# Configure audit logging

Wallet-as-a-Service (Palisade) can stream all organization activity to an **AWS Data Firehose** delivery stream for compliance reporting, incident investigation, and access review. As an owner or administrator, you configure the Firehose connection and manage audit log delivery. AWS Firehose is currently the only supported delivery target; customers on other clouds must ingest from Firehose into their own platform.

## What audit logs capture

Audit logs record every action in your organization, including:

- All API calls with request and response details
- User actions in the web console (sign-ins, setting changes, approvals)
- Transaction lifecycle events (creation, policy checks, approvals, signing, confirmation)
- Administrative actions (user management, device management, quorum operations)
- Timestamps and the identity of the user or API credential that performed each action


## How it works

Palisade streams audit log events to an **AWS Data Firehose delivery stream** in your AWS account. From there, you route the logs to your preferred destination:

- **Amazon S3** — for long-term storage and compliance archiving
- **Splunk, Datadog, or another SIEM** — for real-time monitoring and alerting
- **Amazon Redshift or Elasticsearch** — for search and analysis


Palisade buffers logs and delivers them approximately every 15 seconds.

## Prerequisites

Before you begin, set up the following in your AWS account:

- An **AWS Data Firehose delivery stream** configured with your preferred destination (S3, Splunk, etc.)
- An **IAM role** that Palisade can assume to write to the Firehose stream


## Configure the Firehose connection

1. Go to **Settings** > **Audit logs**.
2. Enter the **stream name** — the exact name of your Firehose delivery stream (up to 64 characters).
3. Enter the **ARN ID** — the IAM role ARN that Palisade assumes to write to Firehose.
4. Select the **AWS region** that contains your Firehose stream.
5. Select **Save**.


### IAM role setup

Create an IAM role with:

- A **trust policy** that allows Palisade's AWS account to assume the role.
- A **permission policy** that grants `firehose:PutRecord` and `firehose:PutRecordBatch` on your delivery stream.


See [Firehose audit logging](/products/wallet/changelogs/audit-logging-via-firehose) for the full IAM trust and permission policy JSON, including the Palisade AWS account IDs.
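A least-privilege check for the two policy documents described above, as an added example that is not Palisade's own code. The account IDs, region, stream name and trusted principal are constructed placeholders; take the real Palisade principal from the linked reference.

```python
# Added example: lint the audit-log role's policy documents for least privilege.
# Account IDs, region, stream name and principal are constructed placeholders.
ALLOWED_ACTIONS = {"firehose:putrecord", "firehose:putrecordbatch"}
STREAM_ARN = "arn:aws:firehose:us-east-1:111122223333:deliverystream/palisade-audit"
TRUSTED = {"arn:aws:iam::999999999999:root"}  # placeholder principal

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts string or list

def check_permission_policy(policy, stream_arn):
    """Findings for a policy that should allow only the two write actions on one stream."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource in an Allow statement")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:  # IAM action names are case-insensitive
                findings.append(f"unexpected action: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != stream_arn:
                findings.append(f"resource not scoped to the stream: {resource}")
    return findings

def check_trust_policy(policy, trusted_principals):
    """Findings for a trust policy that should let only the listed principals assume the role."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("any principal can assume the role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind != "AWS" or value not in trusted_principals:
                    findings.append(f"unexpected trusted principal: {kind}={value}")
    return findings

SCOPED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["firehose:PutRecord", "firehose:PutRecordBatch"], "Resource": STREAM_ARN}]}
BROAD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "firehose:*", "Resource": "*"}]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
```

An empty findings list means the document matches the scope described in this section; run both checks on the role before you enter its ARN in the console.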

## Enable and disable audit logging

After you configure the Firehose connection, enable audit logging to start streaming:

1. Go to **Settings** > **Audit logs**.
2. Select **Enable**.


To temporarily stop streaming, select **Disable**. Palisade preserves the configuration so you can re-enable it at any time.

## Log structure

Each audit log entry is a JSON object containing:

- **Event metadata** — timestamp, event type, request ID
- **Actor information** — user ID or API credential ID that performed the action
- **Request details** — HTTP method, path, request body
- **Response details** — status code, response body
- **Resource information** — the affected resource (wallet, transaction, user, etc.)


See [Firehose audit logging](/products/wallet/changelogs/audit-logging-via-firehose) for the full log schema and example payloads.

## Best practices

- **Route logs to a SIEM** — tools like Splunk, Datadog, or Elastic SIEM let you search, alert on, and visualize audit events in real time.
- **Set retention policies** — configure retention on your Firehose destination (S3 lifecycle rules, Splunk index policies) to meet your compliance requirements.
- **Monitor Firehose delivery** — use AWS CloudWatch metrics for your Firehose stream to detect delivery failures or throttling.
- **Use audit logs for access reviews** — periodically review who is accessing what, which credentials are active, and whether access patterns match expectations.
- **Correlate with freeze and approval events** — cross-reference audit logs with [transaction freeze](/products/wallet/admin-guide/configure-transaction-freeze) and [approval flow](/products/wallet/admin-guide/configure-approval-flows) activity for complete compliance reporting.
- **Separate sandbox and production** — use different Firehose streams and destinations for each environment.


## Limitations

- Palisade delivers audit logs with a small buffer delay (approximately 15 seconds). They aren't suitable for real-time blocking or inline security decisions.
- Log delivery depends on your Firehose stream being available. If AWS throttles the stream or the stream becomes unavailable, Palisade buffers logs and retries delivery.


## Related guides

- [Firehose audit logging](/products/wallet/changelogs/audit-logging-via-firehose) — Full technical reference with IAM policies, log schema, and example payloads
- [Configure backup and recovery](/products/wallet/admin-guide/configure-backup-and-recovery) — Set up AWS infrastructure for backups (similar IAM patterns)