1. Introduction

Corbado provides comprehensive audit logging capabilities designed to meet your organization’s compliance and security requirements. Our audit logging system captures and securely stores all critical events across the authentication infrastructure, providing complete visibility into user activities, administrative actions, and system operations. Key features of Corbado’s audit logging include:
  • Complete Event Coverage: Audit logs are automatically generated for all relevant event types, including authentication events, user management operations, and administrative changes
  • Compliance-Ready: Designed to align with major compliance frameworks (e.g. ISO 27001 and SOC 2)
  • Tamper-Proof Storage: All audit logs are stored using Write-Once-Read-Many (WORM) technology, ensuring data integrity and preventing unauthorized modifications
  • Long-Term Retention: Audit logs are retained for up to 10 years, depending on your requirements
  • Real-Time Streaming: Stream audit log events to external systems like SIEM platforms for real-time monitoring and analysis
This audit logging system provides the foundation for maintaining security oversight, meeting regulatory requirements, and supporting forensic investigations when needed.
Audit logs can be customized for Enterprise Plus customers with private cloud deployments to support extended information requirements, such as HIPAA compliance data or financial transaction details when using passkeys for payment authentication.

2. Event Types

Corbado captures audit log events from different operational areas to provide comprehensive visibility into the authentication infrastructure. The audit log covers the following event categories:
  • Authentication Events: User login attempts and passkey operations, among others
  • User Management Events: User creation, updates, status changes, and other user-related activities
  • Administrative Events: Configuration changes such as Gradual Rollout rule updates, and similar operations
Each event includes detailed metadata such as timestamps, user identifiers, and contextual information for full traceability.
Authentication events are logged for all user interactions across your entire authentication infrastructure. This includes both end-users of your application using Corbado Connect and administrative users accessing the Corbado Management Console. All authentication attempts, whether successful or failed, are captured with full context to ensure complete audit coverage and support security investigations.

3. Streaming

All audit log events can be streamed in real time to external systems for monitoring, analysis, and compliance purposes. Our streaming implementation includes robust retry logic to ensure reliable delivery of audit events. This capability is particularly useful for feeding audit log events into your SIEM (Security Information and Event Management) system for centralized security monitoring and alerting.

3.1. Supported Destinations

Corbado supports streaming to the following systems:
  • Coralogix
  • Datadog
  • Dynatrace
  • Elastic
  • Honeycomb
  • LogicMonitor
  • New Relic
  • Snowflake
  • Splunk
  • Sumo Logic
Additionally, you can stream events to an HTTP endpoint, providing maximum flexibility to connect audit logs to any system of your choice.