Audit Logging - Jitera

Jitera Self-Hosted records audit logs for security-relevant user and system actions. Logs are written in JSON format to a file inside the Sidekiq pod and can be forwarded to external storage via FluentBit.

Enabling Audit Logs

Audit logging is disabled by default. Enable it in your Helm values:

auditLogs:
  enabled: true

When enabled, a FluentBit sidecar is deployed alongside the Sidekiq container. The sidecar tails the audit log file and forwards entries to the configured output destinations.

Log Structure

Each audit log entry is a JSON object written to /var/log/audit.log inside the Sidekiq pod:

{
  "severity": "AUDIT_ENTERPRISE",
  "timestamp": "2024-10-20T12:00:00.000Z",
  "ip": "192.168.1.100",
  "browser": "Chrome",
  "browser_version": "118.0.5993.88",
  "os": "Mac OS X",
  "event": "signup",
  "user_id": "12345",
  "host": "app.example.com",
  "project_id": "67890",
  "resources": "{\"block_id\":\"123\",\"api_id\":\"456\"}"
}

Required Fields

Every log entry contains these fields:

Field	Type	Description
`event`	String	Event type from the predefined list
`user_id`	String	User ID who triggered the event
`timestamp`	DateTime	ISO 8601 timestamp

Optional Fields

Field	Type	Description
`severity`	String	Log severity (`AUDIT_ENTERPRISE`)
`ip`	String	Client IP address, or `Internal Service` for internal calls
`browser`	String	Browser name, or `Internal Service`
`browser_version`	String	Browser version
`os`	String	Operating system
`host`	String	Request host/domain
`project_id`	String	Project ID associated with the event
`details`	String	Additional event details
`resources`	String (JSON)	Affected resources (serialized JSON)

Event Types

The system tracks the following event categories. The complete list of events is defined in the application source code and may be updated across releases.

Authentication & User

Event	Description
`signup`	User registration
`login`	User login
`logout`	User logout
`sso`	Single Sign-On login
`sso_signup`	SSO registration
`user_settings_updated`	User settings changed
`user_password_changed`	Password changed
`user_mfa_enabled`	MFA enabled
`user_mfa_disabled`	MFA disabled
`user_mfa_verified`	MFA verification succeeded
`user_mfa_failed`	MFA verification failed

Integrations

Event	Description
`git_connected`	Git repository connected
`gitlab_connected`	GitLab connected
`gitlab_conn_failed`	GitLab connection failed

Project Operations

Event	Description
`project_created`	Project created
`project_deleted`	Project deleted
`project_member_invited`	Project member invited
`project_member_added`	Project member added
`git_project_imported`	Project imported from Git
`trigger_project_sync`	Project sync triggered
`trigger_project_import_page_explore`	Project import page exploration
`update_project_import_page`	Project import page updated
`configure_project_plugin`	Project plugin configured

Code Generation & Sync

Event	Description
`code_to_erd_trigger`	Code to ERD conversion
`code_to_natural_language_trigger`	Code to natural language conversion
`trigger_frontend_code_generate`	Frontend code generation
`trigger_api_sync`	API sync triggered
`trigger_business_logic_sync`	Business logic sync triggered

Business Logic & API

Event	Description
`business_logic_to_api`	Business logic added to API
`remove_business_logic_from_api`	Business logic removed from API
`create_new_api`	New API created

Documents

Event	Description
`docs_created`	Document created
`docs_updated`	Document updated
`docs_deleted`	Document deleted
`docs_moved`	Document moved
`docs_renamed`	Document renamed
`docs_folder_deleted`	Document folder deleted
`export_document`	Document exported
`export_folder`	Folder exported
`import_documents`	Documents imported
`triggered_translate`	Translation triggered
`ui_ux_document_trigger`	UI/UX document triggered
`trigger_document_sync`	Document sync triggered

Tickets & Testing

Event	Description
`create_ticket`	Ticket created
`update_ticket_use_cases`	Ticket use cases updated
`trigger_ticket_sync`	Ticket sync triggered
`generate_test_cases`	Test cases generated
`regenerate_test_cases`	Test cases regenerated
`generate_project_import_page_test_cases`	Project import page test cases generated
`delete_test`	Test deleted

UI/Screens

Event	Description
`create_screen_preview`	Screen preview created
`create_screen`	Screen created

Data Management

Event	Description
`create_table_definition`	Table definition created
`bulk_delete_block`	Bulk block deletion

Organization Management

Event	Description
`deactive_organization`	Organization deactivated
`organization_member_invited`	Organization member invited
`organization_member_added`	Organization member added
`organization_member_removed`	Organization member removed
`organization_owner_changed`	Organization owner changed
`organization_integration_configured`	Organization integration configured

Team Management

Event	Description
`team_created`	Team created
`team_updated`	Team updated
`team_deleted`	Team deleted
`team_member_invited`	Team member invited
`team_member_added`	Team member added
`team_member_removed`	Team member removed
`add_members_to_team`	Members added to team

LLM & AI

Event	Description
`create_llm`	LLM created
`update_llm`	LLM updated
`delete_llm`	LLM deleted
`organization_llm_available_updated`	Organization LLM availability updated
`default_company_model_changed`	Default company model changed

Agents & MCP

Event	Description
`agent_created`	Agent created
`agent_updated`	Agent updated
`agent_deleted`	Agent deleted
`agent_model_changed`	Agent model changed
`agent_context_updated`	Agent context updated
`thread_created`	Thread created
`thread_message_sent`	Thread message sent
`subthread_created`	Subthread created
`mcp_server_configured`	MCP server configured
`mcp_tool_registered`	MCP tool registered
`mcp_tool_unregistered`	MCP tool unregistered

Apps

Event	Description
`apps_installed`	App installed
`apps_uninstalled`	App uninstalled
`apps_configured`	App configured
`apps_trigger_register`	App trigger registered

API Keys & Feature Management

Event	Description
`create_api_key`	API key created
`revoke_api_key`	API key revoked
`update_feature_toggle`	Feature toggle updated
`export_token_usage_csv`	Token usage CSV exported

Billing & Subscriptions

Event	Description
`subscription_checkout`	Subscription checkout
`subscription_upgraded`	Subscription upgraded
`subscription_canceled`	Subscription canceled
`subscription_payment_failed`	Subscription payment failed
`seat_quantity_changed`	Seat quantity changed
`billing_portal_accessed`	Billing portal accessed
`plan_config_created`	Plan config created
`plan_config_updated`	Plan config updated

Admin Operations

Event	Description
`admin_organization_activate`	Admin activated organization
`admin_organization_deactivate`	Admin deactivated organization
`admin_organization_create`	Admin created organization
`admin_user_activate`	Admin activated user
`admin_user_deactivate`	Admin deactivated user
`admin_user_delete`	Admin deleted user

Log Forwarding

FluentBit collects audit logs from the Sidekiq pod and forwards them to one or more external destinations. All output destinations are disabled by default.

AWS S3

auditLogs:
  enabled: true
  outputs:
    awsS3:
      enabled: true
      env:
        AWS_REGION: "ap-northeast-1"
        AWS_BUCKET: "your-audit-logs-bucket"

The AWS S3 output uses the same AWS credentials configured in storage.secret.aws. Logs are stored with the key format /%Y/%m/%d.log.

Azure Data Explorer

Forwarding audit logs to Azure Data Explorer (ADX / Kusto) requires Azure-side resources that must exist before the FluentBit sidecar starts. Configuring only the Helm values produces a deployment that looks healthy — the sidecar runs and ingestion calls succeed — but no usable rows appear in the table until every prerequisite below is in place.

ADX is a paid Azure service that bills hourly even when idle. Confirm the cost before enabling — see the Azure Data Explorer pricing page.

Prerequisites

The following must exist on the Azure side before enabling the output. Treat the commands below as examples — refer to the linked Azure documentation for the authoritative procedure for each resource.

Kusto cluster

Provision an Azure Data Explorer cluster. See Create an Azure Data Explorer cluster.

Database

Create a database inside the cluster. The database name is used in AZURE_DATA_EXPLORER_DB_NAME.

Table with the audit-log schema

Run the following KQL inside the database. Column names and types must match exactly — wrong types cause FluentBit to silently drop rows.

.create-merge table audit_logs (
  severity:        string,
  timestamp:       datetime,
  ip:              string,
  browser:         string,
  browser_version: string,
  os:              string,
  event:           string,
  user_id:         string,
  host:            string,
  project_id:      string,
  details:         string,
  resources:       string
)

JSON ingestion mapping

Create an ingestion mapping that tells Kusto how to extract each column from the incoming FluentBit payload. The mapping name is used in AZURE_INGESTION_MAPPING_REFERENCE.

.create-or-alter table audit_logs ingestion json mapping 'audit_logs_mapping'
'['
'{"column":"severity",        "Properties":{"Path":"$.log.severity"}},'
'{"column":"timestamp",       "Properties":{"Path":"$.log.timestamp"}},'
'{"column":"ip",              "Properties":{"Path":"$.log.ip"}},'
'{"column":"browser",         "Properties":{"Path":"$.log.browser"}},'
'{"column":"browser_version", "Properties":{"Path":"$.log.browser_version"}},'
'{"column":"os",              "Properties":{"Path":"$.log.os"}},'
'{"column":"event",           "Properties":{"Path":"$.log.event"}},'
'{"column":"user_id",         "Properties":{"Path":"$.log.user_id"}},'
'{"column":"host",            "Properties":{"Path":"$.log.host"}},'
'{"column":"project_id",      "Properties":{"Path":"$.log.project_id"}},'
'{"column":"details",         "Properties":{"Path":"$.log.details"}},'
'{"column":"resources",       "Properties":{"Path":"$.log.resources"}}'
']'

Paths must start with $.log. (not $.). The Jitera chart’s FluentBit output block sets Log_Key log, which wraps each parsed record under a top-level log key before sending it to Kusto. A mapping that uses $.severity, $.ip, and so on will accept the rows, but every column except timestamp will be empty — with no error in FluentBit logs or in Kusto.

Enable streaming ingestion (recommended)

Without streaming ingestion, rows are batched on a multi-minute schedule. For near-real-time audit visibility, enable the policy on the table:

.alter table audit_logs policy streamingingestion enable

Streaming ingestion must also be enabled at the cluster level. See Streaming ingestion policy.

Entra ID application and database role

Create an Entra ID app registration with a client secret, then grant its service principal the Ingestor role on the database. Database User is not sufficient — Kusto’s ingestion path requires Ingestor specifically.

.add database <db-name> ingestors ('aadapp=<client-id>;<tenant-id>') 'Jitera audit ingestion'

See Manage database security roles for the authoritative procedure.

If your Kusto cluster restricts public network access, add the egress IP of the Kubernetes cluster running Jitera (typically the NAT Gateway public IP) to the cluster’s allowed sources.

Helm values

Once the prerequisites are in place, enable the output:

auditLogs:
  enabled: true
  outputs:
    azureDataExplorer:
      enabled: true
      env:
        # Entra ID tenant of the Kusto cluster.
        # NOTE: The key is misspelled "TANANT" in the current chart — keep it
        # as-is until the chart accepts AZURE_TENANT_ID.
        AZURE_TANANT_ID: "<TENANT_ID>"

        # Use the **ingestion** URI with the `ingest-` prefix —
        # not the query URI shown under "URI" in the Azure portal.
        AZURE_INGESTION_ENDPOINT: "https://ingest-<cluster>.<region>.kusto.windows.net"

        AZURE_DATA_EXPLORER_DB_NAME:       "<DATABASE_NAME>"
        AZURE_INGESTION_TABLE:             "audit_logs"
        AZURE_INGESTION_MAPPING_REFERENCE: "audit_logs_mapping"

        AZURE_DATA_EXPLORER_CLIENT_ID:     "<ENTRA_APP_CLIENT_ID>"
        AZURE_DATA_EXPLORER_CLIENT_SECRET: "<ENTRA_APP_CLIENT_SECRET>"

AZURE_INGESTION_ENDPOINT must use the ingest- prefix — https://ingest-<cluster>.<region>.kusto.windows.net. The query URI shown under “URI” in the Azure portal (without ingest-) returns HTTP 404 from the ingestion API.

The environment variable name AZURE_TANANT_ID is a known misspelling in the Helm chart. Keep this spelling in your values file until the chart is updated; using AZURE_TENANT_ID will leave the FluentBit output unconfigured and silently disable ingestion.

Verifying ingestion

After deploying, confirm rows are arriving:

audit_logs
| take 10
| project timestamp, event, user_id, ip, host

If timestamp is populated but every other column is empty, the ingestion mapping is using $.<field> paths instead of $.log.<field> — re-create the mapping with the corrected paths from the JSON ingestion mapping step above. For FluentBit-side diagnosis:

kubectl -n <namespace> logs <sidekiq-pod> -c fluentbit | grep -i kusto

Reference: FluentBit Azure Kusto output.

Azure Blob Storage

auditLogs:
  enabled: true
  outputs:
    azureBlob:
      enabled: true
      env:
        AZURE_STORAGE_ACCOUNT_NAME: "<STORAGE_ACCOUNT_NAME>"
        AZURE_BLOB_KEY: "<STORAGE_KEY>"
        AZURE_BLOB_CONTAINER: "<CONTAINER_NAME>"

You can enable multiple output destinations simultaneously. For example, you can forward audit logs to both AWS S3 and Azure Data Explorer at the same time.

How It Works

Event trigger - GraphQL mutations or controllers call the audit logging helper
Job queuing - The event is queued to a Sidekiq background job
Processing - The job extracts user agent and IP details from the request context
Validation - Required fields (event, user_id, timestamp) are validated
Logging - A JSON entry is appended to /var/log/audit.log inside the Sidekiq pod
Collection - The FluentBit sidecar tails the log file
Filtering - FluentBit extracts the event field for dynamic tagging
Forwarding - Logs are forwarded to the configured output destinations

Example Log Entries

User signup event

{
  "severity": "AUDIT_ENTERPRISE",
  "timestamp": "2024-10-20T10:30:00.000Z",
  "ip": "203.0.113.45",
  "browser": "Chrome",
  "browser_version": "120.0.0.0",
  "os": "Windows",
  "event": "signup",
  "user_id": "usr_abc123",
  "host": "app.example.com"
}

Code generation event

{
  "severity": "AUDIT_ENTERPRISE",
  "timestamp": "2024-10-20T11:45:00.000Z",
  "ip": "198.51.100.200",
  "browser": "Firefox",
  "browser_version": "119.0",
  "os": "Mac OS X",
  "event": "trigger_frontend_code_generate",
  "user_id": "usr_xyz789",
  "host": "app.example.com",
  "project_id": "proj_123456",
  "resources": "{\"block_id\":\"blk_789\",\"component_type\":\"button\"}"
}

Internal service event

{
  "severity": "AUDIT_ENTERPRISE",
  "timestamp": "2024-10-20T12:00:00.000Z",
  "ip": "Internal Service",
  "browser": "Internal Service",
  "browser_version": "Internal Service",
  "os": "Internal Service",
  "event": "trigger_business_logic_sync",
  "user_id": "usr_def456",
  "project_id": "proj_789012"
}

Release Notes

Documentation Index

​Enabling Audit Logs

​Log Structure

​Required Fields

​Optional Fields

​Event Types

​Authentication & User

​Integrations

​Project Operations

​Code Generation & Sync

​Business Logic & API

​Documents

​Tickets & Testing

​UI/Screens

​Data Management

​Organization Management

​Team Management

​LLM & AI

​Agents & MCP

​Apps

​API Keys & Feature Management

​Billing & Subscriptions

​Admin Operations

​Log Forwarding

​AWS S3

​Azure Data Explorer

​Prerequisites

​Helm values

​Verifying ingestion

​Azure Blob Storage

​How It Works

​Example Log Entries

Enabling Audit Logs

Log Structure

Required Fields

Optional Fields

Event Types

Authentication & User

Integrations

Project Operations

Code Generation & Sync

Business Logic & API

Documents

Tickets & Testing

UI/Screens

Data Management

Organization Management

Team Management

LLM & AI

Agents & MCP

Apps

API Keys & Feature Management

Billing & Subscriptions

Admin Operations

Log Forwarding

AWS S3

Azure Data Explorer

Prerequisites

Helm values

Verifying ingestion

Azure Blob Storage

How It Works

Example Log Entries