System Audit Log

DFIRe maintains an immutable audit log of all system activities. Every action taken by users and the system is recorded with full details, ensuring a complete chain of custody and compliance trail.

Audit Log Records

Each log entry contains the following information:

  • Action type - The type of operation performed (CREATE, UPDATE, DELETE, etc.)
  • Record type - The entity affected by the action (e.g. Case, Item, Attachment, Note, TimelineEvent, User, UserApiKey, Indicator, Settings, SystemBackup, Tenant, Permission, WebhookDelivery, IncomingWebhook)
  • Description - A human-readable description of the change that was made
  • Timestamp - The exact date and time the action occurred, recorded to the second
  • Username - The user who performed the action
  • IP address - The IP address of the client that initiated the request
  • Detailed change data - A structured diff showing OLD and NEW values for all modified fields, providing a complete record of what changed

System events such as heartbeats include health metrics in their change data, covering database status, Redis latency, and queue statistics.

Filtering the Audit Log

The audit log provides a set of filtering controls to help you locate specific entries:

  • Search box - Free-text search across usernames, actions, labels, and content
  • Actions dropdown - Filter by action type (CREATE, UPDATE, DELETE, etc.)
  • Record Types dropdown - Filter by entity type. The dropdown is populated dynamically from the distinct target_model values present in the log.
  • Usernames field - Filter entries by specific users who performed the actions
  • Date Range - Filter entries by a specific time period
  • Reset button - Clears all active filters and returns to the unfiltered view

Immutability and Retention

Audit log records cannot be edited or deleted by any user, including administrators. This ensures a tamper-proof record for compliance and legal purposes. Model-level safeguards raise an exception on any attempt to modify or delete a record after it has been written.

The audit log is append-only. Once written, entries cannot be modified or removed. This is by design to maintain forensic integrity.

Retention

DFIRe never purges audit log entries. The log grows for the lifetime of the installation. If long-term retention or archival is required outside the DFIRe database (for compliance, storage cost, or tamper-evident off-site copies), use the log forwarding feature below to ship entries to an external log aggregation or SIEM system.

System Heartbeats

The system periodically records heartbeat entries that capture a snapshot of system health. Each heartbeat contains:

  • Case statistics - Counts of open, closed, and archived cases
  • Evidence item totals - The total number of evidence items across all cases
  • User activity metrics - Information about active users and session counts
  • Queue health - Pending, failed, and successful task counts for the background task queue
  • Redis and database latency - Response time measurements for core infrastructure services
  • Storage utilization - Current storage consumption and availability
  • System version and uptime - The running application version and how long the system has been operational

These heartbeat entries provide a historical record of system health over time, allowing administrators to identify trends and diagnose issues retroactively.

Compliance, Export, and External Log Forwarding

The audit log supports regulatory compliance requirements including GDPR, PCI DSS, and other frameworks that mandate activity logging and traceability. All recorded events include sufficient detail to satisfy audit and reporting obligations.

Log Forwarding

DFIRe can forward audit log entries to an external log aggregation or SIEM system over HTTPS. Configure this under Settings > Log Integration. Key properties:

  • Transport — HTTPS POST to a configurable endpoint. Plain HTTP is rejected.
  • Payload formats — JSON Batch (for generic webhook receivers), NDJSON (Logstash / Fluentd), Elasticsearch Bulk (OpenSearch / ELK _bulk), or New Relic.
  • Authentication — HTTP Basic Auth or custom headers (e.g. a Bearer token). Credentials and headers are encrypted at rest.
  • Ordered delivery — cursor-based tracking ensures each log entry is sent exactly once, in order.
  • Backfill — on first enable, you can choose to send all historical logs or start from the current point.
  • Reliability — batch size, timeout, retry count, and circuit-breaker threshold are configurable. A circuit breaker opens after a configurable number of consecutive failures to avoid hammering a broken endpoint.
  • Delivery log — recent delivery attempts are visible for debugging (request timing, response code, error messages).

Forwarding is the recommended way to achieve long-term retention off the DFIRe server, since DFIRe itself never purges audit entries. See Integrations for additional integration documentation.