Search
The Audit Service provides full-text search over audit events using Elasticsearch. The AuditSearchService indexes events in Elasticsearch as AuditEventDocument objects and supports complex search queries with filters, facets, and highlighting.
Search Endpoint
Endpoint: POST /api/v1/audit/search
```bash
curl -X POST http://localhost:8086/api/v1/audit/search \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${TOKEN}" \
  -d '{
    "query": "dashboard.create",
    "tenantId": "550e8400-e29b-41d4-a716-446655440000",
    "eventTypes": ["CREATE", "UPDATE"],
    "resourceTypes": ["dashboard"],
    "startTime": "2026-02-01T00:00:00Z",
    "endTime": "2026-02-12T23:59:59Z",
    "page": 0,
    "size": 50
  }'
```

AuditSearchRequest Parameters
| Field | Type | Description |
|---|---|---|
| query | String | Free-text search query |
| tenantId | UUID | Filter by tenant |
| eventTypes | List | Filter by event types |
| actorIds | List | Filter by actor IDs |
| resourceTypes | List | Filter by resource types |
| severities | List | Filter by severity levels |
| startTime | Instant | Start of time range |
| endTime | Instant | End of time range |
| success | Boolean | Filter by success/failure |
| page | int | Page number (0-based) |
| size | int | Page size |
AuditSearchResponse Structure
```json
{
  "totalHits": 142,
  "page": 0,
  "size": 50,
  "events": [
    {
      "id": "770e8400-e29b-41d4-a716-446655440000",
      "tenantId": "550e8400-e29b-41d4-a716-446655440000",
      "eventType": "CREATE",
      "action": "dashboard.create",
      "actorEmail": "admin@acme.com",
      "resourceType": "dashboard",
      "resourceId": "dash-001",
      "severity": "INFO",
      "success": true,
      "createdAt": "2026-02-12T10:30:00Z"
    }
  ]
}
```

Elasticsearch Document Model
The AuditEventDocument is the Elasticsearch representation of an audit event. It is indexed with the following mappings:
| Field | ES Type | Analyzed |
|---|---|---|
| id | keyword | No |
| tenantId | keyword | No |
| eventType | keyword | No |
| action | text + keyword | Yes |
| actorEmail | text + keyword | Yes |
| resourceType | keyword | No |
| resourceId | keyword | No |
| resourceName | text | Yes |
| ipAddress | ip | No |
| correlationId | keyword | No |
| severity | keyword | No |
| errorMessage | text | Yes |
| createdAt | date | No |
| metadata | object | Yes |
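How the request parameters and the mapping table combine into an Elasticsearch Query DSL body, as an added example that is not the service's own code: keyword fields become exact-match filters and free text is matched only against the analyzed fields. The function name, the mandatory tenantId and the size cap of 100 are assumptions; actorIds and success are left out because the mapping table lists no field for them.

```python
import uuid

# Assumptions (not taken from the service): the size cap and the rule that
# tenantId is mandatory. 10000 is Elasticsearch's default index.max_result_window.
MAX_SIZE = 100
MAX_RESULT_WINDOW = 10_000

# Request list parameter -> keyword field, per the document-model table.
KEYWORD_FILTERS = {"eventTypes": "eventType", "resourceTypes": "resourceType",
                   "severities": "severity"}
# Analyzed (text) fields from the same table, searched by the free-text query.
TEXT_FIELDS = ["action", "actorEmail", "resourceName", "errorMessage"]


def build_search_body(req: dict) -> dict:
    """Translate an AuditSearchRequest-shaped dict into a Query DSL body."""
    # A missing or malformed tenantId raises ValueError: no cross-tenant search.
    tenant = str(uuid.UUID(str(req.get("tenantId"))))
    page, size = int(req.get("page", 0)), int(req.get("size", 50))
    if page < 0 or not 1 <= size <= MAX_SIZE:
        raise ValueError("page/size out of range")
    if page * size + size > MAX_RESULT_WINDOW:
        raise ValueError("page is beyond the result window")

    # Exact-match conditions go in filter context: unscored and cacheable.
    filters = [{"term": {"tenantId": tenant}}]
    for param, field in KEYWORD_FILTERS.items():
        if req.get(param):
            filters.append({"terms": {field: list(req[param])}})
    bounds = {"gte": req.get("startTime"), "lte": req.get("endTime")}
    bounds = {op: ts for op, ts in bounds.items() if ts}
    if bounds:
        filters.append({"range": {"createdAt": bounds}})

    bool_query = {"filter": filters}
    if req.get("query"):
        # User-supplied text is passed as a match value, never as query syntax.
        bool_query["must"] = [
            {"multi_match": {"query": str(req["query"]), "fields": TEXT_FIELDS}}
        ]
    return {"from": page * size, "size": size, "query": {"bool": bool_query}}
```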
Indexing Architecture
Events are indexed into Elasticsearch through two paths:
- Synchronous: When events are created via POST /api/v1/audit/events, they are indexed inline after database persistence
- Asynchronous: When events are created via Kafka (POST /api/v1/audit/events/async), the Kafka consumer indexes them in Elasticsearch after processing
The Elasticsearch configuration is managed by ElasticsearchConfig, which sets up the RestHighLevelClient connection.
Search Repositories
| Repository | Purpose |
|---|---|
| AuditEventRepository | JPA repository for PostgreSQL queries |
| AuditEventSearchRepository | Spring Data Elasticsearch repository for full-text search |
PostgreSQL is the primary store of record for audit events. Elasticsearch serves as a secondary index optimized for full-text search. If Elasticsearch is unavailable, events are still persisted to PostgreSQL and can be queried through the standard REST endpoints.