logic paths, and ensure your authorization logic is functioning as intended. From a security standpoint, the feature provides deep insights into every authorization decision, enabling you to track user activities, investigate potential breaches, and meet compliance requirements. For product managers, Cerbos Hub Audit Logs provide detailed visibility into how authorization decisions impact user journeys, enabling you to effectively diagnose access issues, understand user behavior, and make informed data-driven decisions to enhance your product.

Access Logs and Decision Logs

Audit logs come in two flavours: access logs and decision logs.

Access logs are all about API requests, timings, sources—in other words, the standard sorts of request logging things that form the backbone of any monitoring strategy.

Decision logs, on the other hand, are much more interesting. When the PDP makes a decision, audit logs will record not only the outcome of the decision, but all of the context around that event as well.

Cerbos PDP Audit Logs

While this is a beta feature in Hub, the open source Cerbos Policy Decision Point is ready to go! The audit block configuration object currently supports four destinations out of the box. The local backend uses a straightforward key-value store to save audit records locally, which can then be queried directly from the CLI. The file backend generates JSON-formatted logs that are perfect for ingestion by log aggregators such as Datadog or Graylog. The Kafka backend—one of our favourite open source success stories—writes out directly to a Kafka topic, just as you’d expect. The real magic, however, is the all-new Hub backend.

Cerbos Hub Audit Logs

By configuring your PDPs to send audit logs to Cerbos Hub, you get an immediate log aggregation solution to securely collect, store, and query audit logs from across your fleet. Every request, every decision, every bit of metadata—and all of this fully customizable for your particular situation. Are you only interested in denies? No problem. Are you in a regulated environment and you need to mask certain fields? No worries whatsoever. And, since everything is natively Cerbos, the audit logs interface in Hub takes full advantage of the context of each log entry. This means you can deep dive into every decision to understand why it was made, and even which version of the policy was active at the time.

So whether you’re new to Cerbos, or deploying a handful of PDPs to the cloud, or managing a distributed fleet across hundreds of sites, Cerbos Hub Audit Logs has you covered. With this feature, you can achieve faster debugging, enhanced security, and easier compliance verification.