
Immutable Audit Logs with Open Policy Agent (OPA)


Audit logs play a critical role in understanding what happens in your systems. They give you the transparency you need to troubleshoot, maintain compliance, and increase accountability. But to truly trust your logs, they must be immutable—unchangeable and tamper-proof. Combining Open Policy Agent (OPA) with a thoughtful logging strategy can help you achieve exactly that.

This post explores how to implement immutable audit logs using Open Policy Agent. By the end, you'll see how this approach ensures audits you can trust without jeopardizing performance or flexibility.


What Are Immutable Audit Logs?

An immutable audit log means that once an event is logged, it cannot be changed or deleted. This is a security measure against accidental deletion or malicious tampering. Immutable logs are commonly needed for regulatory compliance, security investigations, or debugging production systems, where you're dealing with sensitive or critical operations.

For example, auditing authentication attempts, API usage, or database changes is a task that often demands a reliable record. Audit logs that lack immutability leave gaps in your audit trail and reduce credibility in sensitive scenarios, such as compliance audits or incident investigations.


Why Pair Open Policy Agent with Immutable Logs?

OPA is a general-purpose policy engine often used to enforce policies in cloud-native and distributed environments. While most associate OPA with authorization decisions, the same mechanism applies just as well to deciding which events must be logged.

Here's why OPA shines for immutable audit logs:

  1. Declarative Control: OPA policies are written in Rego, a declarative language. With it, you define what rules warrant logging, rather than hardcoding logging logic into your applications.
  2. Dynamic Policy Updates: You can update logging rules dynamically without redeploying systems, ensuring logs adapt as compliance or business needs evolve.
  3. Standardization of Behavior: OPA centralizes and standardizes logging rules across services, eliminating inconsistencies in how logs are captured.

Building Immutable Audit Logs with Open Policy Agent

Follow these steps to design and implement a robust immutable audit log using OPA.

1. Define Events to Audit

The foundation of a strong audit system is knowing what needs to be logged. Common examples include:

  • API requests, especially sensitive actions like account deletions
  • Policy violations (e.g., unauthorized access attempts)
  • Significant configuration or code changes

For instance:

package audit

import rego.v1

# Audit any request that deletes a resource.
should_audit if {
    input.method == "DELETE"
}

# Audit every authentication attempt, successful or not.
should_audit if {
    input.action == "login_attempt"
}

This policy marks delete requests and login attempts for auditing. The two should_audit rules are combined with OR semantics: the rule is true when either body matches the input.

2. Log Events Unconditionally

Ensure that once an event meets your logging rule, it is captured without fail. Direct logs to an immutable storage layer, such as an append-only store (the same write-once pattern a database write-ahead log uses) or an external logging service that implements versioning and integrity checks.

In an OPA decision:

package audit

import rego.v1

# Default-deny: an event is only logged when a should_audit rule matches.
default log_event := false

log_event if {
    should_audit
}

OPA exposes log_event as a decision (for example via POST /v1/data/audit/log_event on the Data API), which downstream services consume to write the event to the storage layer.

3. Secure the Audit Log

Immutable storage relies on cryptographic protections such as hashing and digital signatures to detect tampering. Combine these with storage solutions that implement strict write-once policies. Popular tools for immutable logs include:

  • Amazon S3 with Object Lock
  • HashiCorp Vault audit logs
  • Elasticsearch with strict write policies

OPA integrates well with these systems, enabling consistent logging behavior.
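The following is an added example, not code from the original post or from Hoop.dev, showing the consumer side of steps 2 and 3: a service receives OPA's decision for data.audit.log_event and, when it is true, appends the event to a hash-chained, HMAC-sealed log. Each entry's digest covers the previous entry's digest, so modifying, reordering, or deleting an entry breaks the chain and is caught by verify(). The in-memory list, the signing key, and the sample inputs are constructed for the demonstration; the decision document shape {"result": true} is what OPA's Data API returns for the rule above.

```python
"""Hash-chained, HMAC-sealed audit log fed by OPA decisions (added example)."""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key. In production the key lives in a KMS/HSM and the
# services that write audit events cannot read it, so they cannot re-seal entries.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

GENESIS_HASH = "0" * 64  # previous-hash value for the first entry


def canonical(event: dict) -> bytes:
    """Deterministic JSON encoding so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_hash: str, event: dict) -> dict:
    """Build an entry whose digest covers the previous entry's digest."""
    entry_hash = hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()
    signature = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    return {"prev_hash": prev_hash, "event": event, "hash": entry_hash, "sig": signature}


class AuditLog:
    """Append-only list of sealed entries; deliberately offers no update or delete."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = seal(prev, event)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            expected = seal(prev, entry["event"])
            if entry["prev_hash"] != prev or entry["hash"] != expected["hash"]:
                return i  # content changed, or an earlier entry was removed/reordered
            if not hmac.compare_digest(entry["sig"], expected["sig"]):
                return i  # digest re-computed by someone without the key
            prev = entry["hash"]
        return None


def record_if_audited(log: AuditLog, opa_input: dict, opa_decision: dict) -> bool:
    """Consume OPA's decision for data.audit.log_event; append the event when true."""
    if opa_decision.get("result") is True:
        log.append({"input": opa_input, "decision": "audited"})
        return True
    return False


def demo() -> dict:
    """Constructed scenario: two audited events, one not, then two tampering attempts."""
    log = AuditLog()
    record_if_audited(log, {"method": "DELETE", "path": "/accounts/42"}, {"result": True})
    record_if_audited(log, {"method": "GET", "path": "/health"}, {"result": False})
    record_if_audited(log, {"action": "login_attempt", "user": "alice"}, {"result": True})
    record_if_audited(log, {"method": "DELETE", "path": "/keys/7"}, {"result": True})
    intact = log.verify()                      # None: chain is good
    log.entries[0]["event"]["input"]["path"] = "/accounts/1"
    modified = log.verify()                    # 0: first entry no longer matches its hash
    log.entries[0]["event"]["input"]["path"] = "/accounts/42"
    del log.entries[1]                         # drop the login event
    deleted = log.verify()                     # 1: successor's prev_hash points at the removed entry
    return {"entries": len(log.entries), "intact": intact, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone only proves internal consistency; an attacker who can rewrite the whole store and holds the key could re-seal it. Periodically exporting the latest entry hash to a separate system (or to an Object Lock bucket, as in the list above) anchors the chain so that such a rewrite is also detectable.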


Challenges of Immutable Audit Logging (And Solutions)

Performance Overheads

Adding immutability guarantees and an OPA evaluation to every request adds latency to the request path. To offset this:

  • Write logs asynchronously
  • Decouple logging policies from the request-response path

Maintaining Security

The immutability guarantee is only as strong as the storage backend. Always pair OPA policies with cryptographic integrity checks.

Policy Management

Complex cases may grow hard to manage. Use version-controlled Rego policies and automated CI pipelines to avoid human error.


See It in Action

Building immutable audit logs doesn’t have to take weeks of custom development. Hoop.dev makes combining Open Policy Agent policies with observability tooling fast and approachable. In just minutes, you can configure OPA to log critical events directly and securely.

Want to see how it works? Try Hoop.dev now and experience immutability with zero hassle.
