TL;DR
Audit logging tracks who changed what data and when. These prompts help you implement audit trails using database triggers, application-level logging, or ORM middleware. Essential for compliance, debugging, and security incident investigation.
Database Trigger Approach
Create PostgreSQL audit triggers for my tables.
Tables to audit: users, posts, payments
Audit log should capture:
- Table name
- Operation (INSERT, UPDATE, DELETE)
- Old values (for UPDATE/DELETE)
- New values (for INSERT/UPDATE)
- User who made the change
- Timestamp
- Client IP if available
Create:
- audit_log table schema
- Generic trigger function that works for any table
- Trigger creation for each table
- Helper function to query audit history
Store old/new values as JSONB for flexibility. Include indexes for common queries (by table, by user, by time).
Application-Level Audit
Add audit logging at the application level.
ORM: Prisma/Sequelize/TypeORM/Drizzle
Create middleware/hooks that:
- Intercept all write operations
- Capture before/after state
- Log the authenticated user
- Include request context (IP, user agent)
- Write to audit table or external service
For Prisma specifically:
- Use middleware or Prisma Client extensions
- Handle nested writes correctly
- Capture the user from request context
Output format should include:
- Entity type and ID
- Action performed
- Changed fields only (not entire record)
- Actor information
- Timestamp with timezone
Soft Delete with History
Implement soft delete with full history tracking.
Instead of deleting records:
- Add deletedAt timestamp column
- Add deletedBy user reference
- Filter out deleted records by default
- Allow admins to view deleted records
- Implement restore functionality
Also create a history table pattern:
- users_history stores all versions
- Each update creates a new history row
- Can reconstruct state at any point in time
Include:
- Migration to add soft delete columns
- Query helpers to include/exclude deleted
- History table schema and triggers
- Restore function
Audit logs should be immutable: Never allow UPDATE or DELETE on audit tables. Use separate credentials with INSERT-only permissions for the audit connection.
Compliance-Ready Audit
Create audit logging suitable for compliance requirements.
Compliance needs: SOC2/HIPAA/GDPR/PCI-DSS
Requirements:
- All access to sensitive data is logged
- Logs cannot be modified or deleted
- Logs are retained for required period
- Can demonstrate who accessed what
- Failed access attempts are logged
Implement:
- Read access logging (not just writes)
- Login/logout audit trail
- Permission change logging
- Data export/download logging
- Failed authentication attempts
Include:
- Log retention policy
- Log integrity verification (checksums)
- Secure log storage recommendations
- Sample compliance report queries
Pro tip: Consider using a separate database or external service for audit logs. This prevents audit logs from being deleted if the main database is compromised and improves query performance.
Should I audit all tables or just sensitive ones?
Start with sensitive data (users, payments, permissions). Auditing everything creates storage and performance overhead. Add more tables based on compliance requirements or incident needs.
How long should I keep audit logs?
Depends on compliance requirements. SOC2 typically requires 1 year, HIPAA requires 6 years, financial regulations may require 7 years. When in doubt, keep them longer.