Audit Trail

Available in ≥ 3.6.0-funcrel

Overview

The platform records audit events for key application and domain lifecycle operations. Each event captures who performed the action, the outcome, and details about the affected resource.

Audited operations

Application events

Each application operation produces two events - one when the action is requested and one when it completes:

Operation	Events produced
Delete application	`CREATED` on request - `SUCCESS` / `FAILURE` / `CANCELED` on completion
Rename application	`CREATED` on request - `SUCCESS` / `FAILURE` / `CANCELED` on completion
Fast scan	`CREATED` on request - `SUCCESS` / `FAILURE` / `CANCELED` on completion
Deep analysis	`CREATED` on request - `SUCCESS` / `FAILURE` / `CANCELED` on completion
Import application to Imaging Viewer	`CREATED` on request - `SUCCESS` / `FAILURE` / `CANCELED` on completion

Domain events

Domain operations produce a single event on completion:

Event type	Fired when
`CREATE_DOMAIN`	A new domain is created
`UPDATE_DOMAIN`	A domain is renamed
`DELETE_DOMAIN`	A domain is deleted
`ATTACH_DOMAIN`	One or more applications are moved to a domain

Event schema

Each event is stored as a single JSON entry containing the following fields:

Field	Description
`id`	Unique event identifier
`eventTime`	Timestamp (UTC)
`type`	Operation type
`username`	User who performed the action
`userId`	User identifier
`userRole`	Role of the user
`tenantId`	Tenant identifier
`tenantDisplayName`	Tenant display name
`sourceIp`	IP address of the caller
`serviceName`	Internal service that recorded the event
`result`	`CREATED`, `SUCCESS`, `FAILURE`, or `CANCELED`
`message`	Description of the operation
`payload`	Event-specific details - see payload contents below

Payload contents by event type:

Most application lifecycle events: applicationGuid and applicationName
RENAME_APP (CREATED): applicationGuid, oldName, and newName
Domain events (CREATE_DOMAIN, UPDATE_DOMAIN, DELETE_DOMAIN): domainGuid and domainName
ATTACH_DOMAIN: domainGuid only (empty string if applications are being cleared from a domain)

Not all fields are present in every event. Fields such as userId, userRole, and sourceIp may be absent depending on which internal service recorded the event.

File location

The audit trail is written to a flat text file. The location depends on your deployment configuration. The file is stored inside the common-data folder:

Microsoft Windows: C:\cast-node\common-data\audit-trail\audit-events.txt
Linux: /opt/cast/shared/common-data/audit-trail/audit-events.txt

File rotation

The active audit file is always named audit-events.txt.
When the file reaches 10 MB, it is automatically renamed with a timestamp (e.g. audit-events-2025-03-11T01-00-00-000Z.txt) and a new audit-events.txt is created.
No events are lost during rotation.
The size threshold is configurable in application.yml of the control-panel component - see Configuration below.

File purge

A scheduled job runs daily at 01:00 and deletes rotated files older than 90 days.
The active audit-events.txt is never deleted, regardless of age.
The retention period is configurable in application.yml of the control-panel component - see Configuration below.

Configuration

Audit behaviour is controlled by settings in the control-panel component (part of imaging-services). Available settings include:

Setting	Description	Default
`application.audit.file-max-size-bytes`	Maximum size of `audit-events.txt` before rotation	`10485760` (10 MB)
`application.audit.purge-days`	Number of days to retain rotated audit files	`90`

Microsoft Windows

The settings are located in the application.yml file located here:

%PROGRAMFILES%\CAST\Imaging\CAST-Imaging-Control-Panel\

For example:

application.audit.file-max-size-bytes: Maximum size of audit-events.txt before rotation (10485760 (10 MB) by default)
application.audit.purge-days: Number of days to retain rotated audit files (90 by default)

After saving your changes, restart the CAST-Imaging-Control-Panel Windows service for them to take effect.

Docker/Podman/Kubernetes

The settings are located inside the control-panel container (part of imaging-services) and need to be added to a docker-compose.override.yml located here:

/opt/cast/installation/imaging-viewer/

For example:

services:
    control-panel:
        environment:
          - AUDIT_FILE_MAX_SIZE_BYTES=10485760    # Maximum size of `audit-events.txt` before rotation (`10485760` (10 MB) by default)
          - AUDIT_FILE_PURGE_DAYS=90              # Number of days to retain rotated audit files (`90` by default)

Run the following to restart the imaging-services containers and ensure the parameters are taken into account:

$ cd /opt/cast/installation/imaging-viewer    # navigate to the required installation folder    
$ sudo docker compose down                    # stop the containers
$ sudo docker compose up -d                   # start the containers in detached mode
$ sudo docker ps                              # check containers are running