Logging and Auditing
Overview of the logging and auditing mechanisms in Nomad Media — CloudTrail, CloudWatch, DynamoDB, and S3.
Nomad Media uses a variety of auditing and tracking mechanisms for monitoring usage and history:
- CloudTrail — AWS-level API command auditing
- CloudWatch — Lambda and API request logging
- DynamoDB — Transactional history records
- S3 — Asset versioning for change management
CloudTrail
CloudTrail is enabled by default and logs all AWS commands and infrastructure updates. It provides a complete audit trail of AWS API calls across the Nomad Media environment.
CloudWatch
CloudWatch is the primary auditing and tracking mechanism for Nomad Media runtime behavior. Each AWS Lambda has its own CloudWatch log group.
Primary logs are in the same AWS Region as the Nomad Media deployment. Some additional CloudWatch logs exist in us-east-1 as required by core deployment processes.
The most important log groups follow the naming patterns:
- /aws/lambda/nomad-{name}-prc-{type}
- /aws/lambda/nomad-{name}-web-api-{type}-mainEntryPoint
Key Log Groups
| Log Group | Usage |
|---|---|
| web-api-portal-mainEntryPoint | All Portal API requests — logins, attempted logins, and all database/resource updates made through the Portal API. |
| web-api-admin-mainEntryPoint | All Admin API requests — logins, attempted logins, and all database/resource updates made through the Admin API. |
| prc-ProcessImageFunction | Processor logs for all image analysis, including external AI API calls and image processing workflows. |
| prc-LargeActionFunction and prc-ActionFunction | The two primary back-end worker logs. They contain all asset, content record, and third-party integration processing. This is the primary location for most operational logging data. |
| prcAssetRegisterFunction | S3 event handler logs — new assets added, assets deleted, and S3 state changes (e.g., Glacier archiving). |
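
A coverage check built on the naming patterns and key log groups above, as an added example that is not Nomad Media's own code. It assumes input shaped like CloudWatch Logs `describe_log_groups` entries, a constructed deployment name `acme`, and a 90-day minimum retention chosen for illustration; prcAssetRegisterFunction is left out because the page writes it without the hyphen the pattern uses.

```python
import re

# Naming patterns from the page: {name} is the deployment, {type} the function.
PATTERNS = {
    "prc": re.compile(r"^/aws/lambda/nomad-(?P<name>.+?)-prc-(?P<type>.+)$"),
    "web-api": re.compile(
        r"^/aws/lambda/nomad-(?P<name>.+?)-web-api-(?P<type>.+)-mainEntryPoint$"),
}

# Key log groups from the table, as (family, type) pairs.
EXPECTED = {
    ("web-api", "portal"), ("web-api", "admin"),
    ("prc", "ProcessImageFunction"),
    ("prc", "LargeActionFunction"), ("prc", "ActionFunction"),
}

def classify(log_group_name):
    """Return (family, deployment, type), or None if neither pattern matches."""
    for family, rx in PATTERNS.items():
        m = rx.match(log_group_name)
        if m:
            return family, m["name"], m["type"]
    return None

def audit_coverage(log_groups, deployment, min_retention_days=90):
    """Report key log groups that are missing or expire too early.

    min_retention_days is an assumed policy value, not one from the page.
    """
    found = {}
    for group in log_groups:
        parsed = classify(group["logGroupName"])
        if parsed and parsed[1] == deployment:
            # describe_log_groups omits retentionInDays when logs never expire.
            found[(parsed[0], parsed[2])] = group.get("retentionInDays")
    missing = sorted(EXPECTED - set(found))
    short = sorted(key for key, days in found.items()
                   if key in EXPECTED and days is not None
                   and days < min_retention_days)
    return missing, short

# Constructed sample input, not real account data.
SAMPLE = [
    {"logGroupName": "/aws/lambda/nomad-acme-web-api-portal-mainEntryPoint", "retentionInDays": 400},
    {"logGroupName": "/aws/lambda/nomad-acme-web-api-admin-mainEntryPoint", "retentionInDays": 30},
    {"logGroupName": "/aws/lambda/nomad-acme-prc-ActionFunction"},
    {"logGroupName": "/aws/lambda/nomad-acme-prc-LargeActionFunction", "retentionInDays": 400},
    {"logGroupName": "/aws/lambda/other-service"},
]

if __name__ == "__main__":
    print(audit_coverage(SAMPLE, "acme"))
```
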
DynamoDB
Transactional data and the Asset Registry are stored in DynamoDB. The most important table for auditing purposes:
| Table | Description |
|---|---|
| history | One record per asset or content record update (Add, Change, Delete). contentId references the record updated; lastModifiedUserId is the user who made the change; createdDate is when the change occurred. This data is also visible in the Admin UI under the History tab for each asset or content item. |
All DynamoDB tables also include lastModifiedUser and lastModified date/time fields on every record.
S3
S3 versioning is enabled by default across Nomad Media's asset storage. This allows retrieval of historical versions of assets for change management and recovery purposes.
