Zuplo Audit Logs
Zuplo's Audit Logs feature gives you a complete audit trail of your API with a single policy: the gateway records a structured event for every request, stores the events for you, and makes them available in the Zuplo Portal and through the Zuplo API.
Enterprise Feature
Audit Logs is available as an add-on as part of an enterprise plan. If you would like to purchase this feature, please contact us at sales@zuplo.com or reach out to your account manager.
Most enterprise features can be used in a trial mode for a limited time. Feel free to use enterprise features for development and testing purposes.
How it works
Add the Audit Logs policy to any route and the gateway records one structured audit event per request — who made the request, what they called, and the outcome. You can also emit your own custom events (for example, "account deleted") from handlers and custom policies. Every event follows the CloudEvents 1.0 format.
Zuplo stores the events for you, grouped by environment — production, preview, and working copy environments each write to their own bucket. You don't need a database, logging service, or any other infrastructure of your own.
Recording audit events
Automatic request events
Add the policy to the routes you want audited. Typically that's any route that modifies data, though depending on your API you may want it on sensitive read operations as well (for example, retrieving a secret).
Code
Each request through the policy produces an event of type
com.zuplo.api.request capturing the actor, HTTP method and path, response
status, caller IP address, and geolocation.
Audit events can contain personal or sensitive data. The policy's include
options let you turn off individual fields (query parameters, user identity, IP
address, geolocation) to satisfy your own data-handling and personally
identifiable information (PII) policies, and samplingRate lets you capture
only a fraction of requests on high-volume routes. See the
policy reference for all options.
Custom events
Beyond the automatic per-request event, record your own domain events from a
handler or custom policy with the static AuditLogInboundPolicy.log() method.
Only type is required — Zuplo fills in the actor, timestamp, request ID, and
other context fields automatically from the request:
Code
Audit logging is best-effort by design: log() never throws and never blocks or
fails the request, even if an event can't be recorded.
Viewing audit logs in the portal
To browse and search your audit logs, open your project's Services page in the Zuplo Portal and select the Audit Logs tile for the environment you want to inspect.
The events view lets you:
- Filter events by time range, event type, actor, and subject
- See the top event types and most active actors for the selected window
- Select any event to inspect the full event payload
Querying audit logs with the API
Everything in the portal is backed by the Zuplo API, so you can query audit logs programmatically — for scripting, custom dashboards, or exporting to other systems. Authenticate with a Zuplo API key and query events by bucket name. Your bucket name is shown on the Services page in the portal (it's the same bucket used by the API Key Service).
Code
Code
Two endpoints are available:
- Query events —
GET /v1/audit-logs/{bucketId}/eventsreturns matching events, filterable bytype,actorSub,subject, and time range. - Aggregated stats —
GET /v1/audit-logs/{bucketId}/statsreturns top-N event counts grouped by event type or actor.
The bucketId path parameter accepts either the bucket ID or the bucket name.
Each query is limited to a 30-day window between startDate and endDate. See
the Audit Logs API reference for all parameters and
response schemas.
Exporting audit logs to a SIEM
Many organizations centralize audit trails in a SIEM (Splunk, Microsoft Sentinel, Datadog Cloud SIEM, and so on) to correlate API activity with other security signals, drive alerting, and meet long-term retention requirements. The events API is designed for this: run a scheduled job that pulls new events since its last checkpoint and forwards them to your SIEM.
Code
Because every event is a CloudEvents document, most SIEMs can ingest the payload directly without transformation.
Alternatively, if you'd rather send audit events to an external audit provider directly from the gateway instead of storing them in Zuplo, see Custom Audit Logs.
Related resources
- Audit logging overview — why audit logging matters and how the options compare
- Audit Logs policy reference — all configuration options, custom event fields, and the full event shape
- Audit Logs API reference — query events and stats programmatically
- Account audit logs — the audit trail of your Zuplo account itself