Logging & Audit
Logs explain runtime events, audit findings summarize repeated deny behavior, and wiretap shows live traffic.
Operators usually need three different evidence sources:
- logs for runtime events and failures
- audit findings for repeated policy outcomes
- wiretap for live traffic confirmation
Treat them as complementary tools rather than interchangeable ones.
Logs
Logs are the process-oriented event stream. Use them for:
- startup failures
- component crashes
- explicit runtime errors
- integration failures
The runtime supports plain and JSON log output through:
- NEUWERK_LOG_LEVEL
- RUST_LOG
- NEUWERK_LOG_FORMAT
Audit Findings
Audit findings are structured records about repeated deny or auth-related events. They are not raw packet captures.
Audit queries depend on performance mode. If performance mode is disabled, the audit API is unavailable until it is re-enabled.
Current finding types include:
- dns_deny
- l4_deny
- tls_deny
- icmp_deny
- auth_sso
Use audit when you want to answer questions like:
- which source group is being denied most often
- which hostname or destination is being blocked
- whether a rollout changed deny patterns
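The three questions above are aggregation questions over persisted findings. The following Python script is an added example, not code from the project: it answers them over a constructed batch of findings. The record shape it assumes (type, source_group, destination, timestamp) and the rollout timestamp are illustrative assumptions, not the documented audit API schema.

```python
"""Answer the three audit questions over a batch of findings.

Constructed sample data: the field names below (type, source_group,
destination, timestamp) are an assumed record shape for illustration,
not the documented audit API schema.
"""
from collections import Counter
from datetime import datetime, timezone

SAMPLE_FINDINGS = [
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net", "timestamp": "2024-05-01T09:00:00Z"},
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net", "timestamp": "2024-05-01T09:05:00Z"},
    {"type": "l4_deny", "source_group": "web", "destination": "10.0.0.5:5432", "timestamp": "2024-05-01T09:30:00Z"},
    {"type": "auth_sso", "source_group": "web", "destination": "sso.example.com", "timestamp": "2024-05-01T10:00:00Z"},
    {"type": "tls_deny", "source_group": "batch", "destination": "telemetry.example.org", "timestamp": "2024-05-01T13:00:00Z"},
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net", "timestamp": "2024-05-01T13:10:00Z"},
    {"type": "l4_deny", "source_group": "web", "destination": "10.0.0.5:5432", "timestamp": "2024-05-01T13:15:00Z"},
    {"type": "icmp_deny", "source_group": "batch", "destination": "10.0.0.9", "timestamp": "2024-05-01T14:00:00Z"},
]

ROLLOUT_AT = "2024-05-01T12:00:00Z"  # assumed rollout time used for the before/after comparison


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def deny_findings(findings):
    """Keep only deny-type findings; auth_sso records are auth events, not denies."""
    return [f for f in findings if f["type"].endswith("_deny")]


def top_source_groups(findings, n=3):
    """Which source group is denied most often."""
    return Counter(f["source_group"] for f in deny_findings(findings)).most_common(n)


def top_destinations(findings, n=3):
    """Which hostname or destination is blocked most often."""
    return Counter(f["destination"] for f in deny_findings(findings)).most_common(n)


def rollout_delta(findings, rollout_at):
    """Deny counts per finding type before and after a rollout timestamp.

    Returns {finding_type: {"before": n, "after": n}} so that deny types
    that only appear after the rollout are easy to spot.
    """
    cutoff = parse_ts(rollout_at)
    before, after = Counter(), Counter()
    for f in deny_findings(findings):
        bucket = after if parse_ts(f["timestamp"]) >= cutoff else before
        bucket[f["type"]] += 1
    return {t: {"before": before[t], "after": after[t]} for t in sorted(before | after)}


def new_deny_types(findings, rollout_at):
    """Finding types absent before the rollout and present after it."""
    delta = rollout_delta(findings, rollout_at)
    return sorted(t for t, c in delta.items() if c["before"] == 0 and c["after"] > 0)


if __name__ == "__main__":
    print("top source groups:", top_source_groups(SAMPLE_FINDINGS))
    print("top destinations:", top_destinations(SAMPLE_FINDINGS))
    print("rollout delta:", rollout_delta(SAMPLE_FINDINGS, ROLLOUT_AT))
    print("new deny types after rollout:", new_deny_types(SAMPLE_FINDINGS, ROLLOUT_AT))
```

The auth_sso type is deliberately filtered out of the deny counts: it is an auth-related finding, and mixing it into deny totals would inflate the numbers for groups that authenticate often. The rollout comparison keys on finding type so that a policy change that introduces a new kind of deny (here tls_deny and icmp_deny) stands out even when the total deny count barely moves.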
Wiretap
Wiretap is for live observation rather than long-term history.
Use it when you need to:
- confirm what is happening right now
- compare real traffic against expected policy
- investigate intermittent behavior that is not obvious from counters
Wiretap also depends on performance mode. If performance mode is disabled, the stream endpoint is unavailable.
Storage Boundaries
Audit history is persisted. Logs and wiretap are operational streams.
That distinction matters:
- audit is useful for historical evidence and trend review
- logs are useful for runtime diagnosis
- wiretap is useful for immediate live confirmation
Practical Investigation Order
When policy behavior looks wrong:
- check audit findings for repeated denies
- use wiretap if you need live confirmation
- read logs for runtime or integration errors
That sequence usually separates a real policy decision from a component failure.
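The investigation order above can be scripted for a single suspect flow. The following Python script is an added example and not part of the project: it checks audit findings for repeated denies on the flow first, then scans JSON log records for ERROR-level entries from the component involved, and only falls back to a "needs wiretap" verdict when neither source explains the behaviour. The finding fields, the JSON log fields (ts, level, target, msg), the component names and the deny threshold are illustrative assumptions, not the project's documented schemas. Plain-format log lines are skipped rather than treated as failures, which matters when the log format has been switched mid-investigation.

```python
"""Triage one suspect flow: audit findings first, then logs, then wiretap.

Constructed sample data: the finding fields and the JSON log fields
(ts, level, target, msg) are assumed shapes for illustration, not the
project's documented schemas.
"""
import json

SAMPLE_FINDINGS = [
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net"},
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net"},
    {"type": "dns_deny", "source_group": "batch", "destination": "updates.example.net"},
    {"type": "auth_sso", "source_group": "web", "destination": "sso.example.com"},
]

# Constructed log lines: a mix of JSON and plain-format records, as seen when
# the log format was changed part-way through the window under review.
SAMPLE_LOG_LINES = [
    '{"ts":"2024-05-01T09:00:00Z","level":"INFO","target":"neuwerk::dns","msg":"resolver ready"}',
    '2024-05-01T09:00:01Z  INFO neuwerk::policy: loaded 12 rules',
    '{"ts":"2024-05-01T10:00:02Z","level":"ERROR","target":"neuwerk::sso","msg":"idp token endpoint unreachable"}',
    '{"ts":"2024-05-01T10:00:03Z","level":"WARN","target":"neuwerk::sso","msg":"retrying in 5s"}',
]


def parse_json_logs(lines):
    """Parse JSON log records; plain-format or malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def deny_count_for_flow(findings, source_group, destination):
    """Number of deny findings recorded for exactly this source group and destination."""
    return sum(
        1 for f in findings
        if f["type"].endswith("_deny")
        and f["source_group"] == source_group
        and f["destination"] == destination
    )


def error_records(logs, component):
    """ERROR-level records whose target falls under the named component."""
    return [
        r for r in logs
        if r.get("level") == "ERROR" and str(r.get("target", "")).startswith(component)
    ]


def triage(findings, log_lines, source_group, destination, component, min_denies=3):
    """Classify a flow as an enforced policy decision, a component failure,
    or something that needs live confirmation with wiretap.

    Returns (verdict, evidence). The min_denies threshold is an assumed value;
    tune it to the traffic volume of the flow being examined.
    """
    denies = deny_count_for_flow(findings, source_group, destination)
    if denies >= min_denies:
        # Repeated denies in persisted audit history: the policy is doing what it was told.
        return "policy_decision", {"denies": denies}
    errors = error_records(parse_json_logs(log_lines), component)
    if errors:
        # No deny pattern, but the component is reporting runtime errors.
        return "component_failure", {"errors": [r["msg"] for r in errors]}
    # Neither source explains it; confirm the live traffic before going further.
    return "needs_wiretap", {"denies": denies, "errors": []}


if __name__ == "__main__":
    for flow in [
        ("batch", "updates.example.net", "neuwerk::dns"),
        ("web", "sso.example.com", "neuwerk::sso"),
        ("web", "api.example.com", "neuwerk::policy"),
    ]:
        print(flow, "->", triage(SAMPLE_FINDINGS, SAMPLE_LOG_LINES, *flow))
```

The second flow is the instructive one: the audit history holds an auth_sso finding for it but no denies, so the audit check comes up empty and the log scan surfaces the real cause, an unreachable identity provider. Without the ordering, that flow would look like a policy problem to anyone reading only counters.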