Recipe: Event-Sourced Audit Log
This recipe records everything that happens as an immutable, queryable event stream. Events flow through a queue for ordering and buffering, land in a timeseries store keyed by time, and a document renders human-readable audit reports from the same data. Append-only in, time-ordered out.
The problem it solves
“Who did what, when?” is a question every serious system has to answer, and the worst time to discover you cannot is during an incident or an audit. Sprinkling log statements around does not give you an ordered, queryable, retention-managed record. This recipe makes the audit trail a deliberate pipeline: every event is captured, time-stamped, and kept exactly as long as you decide.
Elements
| Element | Role |
|---|---|
queue | Orders and buffers the incoming event stream. |
timeseries | Append-only, time-keyed store of every event. |
document | Renders human-readable audit reports from the stored events. |
Flow
- Create a
queueas the ingest point. As things happen across your circle,publishan event to the queue; it orders and buffers them so a burst of activity never drops or reorders the record. Watch depth withqueue_stats. - Create a
timeseriesstore. As events drain from the queue,inserteach one keyed by its timestamp — this is your append-only log. - Query the history. Use
rangefor the raw events in a window (the audit detail),queryfor an aggregated view (“how many of event X per hour”), anddownsampleto roll older data into coarser buckets. - Set how long the record lives with the timeseries
retentionoperation — your compliance window, declared once, enforced automatically. - Produce reports with a
document:writea page that summarizes a query result, thenrenderit to HTML for a readable, shareable audit report.
What this shows
The two halves of an audit trail want different stores, and this recipe uses the right one for each: the queue guarantees ordered, lossless ingest, and the timeseries element is purpose-built for append-only, time-keyed data with range/query/downsample access and a real retention policy — so the log is queryable and bounded, not an ever-growing text file. Rendering reports from a document over the same data means the human view and the machine record never diverge. The whole trail is event-sourced: you never mutate history, you only append to it and read it back.