2020-03-10 22:34:17+00:00

For security compliance, enterprise platforms must record every data modification. While standard application logs are helpful, they are volatile and hard to query. An Audit Journal writes structured, append-only records directly to a database, ensuring that updates can be audited later.

Using Cloud Datastore, we can model transaction logs that document user actions, previous values, and new changes systematically.


1. Structuring the Journal Model

A journal record must be append-only. We define a Datastore model containing transaction metadata and serialized changes:

# Audit Journal Model in Python NDB
from google.cloud import ndb

class AuditJournal(ndb.Model):
    user_uid = ndb.IntegerProperty(required=True)
    action = ndb.StringProperty(required=True)
    timestamp = ndb.DateTimeProperty(auto_now_add=True)
    entity_kind = ndb.StringProperty(required=True)
    entity_key = ndb.StringProperty(required=True)
    # Store changes as JSON text
    raw_changes = ndb.TextProperty(indexed=False)

2. Guaranteeing Immutability

We restrict write permissions at the application level: the system code exposes only INSERT operations for the journal kind and offers no update or delete path, so recorded history cannot be altered through the application.
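
The insert-only pattern described above, as an added example that is not code from the original page: it builds the raw_changes JSON from previous and new values and exposes append() as the only write method. The names JournalRecord, JournalWriter and diff_changes are hypothetical, and an in-memory list stands in for the Datastore kind so the block runs offline.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)  # frozen: attributes cannot be reassigned after creation
class JournalRecord:
    user_uid: int
    action: str
    entity_kind: str
    entity_key: str
    raw_changes: str  # JSON text, mirroring the model's raw_changes property
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def diff_changes(before, after):
    """Return {field: {"old": ..., "new": ...}} for every field that differs.
    A field missing on one side is reported as None on that side."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old != new:
            changes[name] = {"old": old, "new": new}
    return changes

class JournalWriter:
    """Insert-only facade: append() is the only public write method."""

    def __init__(self):
        self._rows = []  # assumption: in-memory stand-in for the Datastore kind

    def append(self, user_uid, action, entity_kind, entity_key, before, after):
        changes = diff_changes(before, after)
        if not changes:
            raise ValueError("refusing to journal a no-op change")
        record = JournalRecord(user_uid, action, entity_kind, entity_key,
                               json.dumps(changes, sort_keys=True))
        self._rows.append(record)
        return record

    def history(self, entity_kind, entity_key):
        # Return a tuple so callers cannot mutate the stored list.
        return tuple(r for r in self._rows
                     if (r.entity_kind, r.entity_key) == (entity_kind, entity_key))

# Constructed sample data, not taken from the original page.
journal = JournalWriter()
rec = journal.append(1001, "update", "Account", "acct-42",
                     before={"email": "old@example.com", "plan": "free"},
                     after={"email": "new@example.com", "plan": "free"})
```

Because the restriction lives in application code, it binds only callers that go through this class; any credential with direct write access to the underlying Datastore kind is outside it.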