Audit Logs
How to configure VaultPDF's audit system. Covers all three audit tiers -- basic (SharePoint JSONL), blob (Azure Blob AppendBlob), and enterprise (Service Bus + Audit Worker) -- including the AuditEvent schema, file naming, and setup steps for each tier.
Overview
VaultPDF writes two distinct records for every render request:
| Record | Where | Purpose |
|---|---|---|
| JSONL audit trail | SharePoint Audit Logs library or Azure Blob | Comprehensive lifecycle log for compliance and troubleshooting |
| VaultPDF_Activity item | SharePoint list | Human-readable render history browsable directly in SharePoint |
This page covers the JSONL audit trail. The Activity list is written automatically based on your SharePoint configuration -- no separate setup is required.
Choose an Audit Tier
Select your audit tier by setting auditLogs in storage-config.json. If you omit this setting, VaultPDF defaults to basic.
| Tier | Config value | Recommended for |
|---|---|---|
| Basic | 'basic' | Low-to-medium volume deployments already using SharePoint for output |
| Blob | 'blob' | Medium-to-high volume deployments routing other outputs to Azure Blob |
| Enterprise | 'enterprise' | High volume, compliance requirements, or guaranteed-delivery scenarios |
All three tiers produce the same event schema and the same JSONL file format. The difference is where the files land and how reliably events are delivered under load.
Tier comparison
| Feature | Basic | Blob | Enterprise |
|---|---|---|---|
| Infrastructure required | SharePoint only | Azure Blob Storage | Azure Blob + Service Bus |
| Concurrent render safety | Partial (best-effort) | Safe | Fully serialised |
| Guaranteed delivery | No | No | Yes (queue + dead-letter) |
| Dead-letter monitoring | No | No | Yes |
| Suitable for high volume | No | Yes | Yes |
| Additional cost | None | Low (storage) | Low (storage + Service Bus) |
Basic Tier (auditLogs: 'basic')
Audit events are appended to a JSONL file in the SharePoint Audit Logs library. No additional Azure infrastructure is required.
When to use
- Your deployment already routes all output to SharePoint
- Render volume is moderate (under ~50,000 events per month)
- You do not have strict compliance requirements for zero event loss
Setup
- Ensure the Audit Logs library exists in your SharePoint site and its drive ID is set in
sp-config.json:
{
"driveIds": {
"Audit Logs": "<drive-id>"
},
"features": {
"auditLogs": true
}
}- In
storage-config.json, either omitauditLogs(basic is the default) or set it explicitly:
{
"libraryRoutes": {
"auditLogs": "basic"
}
}Blob Tier (auditLogs: 'blob')
Audit events are written directly to an Azure Blob AppendBlob. This gives lower latency and safe concurrent writes from multiple render instances.
When to use
- You are already routing generated documents to Azure Blob
- You want reliable audit writes without the overhead of a Service Bus queue
- You do not need guaranteed delivery or dead-letter monitoring
Setup
- Create an
audit-logscontainer in your Azure Storage account. - Ensure the VaultPDF app's Managed Identity has Storage Blob Data Contributor on the storage account.
- Update
storage-config.json:
{
"libraryRoutes": {
"auditLogs": "blob"
},
"accountName": "your-storage-account",
"blobContainers": {
"auditLogs": "audit-logs"
}
}Enterprise Tier (auditLogs: 'enterprise')
Audit events are enqueued to an Azure Service Bus queue. A separate Audit Worker dequeues them and writes to Azure Blob. This guarantees delivery -- events that cannot be written after repeated attempts are moved to a dead-letter queue for manual review rather than silently dropped.
When to use
- High or unpredictable render volume
- Compliance requirements that cannot tolerate any audit event loss
- You need alerting on dead-lettered audit events
Azure resources to provision
- Create a Standard or Premium Azure Service Bus namespace.
- Create a queue with these settings:
| Setting | Recommended value |
|---|---|
| Queue name | audit-events |
| Max delivery count | 10 |
| Dead-lettering on message expiry | Enabled |
| Message TTL | P7D (7 days) |
| Lock duration | PT1M (1 minute) |
| Sessions | Disabled |
-
Create two Shared Access Policies on the queue:
render-send-- Send rights only (used by the VaultPDF render service)worker-listen-- Listen rights only (used by the Audit Worker service)
-
Create an
audit-logscontainer in your Azure Storage account. -
Ensure the Audit Worker's Managed Identity has Storage Blob Data Contributor on the storage account.
Configuration
Update storage-config.json on the render service:
{
"libraryRoutes": {
"auditLogs": "enterprise"
},
"accountName": "your-storage-account",
"blobContainers": {
"auditLogs": "audit-logs"
}
}Set the following app settings on the render service:
| Setting | Value |
|---|---|
AUDIT_SERVICEBUS_CONNECTION_STRING | Connection string for the render-send policy (use a Key Vault reference) |
Set the following app settings on the Audit Worker service:
| Setting | Value |
|---|---|
AUDIT_SERVICEBUS_CONNECTION | Connection string for the worker-listen policy (use a Key Vault reference) |
AUDIT_SERVICEBUS_QUEUE_NAME | audit-events (or your custom queue name) |
AUDIT_BLOB_ACCOUNT_NAME | Your Azure Storage account name |
AUDIT_BLOB_CONTAINER | audit-logs (or your custom container name) |
AuditEvent Schema
All three tiers write events in the same format. Each line in a JSONL file is one event with no trailing comma.
Core fields (always present)
| Field | Type | Description |
|---|---|---|
correlationId | string | Unique ID for the render request |
action | string | Lifecycle step (see table below) |
status | string | 'Success', 'Failure', or 'Warning' |
timestamp | string | ISO 8601 timestamp |
Additional fields
| Field | Type | Description |
|---|---|---|
tenantId | string | null | SharePoint tenant identifier |
userId | string | null | Entra ID of the user who triggered the render |
templatePath | string | null | Relative path of the template used |
payloadPath | string | null | Relative path of the payload document |
outputPath | string | null | Destination path of the generated PDF |
blobUrl | string | null | Azure Blob URL of the output (when routed to blob) |
blobSasUrl | string | null | Time-limited SAS URL (browser-accessible) |
fileSizeBytes | number | null | Size of the generated PDF in bytes |
durationMs | number | null | Render duration in milliseconds |
errorMessage | string | null | Error detail on status: 'Failure' |
templateVersion | string | null | Content hash or version label of the template |
extra | object | null | Arbitrary extension fields from the render payload |
Action values
| Value | Description |
|---|---|
'PayloadReceived' | Render request accepted and validated |
'PDFGenerated' | PDF created successfully |
'PDFGenerationFailed' | PDF generation failed |
'UploadStarted' | Upload to storage provider initiated |
'UploadCompleted' | Upload finished successfully |
'UploadFailed' | Upload failed |
'AuditWriteStarted' | Audit record write initiated |
'AuditWriteCompleted' | Audit record written and confirmed |
'AuditWriteFailed' | Audit record write failed |
'ActivityPosted' | VaultPDF_Activity item created or updated |
Example event
{
"correlationId": "BC-INV-2026-03-31",
"action": "UploadCompleted",
"status": "Success",
"timestamp": "2026-03-31T14:22:03.451Z",
"userId": "[email protected]",
"templatePath": "/Templates/Invoice.vpdf",
"payloadPath": "/Payloads/BC-INV-2026-03-31.json",
"outputPath": "Invoice/2026/03/BC-INV-2026-03-31_Invoice_2026-03-31.pdf",
"blobSasUrl": "https://vaultpdfstorage.blob.core.windows.net/generated-documents/Invoice/2026/03/...",
"fileSizeBytes": 84210,
"durationMs": 1203,
"errorMessage": null
}File Naming & Rotation
Audit files are scoped to calendar month and split into numbered parts when size thresholds are exceeded.
Naming pattern
audit-{YYYY}-{MM}-part{N}.jsonlExamples:
audit-2026-03-part1.jsonl
audit-2026-03-part2.jsonl
audit-2026-04-part1.jsonlRotation thresholds
A new part file is created when either threshold is exceeded:
| Threshold | Default | Override |
|---|---|---|
| File size | 50 MB | Set AUDIT_MAX_PART_SIZE_BYTES on the Audit Worker (enterprise) |
| Record count | Unlimited | Not configurable |
At each month boundary, part numbering resets to 1 regardless of the current file size.
Related Pages
- Storage Providers -- configure SharePoint and Azure Blob output routing
- System Architecture -- how VaultPDF fits into your tenant
Storage Providers
How to configure VaultPDF's storage system. Covers SharePoint setup, Azure Blob Storage setup, output routing via storage-config.json, required environment variables, and the response headers returned on each render.
Payload Structure
Complete reference for the top-level VaultPDF JSON payload. Covers templateId, metadata, theme, header, footer, layoutSchema, templateSettings, hierarchyRules, and all other recognized top-level keys.