Audit & Compliance
Concourse logs security-relevant events to a separate audit database for SOC 2 Type II compliance.
What gets logged
Section titled “What gets logged”| Action | Description |
|---|---|
login | Successful login |
login_failed | Failed login attempt |
permission_denied | Unauthorized access attempt |
user.created | User created |
user.updated | User role changed |
user.deleted | User deleted |
board.created | Board created |
workspace.created | Workspace created |
workspace_member.added | Member added to workspace |
relay.created | Relay registered |
agent.created | Agent created |
connection.query | SQL query executed via relay |
connection.introspect | Schema introspection via relay |
Each event includes: timestamp, actor (user ID, email, IP), action, resource type/ID, outcome, and request ID.
Separate audit database
Section titled “Separate audit database”The audit database is separate from the primary application database. This provides tamper resistance — application-level database access cannot modify audit records.
Default: file:///data/audit.db (SQLite on the same volume).
For production: consider using a remote Turso instance: AUDIT_DATABASE_URL=libsql://audit-db.turso.io
SIEM webhook integration
Section titled “SIEM webhook integration”Forward audit events to your SIEM or security monitoring system:
audit: webhook: enabled: true url: https://siem.example.com/api/events headers: Authorization: Bearer ${AUDIT_WEBHOOK_TOKEN} batch_size: 100 flush_interval_secs: 5 timeout_secs: 30Events are batched (default 100 events or 5 seconds, whichever comes first) and POSTed as JSON arrays. Webhook failures are logged but do not block request processing.
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape .label rect%2c%23mermaid-0 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-0_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M127.594%2c87L134.28%2c87C140.966%2c87%2c154.339%2c87%2c167.044%2c87C179.75%2c87%2c191.789%2c87%2c197.809%2c87L203.828%2c87' id='L_Handler_Emitter_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Handler_Emitter_0' data-points='W3sieCI6MTI3LjU5Mzc1LCJ5Ijo4N30seyJ4IjoxNjcuNzEwOTM3NSwieSI6ODd9LHsieCI6MjA3LjgyODEyNSwieSI6ODd9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M335.962%2c60L344.039%2c55.833C352.115%2c51.667%2c368.269%2c43.333%2c384.048%2c39.167C399.828%2c35%2c415.234%2c35%2c422.938%2c35L430.641%2c35' id='L_Emitter_SQLite_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Emitter_SQLite_0' data-points='W3sieCI6MzM1Ljk2MTgzODk0MjMwNzcsInkiOjYwfSx7IngiOjM4NC40MjE4NzUsInkiOjM1fSx7IngiOjQzNC42NDA2MjUsInkiOjM1fV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M335.962%2c114L344.039%2c118.167C352.115%2c122.333%2c368.269%2c130.667%2c379.845%2c134.833C391.422%2c139%2c398.422%2c139%2c401.922%2c139L405.422%2c139' id='L_Emitter_Webhook_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_Emitter_Webhook_0' data-points='W3sieCI6MzM1Ljk2MTgzODk0MjMwNzcsInkiOjExNH0seyJ4IjozODQuNDIxODc1LCJ5IjoxMzl9LHsieCI6NDA5LjQyMTg3NSwieSI6MTM5fV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel' transform='translate(167.7109375%2c 87)'%3e%3cg class='label' data-id='L_Handler_Emitter_0' transform='translate(-15.1171875%2c -12)'%3e%3cforeignObject width='30.234375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3cp%3eemit%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_Emitter_SQLite_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_Emitter_Webhook_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-Handler-0' transform='translate(67.796875%2c 87)'%3e%3crect class='basic label-container' style='' x='-59.796875' y='-27' width='119.59375' height='54'/%3e%3cg class='label' style='' transform='translate(-29.796875%2c -12)'%3e%3crect/%3e%3cforeignObject width='59.59375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eRequest%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Emitter-1' transform='translate(283.625%2c 87)'%3e%3crect class='basic label-container' style='' x='-75.796875' y='-27' width='151.59375' height='54'/%3e%3cg class='label' style='' transform='translate(-45.796875%2c -12)'%3e%3crect/%3e%3cforeignObject width='91.59375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eAudit Emitter%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-SQLite-3' transform='translate(530.4296875%2c 35)'%3e%3crect class='basic label-container' style='' x='-95.7890625' y='-27' width='191.578125' height='54'/%3e%3cg class='label' style='' transform='translate(-65.7890625%2c -12)'%3e%3crect/%3e%3cforeignObject width='131.578125' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eAudit DB (primary)%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-Webhook-5' transform='translate(530.4296875%2c 139)'%3e%3crect class='basic label-container' style='' x='-121.0078125' y='-27' width='242.015625' height='54'/%3e%3cg class='label' style='' transform='translate(-91.0078125%2c -12)'%3e%3crect/%3e%3cforeignObject width='182.015625' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eSIEM Webhook (optional)%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Client IP tracking
Section titled “Client IP tracking”Audit events record the client IP address. If Concourse is behind a reverse proxy, ensure the proxy sets X-Forwarded-For or X-Real-IP headers so the correct client IP is logged.