Skip to content

feat: scheduled audit log cleanup with configurable retention period #539

Open
Open
feat: scheduled audit log cleanup with configurable retention period#539
Labels
enhancementNew feature or requestv2Authorizer v2 roadmap
@lakhansamani

Description

@lakhansamani
lakhansamani
opened on Apr 3, 2026

Problem

Audit logs accumulate over time and need a retention policy. Without automated cleanup, the audit log table will grow unbounded, impacting storage costs and query performance.

Proposed Solution

Add a scheduled audit log cleanup that:

  1. New CLI flag: --audit-log-retention-period (duration string, default 8760h = 1 year)

    • PCI DSS requires at least 12 months of audit log history, so 1 year is the safe default
    • Set to 0 to disable cleanup (retain forever)
    • Examples: 8760h (1 year), 2160h (90 days), 720h (30 days)

  2. Background scheduler: Periodically runs DeleteAuditLogsBefore(now - retentionPeriod)

    • Recommended interval: once per day (configurable via --audit-log-cleanup-interval, default 24h)
    • Runs as a goroutine within the server process (no external cron needed)
    • Logs the number of deleted entries at Info level

  3. Storage method: DeleteAuditLogsBefore(ctx, before int64) already exists in all 13+ DB providers

Implementation Notes

Config changes (internal/config/)

AuditLogRetentionPeriod  time.Duration // default 8760h (1 year)
AuditLogCleanupInterval  time.Duration // default 24h

CLI flags (cmd/root.go)

--audit-log-retention-period  Duration after which audit logs are deleted (default: 8760h)
--audit-log-cleanup-interval  How often the cleanup runs (default: 24h)

Scheduler (internal/scheduler/ or within server startup)

  • Use time.Ticker for periodic execution
  • Call StorageProvider.DeleteAuditLogsBefore(ctx, time.Now().Add(-retentionPeriod).Unix())
  • Graceful shutdown via context cancellation

Compliance notes

  • PCI DSS 10.7: Retain audit trail history for at least 12 months
  • SOC 2: Typically requires 1 year retention
  • HIPAA: 6 years for certain records, but 1 year for audit logs is standard
  • Default of 1 year satisfies PCI DSS and SOC 2 out of the box

Test plan

  • Unit test for scheduler start/stop lifecycle
  • Integration test: create old logs, run cleanup, verify deletion
  • Test with retention period 0 (disabled) — no logs should be deleted
  • Test CLI flag parsing for duration values

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestv2Authorizer v2 roadmap

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions