1. Introduction
Corbado’s Audit Log provides comprehensive event logging with a flexible custom format designed to meet your organization’s compliance and regulatory requirements. This logging system captures and securely stores all critical events across the authentication infrastructure, providing complete visibility into user activities, administrative actions, and system operations.Corbado also maintains a separate Security Log using the standardized OCSF format, optimized for SIEM integration. While some events appear in both logs, the Audit Log uses a custom format that can be tailored to specific compliance requirements.
1.1 Audit Log vs. Security Log
Corbado provides two separate logging systems that serve different purposes:| Aspect | Audit Log | Security Log |
|---|---|---|
| Format | Custom format | OCSF 1.6.0 (standardized) |
| Primary Purpose | Compliance & regulatory requirements | SIEM integration, security monitoring |
| Best For | Auditors, compliance officers, regulatory audits | Security teams, SOC analysts, threat detection |
| Event Coverage | Broader custom events for compliance needs | IAM events using OCSF classes |
| Flexibility | High (customizable for specific requirements) | Standardized (vendor-agnostic) |
- Meeting specific compliance framework requirements (ISO 27001, SOC 2, HIPAA)
- Custom audit trail requirements
- Regulatory reporting with specific data fields
- Long-term compliance record keeping
- Integrating with SIEM platforms (Splunk, Datadog, etc.)
- Real-time security monitoring and alerting
- Standardized security event analysis
- Cross-platform security correlation
1.2 Key Features
- Flexible Custom Format: Tailored event structure to meet specific compliance and regulatory requirements
- Complete Event Coverage: Audit logs are automatically generated for all relevant event types, including authentication events, user management operations, and administrative changes
- Compliance-Ready: Designed to align with major compliance frameworks (e.g. ISO 27001, SOC 2, and HIPAA)
- Tamper-Proof Storage: All audit logs are stored using Write-Once-Read-Many (WORM) technology, ensuring data integrity and preventing unauthorized modifications
- Long-Term Retention: Audit logs are retained for up to 10 years, depending on your requirements
- Real-Time Streaming: Stream audit log events to external systems for real-time monitoring and analysis
Audit logs can be customized for Enterprise Plus customers with private cloud deployments to support extended information requirements, such as HIPAA compliance data or financial transaction details when using passkeys for payment authentication.
2. Event Types
Corbado captures audit log events from different operational areas to provide comprehensive visibility into the authentication infrastructure. The audit log covers the following event categories:- Authentication Events: User login attempts, passkey operations, among others
- User Management Events: User creation, updates, status changes, plus additional user-related activities
- Administrative Events: Configuration changes like Gradual Rollout rule updates, and similar operations
Authentication events are logged for all user interactions across your entire authentication infrastructure. This includes both end-users of your application using Corbado Connect and administrative users accessing the Corbado Management Console. All authentication attempts, whether successful or failed, are captured with full context to ensure complete audit coverage and support security investigations.
3. Streaming
All audit log events can be streamed in real-time to external systems for monitoring, analysis, and compliance purposes. Our streaming implementation includes robust retry logic to ensure reliable delivery of audit events.3.1. Supported Destinations
Corbado supports streaming to the following systems:- Amazon EventBridge
- Coralogix
- Datadog
- Dynatrace
- Elastic
- Honeycomb
- LogicMonitor
- New Relic
- Snowflake
- Splunk
- Sumo Logic