Audit Logs

Locktera records audit events for all container operations. Audit metadata is cryptographically associated with the container, ensuring audit records remain reliable and verifiable.

Audit logs provide a complete record of access attempts, including successful access and denied access. These logs support compliance, monitoring, and forensic analysis.

Audit logging is automatic and cannot be disabled. Audit events are generated before access is granted or denied, ensuring a complete and reliable record of all access attempts.

What Is Logged

Locktera records audit events for operations such as:

• Container creation
• Container access attempts
• Successful container decoding
• Denied access attempts
• Access policy changes
• Container deletion

Each audit event is associated with a specific container_id.

Audit Event Data

Audit events include information such as:

• Container ID
• User identity
• Timestamp
• Operation performed
• Access result (allowed or denied)
• Request origin (IP address, when available)

Example audit event:

{
    "id": "123e4567-e89b-12d3-a456-426614174002",
    "org_id": "123e4567-e89b-12d3-a456-426614174000",
    "container_id": "123e4567-e89b-12d3-a456-426614174001",
    "creator_ip": "192.168.0.1",
    "user": "jane.doe@example.com",
    "created_date": "2026-01-01T15:00:00.000Z",
    "action": "container.load"
}

Example denied access event:

{
    "id": "123e4567-e89b-12d3-a456-426614174002",
    "org_id": "123e4567-e89b-12d3-a456-426614174000",
    "container_id": "123e4567-e89b-12d3-a456-426614174001",
    "creator_ip": "192.168.0.127",
    "user": "john.doe@example.com",
    "created_date": "2026-01-02T15:00:00.000Z",
    "action": "drm.fail"
}

Common event_type values include:

container.create
container.load
object.load
drm.fail
container.changeDrm

Retrieving Audit Logs

Audit logs can be retrieved using the audit endpoint:

GET /users/{user_id}/containers/{container_id}/events

Example request:

curl -X GET $BASE_URL/users/YOUR_USER_ID/containers/CONTAINER_ID/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Example response:

[
  {
    "id": "123e4567-e89b-12d3-a456-426614174002",
    "action": "container.create",
    "user": "user@company.com",
    "timestamp": "2026-02-19T18:42:00Z"
  },
  {
    "event_id": "123e4567-e89b-12d3-a456-426614174003",
    "event_type": "drm.fail",
    "user": "unauthorized.user@company.com"
    "timestamp": "2026-02-19T18:45:00Z"
  }
]

When Audit Events Are Created

An audit event is created whenever:

• A container is created
• A container is accessed
• A container decode is attempted
• Access is denied
• Access policies are modified
• A container is deleted

Audit events are created regardless of whether access is allowed or denied.

Audit Log Security

Audit logs are protected and cannot be modified through the API.

They provide a reliable record of container activity. Audit events are append-only and cannot be modified or deleted.

Audit logs can be used for:

• Compliance reporting
• Security monitoring
• Incident investigation
• Access verification

Summary

Audit logs provide a complete record of container activity.

They record:

• Who accessed a container
• When access occurred
• What action was performed
• Whether access was allowed or denied

Audit logs enable monitoring, compliance, and forensic analysis of container access.