Most platforms ship technical logs and call it an audit trail
Most commerce platforms treat audit as a side effect. They write activity to application log files and leave your security team to reconstruct what happened, often by piping everything into a SIEM (the system that aggregates and searches those logs). Others push audit off as a third-party integration the customer has to run. The output in both cases is a stream of technical logs, which is not the same thing as audit evidence.
Audit evidence is structured. Actor, entity, operation, timestamp, payload. Sensitive fields redacted. It is queryable by your compliance officer, retainable for the window your regulator requires, and exportable when an auditor asks.
Vendure Platform produces that evidence as a first-class capability.
One logging surface, six capabilities
The audit-trail plugin is built around configurable sources, a single sink interface, and pluggable retention and export strategies.
Entity change tracking
Creates, updates, and deletes for any Vendure entity are captured by the EventBusLogSourceStrategy via VendureEntityEvent. Every entry records the actor, the operation, the subject (entity name), the reference ID, and the redacted payload. Same machinery applies to your custom entities, with no carve-out.
Login events, success and failure
Admin login successes and failures are picked up by the event-bus source. The actor identity comes from SSO or local auth equally. Add IP address, user agent, or any other request metadata via addMetadata functions on the plugin options.
Optional read-access tracking
Read logging is opt-in via readAccessAuditedOperations. Enable it on the entities your regime requires (customer, order, administrator, asset, and 16 other core entities are pre-mapped). Useful for HIPAA, GDPR data-subject access logs, and SOX read-trail requirements. Off by default because reads typically outnumber writes ten to one and the noise is unnecessary unless you need it.
Retention and scheduled exports
TimeBasedRetentionStrategy purges entries older than a configurable window (default 90 days) on a daily schedule you control. Scheduled exports run through AuditLogExportStrategy; the bundled JsonFileExportStrategy writes JSON to disk, and you can implement the interface to target object storage, SFTP, or whatever archive your compliance pipeline expects. Schedule exports daily, weekly, or disable scheduled exports explicitly.
Dashboard browse, filter, export
Compliance officers do not need DBA access to read the audit trail. The dashboard ships an Audit Log page under System with filters by subject, operation, actor, and date range, a diff viewer for updates, and CSV or JSON export of the current view. An "Audit Log" action also appears on 19 entity detail pages for inline filtered access.
Audit entries land where your compliance regime requires
The default DatabaseLogSink persists entries to your Vendure database, queryable through the auditLogConnection cursor-paginated query. If your compliance regime needs entries to land somewhere else at write time, like write-once object storage with object lock, an append-only log service, or your SIEM, implement the AuditLogSink interface and configure it per environment. Tests can run against an in-memory sink while production writes straight to your regulated archive.
One system, from event to evidence
The capture, storage, retention, export and review layers ship as one integrated system inside Platform, not a stack of plugins you wire together. The same request context flows through every layer, so an entry written at capture is the same entry an auditor reviews months later in the dashboard.
You configure the parts that matter for your regime and leave the rest on sensible defaults. One pipeline, end-to-end, with control where you need it.
Who read which record, when
Admin activity + login events
Data-subject access trail
Three regimes, three configurations
The plugin is the same in each scenario. The configuration changes based on what your regime asks for.
Custom entities and sensitive-field redaction
The event-bus source listens to VendureEntityEvent, which fires for any entity that participates in the Vendure entity lifecycle, including custom ones your plugins define. There is no "audit your custom code yourself" carve-out.
Sensitive fields are redacted before any entry is written. sanitizeSensitiveData covers passwords, tokens, secrets, API keys, and authorisation headers by default. Extend the list via sensitiveFieldPatterns for domain-specific field names. Redaction applies in both sources.
Trusted by complex B2B commerce and enterprise retail.
What compliance, security, and engineering teams ask about audit
The questions every audit evaluation asks before signing.
