
feat(audit): endpoints for generic audit log querying#1423

Merged
andrewazores merged 9 commits into cryostatio:main from andrewazores:audit-query
Apr 1, 2026

Conversation

andrewazores (Member) commented Mar 18, 2026

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits using a GPG signature

To recreate commits with GPG signature git fetch upstream && git rebase --force --gpg-sign upstream/main


Fixes #1299

Description of the change:

Adds generic audit log querying endpoints: one to query for audit revisions within a timeframe, a second to get details about what was changed by a given revision, and a third to produce a combined report of revisions and what they did within a timeframe.

The first and second endpoints are lighter-weight operations and are used to power the cryostatio/cryostat-web#2156 Audit Log table UI. This is primarily to allow the user to preview what data is in the audit logs for a given period, so that they can then download the full report (which may take some time to retrieve) for a full offline audit analysis.

How to manually test:

  1. Check out PR and build
  2. Check out linked -web PR
  3. ./smoketest.bash -O -t quarkus-cryostat-agent to run backend
  4. yarn start:dev in -web repo to run frontend
  5. Once everything is up and running, click around the UI to create/stop/start/delete active recordings, create/enable/disable automated rules, create/delete credentials, etc.
  6. In UI settings, set Advanced > Feature Level to Beta if not already set
  7. Go to Security > Audit Log, leave the default timeframe selection and click the query button
  8. Review the table of results, then click the download button and ensure that the resulting JSON download looks like it matches
  9. Change the timeframe of query and repeat test

andrewazores (Member, Author) commented:

/build_test

github-actions bot commented:

Workflow started at 3/18/2026, 4:36:27 PM. View Actions Run.

github-actions bot commented:

No GraphQL schema changes detected.

github-actions bot commented:

No OpenAPI schema changes detected.

github-actions bot commented:

No WebSocket notifications schema changes detected.

github-actions bot commented:

CI build: Integration tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23265815100

github-actions bot commented:

CI build: Unit tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23265815100

@andrewazores andrewazores marked this pull request as ready for review March 19, 2026 17:59
@andrewazores andrewazores requested a review from a team March 19, 2026 17:59
jtolentino1 (Member) previously approved these changes Mar 26, 2026 and left a comment:
LGTM. Tested with creating/stopping/deleting/starting active recordings and the same for automated rules. Was able to see the events under audit logs within the timeframe. Was also able to download the JSON, and it matches what the audit logs say. Also changed the timeframe after running more events and was able to see only the new ones, as expected.

Just need a rebase.

andrewazores (Member, Author) commented:

/build_test

github-actions bot commented:

Workflow started at 3/27/2026, 11:10:36 AM. View Actions Run.

github-actions bot commented:

No GraphQL schema changes detected.

github-actions bot commented:

No OpenAPI schema changes detected.

github-actions bot commented:

No WebSocket notifications schema changes detected.

github-actions bot commented:

CI build: Integration tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23653151269

github-actions bot commented:

CI build: Unit tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23653151269

andrewazores (Member, Author) commented:

/build_test

github-actions bot commented:

Workflow started at 3/31/2026, 3:07:11 PM. View Actions Run.

github-actions bot commented:

No OpenAPI schema changes detected.

github-actions bot commented:

No GraphQL schema changes detected.

github-actions bot commented:

No WebSocket notifications schema changes detected.

github-actions bot commented:

CI build: Integration tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23814721684

github-actions bot commented:

CI build: Unit tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23814721684

jtolentino1 (Member) commented:
Tested again, everything worked great up until I found a bug specifically with creating / removing an automated rule. Not sure if it's intended but worth taking a look.

How to recreate:

  1. create an automated rule with the match expression as true
  2. set target template to ALL
  3. now delete the created automated rule with clean checked
  4. now check in audit logs, there will be an errant log (404 error showing in toast notification as well) in between the creation and deletion logs as seen below

[Screenshots: 2026-03-31 at 2:47:44 PM and 2:52:50 PM]

andrewazores (Member, Author) commented:
Hmm. That's definitely not intended. I don't see anything obvious (stack trace etc) in the logs, but querying the audit logs for deletions is a bit different than querying for still-live entities, so I've probably got something wrong there. I'll spend a bit of time trying to chase this down.

andrewazores (Member, Author) commented:

/build_test

github-actions bot commented Apr 1, 2026

Workflow started at 4/1/2026, 10:17:06 AM. View Actions Run.

github-actions bot commented Apr 1, 2026

No GraphQL schema changes detected.

github-actions bot commented Apr 1, 2026

No WebSocket notifications schema changes detected.

github-actions bot commented Apr 1, 2026

No OpenAPI schema changes detected.

github-actions bot commented Apr 1, 2026

CI build: Integration tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23853261975

github-actions bot commented Apr 1, 2026

CI build: Unit tests pass ✅
https://github.com/cryostatio/cryostat/actions/runs/23853261975

andrewazores (Member, Author) commented:

@jtolentino1 should be fixed now. Deletion entries in the audit log should now display properly instead of producing a 404, although the revision is scant on details - it will just show you the revision ID, the deletion event type, and the ID of the entity that was deleted (no other fields, e.g. rule name, description).
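The three-endpoint shape described in the PR description (revisions in a timeframe, details for one revision, combined report) and the deletion edge case discussed in this thread, modelled as an added example. This is illustration code written for this page, not Cryostat's implementation: the in-memory `AuditLog` store, the `RevisionType` values, the field names in the returned dictionaries and the sample history are all assumptions. It keeps the buggy lookup beside the corrected one so the 404-on-deletion behaviour is visible in code: a deletion revision carries no entity snapshot, so a details lookup that expects a live entity fails, while the corrected lookup answers with the revision ID, event type and entity ID only.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class RevisionType(Enum):
    # Assumed names for the audit event kinds; not Cryostat's identifiers.
    ADD = "ADD"
    MOD = "MOD"
    DEL = "DEL"


@dataclass(frozen=True)
class Revision:
    revision_id: int
    timestamp: datetime
    entity_type: str
    entity_id: int
    revision_type: RevisionType
    # Field snapshot taken at this revision. A deletion revision keeps only the
    # entity key, so its snapshot is None; that is the edge case handled below.
    snapshot: Optional[dict]


class RevisionNotFound(Exception):
    """Unknown revision, or (naive path) missing snapshot; an API maps this to 404."""


class AuditLog:
    """In-memory stand-in for an audit store, constructed for this example."""

    def __init__(self, revisions):
        self._by_id = {r.revision_id: r for r in revisions}

    def _get(self, revision_id: int) -> Revision:
        rev = self._by_id.get(revision_id)
        if rev is None:
            raise RevisionNotFound(revision_id)
        return rev

    # Endpoint 1: lightweight listing of revisions inside [start, end].
    def query_revisions(self, start: datetime, end: datetime) -> list:
        hits = (r for r in self._by_id.values() if start <= r.timestamp <= end)
        return sorted(hits, key=lambda r: r.revision_id)

    # Endpoint 2, buggy shape: treats every revision like a still-live entity
    # and reports "not found" whenever the snapshot is absent, i.e. for DEL rows.
    def revision_details_naive(self, revision_id: int) -> dict:
        rev = self._get(revision_id)
        if rev.snapshot is None:
            raise RevisionNotFound(revision_id)  # surfaces as the 404 in the UI
        return {"revisionId": rev.revision_id, "type": rev.revision_type.value,
                "entityType": rev.entity_type, "entityId": rev.entity_id,
                "entity": dict(rev.snapshot)}

    # Endpoint 2, corrected: a DEL revision is answered with the fields the
    # store still has (revision id, event type, entity id) and no "entity" body.
    def revision_details(self, revision_id: int) -> dict:
        rev = self._get(revision_id)
        details = {"revisionId": rev.revision_id, "type": rev.revision_type.value,
                   "entityType": rev.entity_type, "entityId": rev.entity_id}
        if rev.revision_type is not RevisionType.DEL and rev.snapshot is not None:
            details["entity"] = dict(rev.snapshot)
        return details

    # Endpoint 3: combined report over the window, what a download button fetches.
    def report(self, start: datetime, end: datetime) -> list:
        return [self.revision_details(r.revision_id)
                for r in self.query_revisions(start, end)]


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample history: a rule is created, edited and then deleted with
# "clean", and an active recording is started afterwards.
SAMPLE_LOG = AuditLog([
    Revision(1, _utc(2026, 3, 31, 14, 40), "Rule", 7, RevisionType.ADD,
             {"name": "all-targets", "matchExpression": "true", "enabled": True}),
    Revision(2, _utc(2026, 3, 31, 14, 45), "Rule", 7, RevisionType.MOD,
             {"name": "all-targets", "matchExpression": "true", "enabled": False}),
    Revision(3, _utc(2026, 3, 31, 14, 50), "Rule", 7, RevisionType.DEL, None),
    Revision(4, _utc(2026, 3, 31, 15, 5), "ActiveRecording", 12, RevisionType.ADD,
             {"name": "profile", "state": "RUNNING"}),
])
WINDOW_START = _utc(2026, 3, 31, 14, 0)
WINDOW_MID = _utc(2026, 3, 31, 14, 47)
WINDOW_END = _utc(2026, 3, 31, 16, 0)


def naive_detail_failures(log: AuditLog, start: datetime, end: datetime) -> list:
    """Revision ids in the window for which the naive lookup would produce a 404."""
    failed = []
    for rev in log.query_revisions(start, end):
        try:
            log.revision_details_naive(rev.revision_id)
        except RevisionNotFound:
            failed.append(rev.revision_id)
    return failed


if __name__ == "__main__":
    print("naive lookups that 404:", naive_detail_failures(SAMPLE_LOG, WINDOW_START, WINDOW_END))
    for entry in SAMPLE_LOG.report(WINDOW_START, WINDOW_END):
        print(entry)
```

Run stand-alone, the script reports that revision 3 (the deletion) is the only one the naive lookup rejects, and the report lists all four revisions, with the deletion entry reduced to its revision ID, type and entity ID. The design point for anyone reviewing an audit API is the same one this thread arrived at: a details endpoint has to be written against the audit table, not the live entity table, or every deletion becomes a lookup failure and the report silently loses exactly the events an auditor most wants to see.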

jtolentino1 (Member) left a comment:
Tested with new patch, bug is gone. LGTM

@andrewazores andrewazores merged commit b46f560 into cryostatio:main Apr 1, 2026
13 checks passed
@andrewazores andrewazores deleted the audit-query branch April 1, 2026 17:34

Labels: feat (New feature or request), safe-to-test

Linked issue (may be closed by merging this pull request): [Task] Backend for generic audit querying

2 participants