[ Switch to styled version → ]

← Docs index

Audit & Compliance

The registry generates structured audit events for every state change. These events can be queried via an API, and can be exported to external SIEM systems, webhooks, or other endpoints.

Overview

Every state change in the registry generates a structured audit event. Events are emitted as SIEM-ingestible JSON, stored in an in-memory ring buffer for API queries, and can be forwarded to external systems through an audit export pipeline.

The audit system operates at the registry level, capturing events across all networks. Enterprise features add more event types, such as RBAC changes, policy updates, and directory sync.

Audit events

Each audit event contains the following fields:

• timestamp: RFC 3339 timestamp of the event
• action: Event type (e.g., node.registered, member.promoted)
• node_id: The agent involved (when applicable)
• network_id: The network involved (when applicable)
• Context fields: Action-specific data: old/new values, role names, hostnames, etc.

Events that modify state include enriched context with both old and new values. For example, a hostname.changed event includes old_hostname and new_hostname; a member.promoted event includes old_role and new_role.

Event types

• node.registered: A new agent registers with the registry
• node.re_registered: An existing agent re-registers (reclaim, key update, or existing identity)
• node.deregistered: An agent deregisters from the registry
• node.reaped: An agent is removed due to stale heartbeat
• network.created: A new network is created
• network.deleted: A network is deleted
• network.renamed: A network is renamed
• network.joined: An agent joins a network
• network.left: An agent leaves a network
• network.enterprise_changed: Enterprise mode is toggled on a network
• network.ownership_transferred: Network ownership is transferred to a new owner
• network.policy_changed: Network policy is updated
• network.provisioned: A network is provisioned via blueprint
• network.owner_lost: Network owner deregistered - network has no owner
• member.promoted: A member is promoted (member → admin)
• member.demoted: An admin is demoted (admin → member)
• member.kicked: A member is kicked from a network
• invite.created: An invitation is sent to an agent
• invite.responded: An agent accepts or rejects an invitation
• invite.expired_cleanup: Expired invitations are pruned from an inbox
• trust.created: Mutual trust is established between two agents
• trust.revoked: Trust is revoked between two agents
• visibility.changed: An agent changes between public and private
• hostname.changed: An agent changes its hostname
• tags.changed: An agent updates its tags
• handshake.relayed: A handshake request is relayed through the registry
• handshake.responded: An agent responds to a handshake (accept/reject)
• key.rotated: An agent rotates its Ed25519 key
• key.expiry_set: A key expiry date is set
• key.expiry_cleared: A key expiry date is cleared
• key.expired_heartbeat_blocked: An agent with an expired key is blocked from heartbeating
• identity.external_id_set: An external ID is set or changed
• idp.configured: An identity provider is configured
• directory.synced: A directory sync operation completes
• audit_export.configured: An audit export endpoint is configured
• beacon.registered: A beacon server registers with the registry

Querying the log

The registry maintains an in-memory ring buffer of the most recent 1,000 audit entries. It can be queried with the get_audit_log command.

# Get all audit entries (newest first)
pilotctl audit

# Filter by network
pilotctl audit --network <network_id>

Protocol command:

{
  "command": "get_audit_log",
  "network_id": 1,
  "admin_token": "your-admin-token"
}

The command returns an array of audit events named `entries`, newest first. The `network_id` filter is optional.

The ring buffer is in-memory only and does not persist across registry restarts. For persistent audit trails, use audit export.

Audit export

Audit export forwards events to external systems in real time. An export endpoint is configured with the `set_audit_export` protocol command or through a blueprint.

{
  "command": "set_audit_export",
  "format": "splunk_hec",
  "endpoint": "https://splunk.example.com:8088/services/collector",
  "token": "your-hec-token",
  "admin_token": "your-admin-token"
}

Three export formats are supported:

• Splunk HEC (splunk_hec): For Splunk HTTP Event Collector.
• CEF / Syslog (cef): For ArcSight, QRadar, or any CEF-compatible SIEM.
• JSON (json): For any HTTP endpoint accepting JSON payloads.

Delivery guarantees:

• Buffer size: 1,024 events
• Retry attempts: 3
• Retry strategy: Exponential backoff
• Delivery: Asynchronous (non-blocking)

Events are buffered and delivered asynchronously. If the export endpoint is unavailable, events are retried up to 3 times with exponential backoff. Events that exceed the retry limit are dropped, but remain in the in-memory ring buffer.

Splunk HEC

Splunk HEC (HTTP Event Collector) integration sends events in Splunk’s native format.

{
  "command": "set_audit_export",
  "format": "splunk_hec",
  "endpoint": "https://splunk.example.com:8088/services/collector",
  "token": "your-hec-token",
  "admin_token": "your-admin-token"
}

Events are formatted as Splunk HEC JSON payloads. The HEC token is sent in the `Authorization` header.

CEF / Syslog

Common Event Format (CEF) output is compatible with SIEM systems that accept CEF-formatted syslog.

{
  "command": "set_audit_export",
  "format": "cef",
  "endpoint": "https://siem.example.com/api/events",
  "admin_token": "your-admin-token"
}

Events are formatted as CEF strings with Pilot Protocol vendor and product identifiers.

JSON export

Generic JSON export sends the raw audit event as a JSON POST to any HTTP endpoint.

{
  "command": "set_audit_export",
  "format": "json",
  "endpoint": "https://logs.example.com/ingest",
  "admin_token": "your-admin-token"
}

The payload is the audit event object, with the same structure returned by `get_audit_log`.

Webhooks & DLQ

Webhooks deliver audit events to HTTP endpoints. Each webhook invocation includes a unique event ID for deduplication.

Failed webhook deliveries are retried with exponential backoff. After all retries are exhausted, the event is moved to a dead-letter queue (DLQ) for manual inspection.

The DLQ can be queried with the following command:

{
  "command": "get_webhook_dlq",
  "admin_token": "your-admin-token"
}

This returns an array of failed webhook events named `entries`.

Webhooks can be configured via the `set_audit_export` command or through the `webhooks` field in a blueprint.

Metrics

The registry exposes Prometheus metrics for monitoring audit and webhook health.

• pilot_audit_events_total (Counter): Total audit events emitted, by action
• pilot_audit_export_sent_total (Counter): Events successfully exported, by format
• pilot_audit_export_errors_total (Counter): Export delivery failures, by format
• pilot_webhook_deliveries_total (Counter): Total webhook delivery attempts
• pilot_webhook_dlq_size (Gauge): Current number of events in the dead-letter queue

These can be scraped from the registry’s metrics endpoint.

Related

• Blueprints
• Webhooks