Audit logging: immutable trail with SIEM export #350

@mikemcdougall

Context

Compliance teams require immutable audit trails. Esri's audit capabilities are limited and expensive.

Scope

  • Immutable append-only audit log: who queried/edited what, when, from where
  • Structured events: user, action, resource, timestamp, source IP, result
  • SIEM export: Splunk, Datadog, Elastic (webhook or log forwarding)
  • Retention policies: configurable retention period, archival to object storage
  • Admin UI: audit log viewer with filtering and search
  • No performance impact on ungated Community endpoints

References

  • ADR-0024: Enterprise tier feature (Audit Logging pillar)
  • ADR-0020: Previously deferred as MVP operational deferral
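One way to get the append-only property and the structured event fields listed under Scope, shown as an added example that is not code from this project: the issue does not name a mechanism, so the SHA-256 hash chain, the `AuditLog` class, the JSON Lines export and all sample values here are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record (assumed convention)
FIELDS = {"user", "action", "resource", "timestamp", "source_ip", "result"}

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes identically.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

class AuditLog:
    """Hypothetical append-only log; each record commits to its predecessor."""
    def __init__(self):
        self._records = []

    def append(self, user, action, resource, source_ip, result, timestamp=None):
        event = {"user": user, "action": action, "resource": resource,
                 "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
                 "source_ip": source_ip, "result": result}
        prev = self._records[-1]["hash"] if self._records else GENESIS
        self._records.append(
            {"event": event, "prev_hash": prev, "hash": _digest(prev, event)})

    def export_jsonl(self):
        # One JSON object per line, a shape log forwarders commonly ingest.
        return "\n".join(json.dumps(r, sort_keys=True) for r in self._records)

def verify(jsonl):
    """Return the index of the first record that breaks the chain, or -1."""
    prev = GENESIS
    for i, line in enumerate(jsonl.splitlines()):
        r = json.loads(line)
        if (set(r["event"]) != FIELDS or r["prev_hash"] != prev
                or r["hash"] != _digest(prev, r["event"])):
            return i
        prev = r["hash"]
    return -1

def demo():
    # Constructed sample events; addresses are documentation ranges.
    log = AuditLog()
    log.append("alice", "query", "layers/parcels", "203.0.113.7", "success",
               "2024-01-01T00:00:00+00:00")
    log.append("bob", "edit", "layers/parcels/42", "198.51.100.9", "denied",
               "2024-01-01T00:01:00+00:00")
    log.append("carol", "query", "layers/roads", "192.0.2.15", "success",
               "2024-01-01T00:02:00+00:00")
    intact = log.export_jsonl()
    edited = intact.replace('"denied"', '"success"', 1)  # rewrite one result
    lines = intact.splitlines()
    del lines[1]                                         # drop one record
    return verify(intact), verify(edited), verify("\n".join(lines))
```

A chain like this detects edits and deletions inside the log but not truncation of the tail, so the latest hash still has to be anchored somewhere the log writer cannot rewrite, such as the exported SIEM copy.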

Labels

  • area/server: Core server (protocols, query, edits)
  • edition/enterprise: Enterprise edition feature
  • effort/L: 🌳 L: 1-2 days (complex feature, multiple components)
  • enhancement: New feature or request
  • phase/Beta: Beta scope
  • priority/P3: 📋 Low priority - nice to have in phase, can be deferred
