
ADR 0005 - Centralized Audit Platform and Action Inventory

Date: 2026-02-07
Status: Accepted

Context

We need a single place to ingest and store audit events across services, configure SIEM streaming, and provide a stable filter inventory for the UI, while preserving flexibility as new services emit new actions.

Decision

  • Create a centralized Audit Service as the system of record for audit events.
  • Producer services use an outbox pattern to ensure reliable delivery.
  • Accept all audit events even if action names are nonconforming.
  • Inventory action names that match the naming convention and track discovered vs canonical.
  • Provide APIs for canonical action lists and tagging.
  • Support tenant-scoped and workspace-scoped SIEM sinks with tenant admin governance.
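
A sketch of the accept-all, inventory-only-conforming rule above, as an added example rather than the Audit Service's own code. The ADR does not state the naming convention, so the `service.resource.verb` pattern, the `AuditService` class and its `promote` method are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed convention (not stated in the ADR): lowercase, dot-separated
# "service.resource.verb", e.g. "billing.invoice.create".
ACTION_RE = re.compile(r"[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*){2}")


@dataclass
class AuditService:
    events: list = field(default_factory=list)     # system of record: every event
    inventory: dict = field(default_factory=dict)  # action -> "discovered" | "canonical"

    def ingest(self, event: dict) -> bool:
        """Store the event unconditionally; return True if its action was inventoried."""
        self.events.append(event)
        action = event.get("action")
        # The action name is producer-controlled input: only strings that fully
        # match the convention may reach the filter list shown in the UI.
        if not isinstance(action, str) or not ACTION_RE.fullmatch(action):
            return False  # retained for querying and SIEM, kept out of the inventory
        self.inventory.setdefault(action, "discovered")  # never demotes canonical
        return True

    def promote(self, action: str) -> None:
        """Mark a discovered action as canonical (hypothetical admin operation)."""
        if action not in self.inventory:
            raise KeyError(f"not inventoried: {action!r}")
        self.inventory[action] = "canonical"

    def actions(self, status: str) -> list:
        return sorted(a for a, s in self.inventory.items() if s == status)


def demo() -> AuditService:
    svc = AuditService()
    # Constructed sample events: two conforming, one misnamed, one repeat, one missing.
    for action in ("billing.invoice.create", "auth.session.revoke",
                   "DeleteUser", "auth.session.revoke", None):
        svc.ingest({"tenant": "t1", "action": action})
    svc.promote("auth.session.revoke")
    return svc
```
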

Consequences

  • Auditing becomes a platform concern with consistent querying and external log shipping.
  • The UI can offer canonical filters while still exposing discovered actions.
  • Misnamed actions are retained but not inventoried, reducing UI noise.

Alternatives considered

  • Per-service audit tables (rejected: fragmented log shipping and querying).
  • Hard-coded action list only (rejected: slows iteration and misses new actions).