NOFire AI automatically tracks security-relevant actions across your platform and exports audit logs to your S3 bucket for compliance and security reviews.

What Gets Logged

NOFire AI logs actions that modify data or involve authentication:
  • Authentication: Login, logout, session events
  • API keys: Creation and deletion (individual API calls using a key are not logged, but the actor is identified as the API key)
  • Integrations: Connection creation, updates, removal (validation errors are logged, but explicit test actions are not)
  • Investigations: Resolve, feedback, incident creation, postmortem generation
Read-only operations (viewing dashboards, listing resources) are not logged to keep audit trails focused and actionable. All audit events are automatically exported to your S3 bucket daily.

Audit Event Schema

Every audit event includes:
| Field | Description |
| --- | --- |
| time | When the action occurred (ISO 8601 UTC) |
| actor_id | Who performed the action (email or API key ID) |
| actor_type | Type of actor: user, api_key, or system |
| action | What happened: create, write, delete, login, logout, etc. |
| resource_type | What was affected: connections, investigations, api_keys, etc. |
| resource_id | Unique identifier of the affected resource |
| success | Whether the operation succeeded (true/false) |
| ip_address | Source IP address |
| user_agent | Browser or client identifier |
| metadata | Additional context (request IDs, failure reasons, etc.) |

Example audit event:
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "time": "2026-01-17T10:30:00Z",
  "actor_id": "[email protected]",
  "actor_type": "user",
  "action": "create",
  "resource_type": "api_keys",
  "resource_id": "api-key-abc123",
  "success": true,
  "ip_address": "203.0.113.42",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
  "metadata": {
    "request_id": "req_xyz789",
    "key_name": "Production API Key"
  }
}

S3 Export

Automatically export your audit logs to your own S3 bucket for long-term retention and compliance archival.

How It Works

  1. Configure S3 connection: Provide your bucket name and IAM role
  2. Daily exports: NOFire exports the previous day’s logs every night
  3. Compressed format: Logs are gzipped JSONL (one JSON object per line)
  4. Organized structure: Files use Hive-style partitioning for easy querying

Export Path Format

s3://{your-bucket}/{prefix}/year=2026/month=01/day=17/audit.jsonl.gz
Example path:
s3://acme-corp-audit-logs/nofire/year=2026/month=01/day=17/audit.jsonl.gz
This structure works seamlessly with AWS Athena, Snowflake, and other analytics tools.

IAM Role Setup

Grant NOFire cross-account access to write audit logs to your S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::your-bucket/nofire/*"
    }
  ]
}
Trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::593113792344:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-external-id"
        }
      }
    }
  ]
}
Use the External ID provided in the NOFire AI dashboard when configuring your audit export connection.

Retention Policy

Audit logs are retained based on your plan:
  • In-platform access: 7 days (configurable up to 90 days)
  • S3 exports: Indefinite (you control retention in your bucket)
After the retention period, logs are automatically deleted from NOFire’s systems. S3 exports remain in your bucket until you delete them.
Compliance tip: Configure S3 lifecycle policies to archive logs to Glacier for cost-effective long-term retention.

Use Cases

Compliance Audits

Access a complete audit trail for compliance reviews:
  • All logs automatically exported to your S3 bucket
  • Query with Athena: SELECT * FROM audit_logs WHERE action = 'delete'
  • Industry-standard format works with any analytics tool

Security Investigations

Review historical activity during security incidents:
  • Who accessed what resources and when
  • Failed login attempts and their sources
  • Unauthorized access attempts
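
The failed-login review above can be run directly against an export file. This is an added example, not NOFire's own code: it reads gzipped JSONL in the schema documented on this page and lists source IPs with repeated failed logins; the sample events, addresses and threshold are constructed.

```python
import gzip
import json
from collections import defaultdict

def make_export(events):
    """Build gzipped JSONL bytes, the format of one daily audit.jsonl.gz."""
    return gzip.compress("\n".join(json.dumps(e) for e in events).encode())

def read_events(blob):
    """Yield one dict per non-empty line of a gzipped JSONL export."""
    for line in gzip.decompress(blob).decode("utf-8").splitlines():
        if line.strip():
            yield json.loads(line)

def failed_logins_by_ip(events, threshold=3):
    """Map source IP -> sorted actor_ids for IPs with >= threshold failed logins."""
    counts = defaultdict(int)
    actors = defaultdict(set)
    for e in events:
        # "success" is a JSON boolean in the schema, so compare against False.
        if e.get("action") == "login" and e.get("success") is False:
            ip = e.get("ip_address", "unknown")
            counts[ip] += 1
            actors[ip].add(e.get("actor_id", "unknown"))
    return {ip: sorted(actors[ip]) for ip, n in counts.items() if n >= threshold}

def _event(time, actor, ok, ip):
    # Constructed sample event using the schema fields from this page.
    return {"time": time, "actor_id": actor, "actor_type": "user",
            "action": "login", "success": ok, "ip_address": ip}

# Constructed export: one IP fails against three accounts, another fails once.
SAMPLE = make_export([
    _event("2026-01-17T02:00:01Z", "alice@example.com", False, "198.51.100.7"),
    _event("2026-01-17T02:00:03Z", "bob@example.com", False, "198.51.100.7"),
    _event("2026-01-17T02:00:05Z", "carol@example.com", False, "198.51.100.7"),
    _event("2026-01-17T09:15:00Z", "alice@example.com", False, "203.0.113.42"),
    _event("2026-01-17T09:15:20Z", "alice@example.com", True, "203.0.113.42"),
])

if __name__ == "__main__":
    for ip, who in failed_logins_by_ip(read_events(SAMPLE)).items():
        print(ip, who)
```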

Access Reviews

Track API key usage and identify security risks:
  • When keys were created and by whom
  • Last usage timestamps for each key
  • Identify unused or overprivileged keys

Change Tracking

Maintain a complete history of configuration changes:
  • Who modified integration settings
  • When connections were added or removed
  • Changes to user permissions and roles

Best Practices

  • Enable S3 export immediately: Don’t wait until you need historical logs for compliance or investigation. Configure S3 export on day one.
  • Set up S3 lifecycle policies: Archive older logs to Glacier after 90 days for cost optimization while maintaining compliance.
  • Query efficiently: Use narrow time ranges and resource filters to reduce query time and data transfer.
  • Monitor export status: Set up alerts if export jobs fail for multiple consecutive days.
  • Review regularly: Periodic access reviews help identify unused API keys, suspicious patterns, and compliance gaps.
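
One way to implement the export-status check is to compare the object keys in your bucket with the daily partitions from the Export Path Format section. This is an added example, not NOFire's own code: the key list is constructed, and in practice it would come from a listing of your bucket.

```python
import re
from datetime import date, timedelta

# Matches the Hive-style key layout from "Export Path Format".
KEY_RE = re.compile(r"year=(\d{4})/month=(\d{2})/day=(\d{2})/audit\.jsonl\.gz$")

def exported_days(keys):
    """Return the set of dates that have an audit.jsonl.gz object."""
    days = set()
    for key in keys:
        m = KEY_RE.search(key)
        if m:
            try:
                days.add(date(*map(int, m.groups())))
            except ValueError:
                pass  # e.g. month=13; ignore keys that are not real dates
    return days

def missing_runs(keys, start, end, min_run=2):
    """Return (first, last) date pairs for runs of >= min_run missing days."""
    have = exported_days(keys)
    runs, run_start = [], None
    day = start
    while day <= end:
        if day not in have:
            run_start = run_start or day
        elif run_start:
            if (day - run_start).days >= min_run:
                runs.append((run_start, day - timedelta(days=1)))
            run_start = None
        day += timedelta(days=1)
    # A gap that is still open at the end of the window counts as well.
    if run_start and (end - run_start).days + 1 >= min_run:
        runs.append((run_start, end))
    return runs

# Constructed listing: exports for Jan 14, 15 and 18 exist; 16 and 17 do not.
SAMPLE_KEYS = [
    "nofire/year=2026/month=01/day=14/audit.jsonl.gz",
    "nofire/year=2026/month=01/day=15/audit.jsonl.gz",
    "nofire/year=2026/month=01/day=18/audit.jsonl.gz",
]

if __name__ == "__main__":
    for first, last in missing_runs(SAMPLE_KEYS, date(2026, 1, 14), date(2026, 1, 19)):
        print(f"ALERT: no export from {first} to {last}")
```
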
For questions about audit logging setup or S3 export configuration, contact [email protected].