Hydrate Enterprise audit log
Hydrate Enterprise writes an append-only audit stream from the self-hosted Sync Hub. The log is designed for security review, incident response, and change accountability inside the customer’s perimeter.
The Sync Hub is the system of record. Exports to a SIEM are push-style copies of the same event stream.
Schema
Example event:
{
"event_id": "01JZ6Y8T9G9P0J6EQW8X8M5N7D",
"timestamp_utc": "2026-05-17T08:42:13.481Z",
"actor_user_id": "usr_01JZ6Y73D6P2C3Q9P4K6V1V2AB",
"actor_email": "[email protected]",
"actor_workstation_id": "wkstn-mbp-145",
"event_type": "canon.pin",
"target_kind": "canon",
"target_id": "canon_01JZ6Y7Y1NT27Z19WV9E3YJ5Y7",
"project_slug": "payments-api",
"before": {
"pinned": false
},
"after": {
"pinned": true
},
"ip_address": "10.44.18.23",
"user_agent": "hydrate/1.0.0 darwin-arm64",
"sync_hub_node_id": "hub-prod-eu-west-1a",
"hmac_signature": "hmac-sha256-v1:2026-05-17:5b982a0d7f7a0c7b6a0a1d6d7d3f8c8c0b6a9d5c8d8e2b9c0f1a2b3c4d5e6f7a"
}| Field | Description |
|---|---|
event_id | ULID generated by the Sync Hub for this audit event. |
timestamp_utc | ISO-8601 UTC timestamp written by the Sync Hub. |
actor_user_id | Stable Hydrate user ID for the authenticated actor. |
actor_email | Human-readable actor email from SSO or local enterprise identity. |
actor_workstation_id | Customer-controlled workstation identifier reported by the Hydrate client. |
event_type | Event enum value from the catalogue below. |
target_kind | Logical object type: canon, fact, project, or sync. |
target_id | Stable ID of the target object, where applicable. |
project_slug | Customer project namespace affected by the event. |
before | JSON snapshot of relevant fields before the change, or null for create/read events. |
after | JSON snapshot of relevant fields after the change, or null for delete/read events. |
ip_address | Source IP as seen by the Sync Hub or trusted reverse proxy. |
user_agent | Hydrate client or administrative client identifier. |
sync_hub_node_id | Customer-assigned node ID that wrote the event. |
hmac_signature | Versioned HMAC-SHA256 signature over the canonical event payload. |
Event-type catalogue
Canon events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
canon.add | A user creates a new canon item. | Actor, project, canon ID, content metadata, and initial state. | Project admins, security auditors, and users with project audit permission. |
canon.remove | A user removes a canon item. | Actor, project, canon ID, and removed state. | Project admins, security auditors, and users with project audit permission. |
canon.edit | A user edits canon text or metadata. | Actor, project, canon ID, before and after snapshots. | Project admins, security auditors, and users with project audit permission. |
canon.pin | A user pins canon as high-priority context. | Actor, project, canon ID, and pinned state transition. | Project admins, security auditors, and users with project audit permission. |
canon.unpin | A user removes pinned status from canon. | Actor, project, canon ID, and pinned state transition. | Project admins, security auditors, and users with project audit permission. |
Fact events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
fact.add | A fact is created by extraction, import, or manual entry. | Actor or system source, project, fact ID, category, and initial text metadata. | Project admins, security auditors, and users with project audit permission. |
fact.remove | A fact is deleted or forgotten. | Actor, project, fact ID, and removed state. | Project admins, security auditors, and users with project audit permission. |
fact.edit | A fact is manually corrected or reclassified. | Actor, project, fact ID, before and after snapshots. | Project admins, security auditors, and users with project audit permission. |
fact.merge | Two or more facts are merged into one canonical fact. | Actor, project, source fact IDs, resulting fact ID, and merge rationale when provided. | Project admins, security auditors, and users with project audit permission. |
fact.export | A user exports facts from a project. | Actor, project, export format, row count, and destination class. | Project admins, security auditors, and users with project audit permission. |
Project events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
project.create | An admin creates a project namespace. | Actor, project slug, project ID, and initial policy settings. | Organization admins and security auditors. |
project.delete | An admin deletes or archives a project. | Actor, project slug, project ID, and deletion mode. | Organization admins and security auditors. |
project.invite | An admin invites a user or group to a project. | Actor, invited identity, role, project slug, and invite state. | Organization admins, project admins, and security auditors. |
project.revoke | An admin revokes project access. | Actor, removed identity, previous role, and project slug. | Organization admins, project admins, and security auditors. |
Sync events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
sync.push | A workstation pushes local changes to the Sync Hub. | Actor, workstation ID, project, object counts, and commit/checkpoint IDs. | Project admins, security auditors, and the actor. |
sync.pull | A workstation pulls changes from the Sync Hub. | Actor, workstation ID, project, object counts, and checkpoint IDs. | Project admins, security auditors, and the actor. |
sync.conflict_resolved | A user or policy resolves a sync conflict. | Actor or policy, project, conflicting IDs, chosen value, and discarded value metadata. | Project admins, security auditors, and affected contributors. |
Authentication events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
auth.login | A user successfully authenticates to the Sync Hub. | Actor, SSO subject, IP, user agent, and auth method. | Organization admins and security auditors. |
auth.logout | A user explicitly logs out or a session is ended. | Actor, session ID, IP, and user agent. | Organization admins and security auditors. |
auth.token_issued | A Sync Hub token or workstation token is issued. | Actor, token class, workstation ID when applicable, and expiry. | Organization admins and security auditors. |
auth.token_revoked | A token is revoked by a user, admin, or policy. | Actor, token class, revocation reason, and previous expiry. | Organization admins and security auditors. |
Administrative events
| Event type | When it fires | What it records | Who can see it |
|---|---|---|---|
admin.config_change | An admin changes Sync Hub configuration. | Actor, changed keys, previous values when safe, and new values when safe. | Organization admins and security auditors. |
admin.retention_policy_change | An admin changes audit or data retention. | Actor, project, previous retention period, and new retention period. | Organization admins and security auditors. |
admin.user_role_change | An admin changes a user’s organization or project role. | Actor, target user, previous role, new role, and scope. | Organization admins and security auditors. |
Tamper-evidence
Each audit event is signed with HMAC-SHA256 using a per-day rotating key held by the Sync Hub. The signature covers a canonical JSON serialization of every field except hmac_signature.
The signature format is:
hmac-sha256-v1:<yyyy-mm-dd>:<hex signature>The Sync Hub keeps active signing keys for the current day and verification keys for the retention window. A downstream SIEM can verify received events with the exported verification key material or by calling a customer-local verification endpoint. If an event is edited, reordered into an invalid chain, or replayed with a mismatched payload, verification fails.
Customers that need stronger evidence can enable chained signing, where each event includes the previous event’s signature in the HMAC input. Chained signing makes deletion or reordering detectable during batch export verification.
Retention
Default retention on the Sync Hub is 90 days.
Retention is configurable per project:
hydrate admin retention set <project> <days>The Sync Hub enforces retention on its local audit database. SIEM export is push-style and may retain copies longer according to the customer’s SIEM policy.
Right-to-erasure requests under GDPR or CCPA purge actor PII fields (actor_email, SSO subject metadata, and workstation labels where they identify a person) and replace them with a tombstone marker. Hydrate preserves event_id, timestamp_utc, event_type, target_kind, target_id, project_slug, and non-identifying integrity metadata so the audit trail remains coherent.
Export formats
| Format | Use case | Integrity |
|---|---|---|
| syslog RFC 5424 over TLS | SIEM ingestion for Splunk, Sentinel, QRadar, and syslog collectors. | Event-level HMAC signature included as structured data. |
| JSON over HTTPS POST | Customer-owned webhook ingestion. | HMAC-signed request body plus per-event HMAC signatures. |
| Splunk HTTP Event Collector | Direct Splunk ingestion. | Event body wrapped in Splunk event format with Hydrate fields preserved. |
| S3 batch dump | Hourly archival export to customer object storage. | AES-256-GCM encrypted archive delivered through a signed URL or customer bucket credentials. |
What this is NOT
Hydrate audit logging is not a real-time analytics surface. Queries hit the Sync Hub’s audit database, not a streaming analytics pipeline.
Hydrate audit logging is not encrypted at rest by default on the Sync Hub. It relies on customer disk encryption such as LUKS, BitLocker, FileVault, or cloud-provider volume encryption unless --encrypt-at-rest is enabled. Enabling Sync Hub application-layer encryption at rest adds approximately 5-8% write latency.
Hydrate audit logging is not a SIEM replacement. It is the source event stream for Hydrate activity and should be paired with the customer’s existing SIEM, alerting, case management, and retention tooling.