DEV Community: Kenzura Technologies The latest articles on DEV Community by Kenzura Technologies (@kenzura). https://dev.to/kenzura https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3890983%2F1c8c3d84-2735-46d3-a70e-23c30cdf0ac8.png DEV Community: Kenzura Technologies https://dev.to/kenzura en Why Application-Layer Audit Trails Fail (and How PostgreSQL Triggers Fix It) Kenzura Technologies Tue, 21 Apr 2026 16:22:31 +0000 https://dev.to/kenzura/why-application-layer-audit-trails-fail-and-how-postgresql-triggers-fix-it-3h4h https://dev.to/kenzura/why-application-layer-audit-trails-fail-and-how-postgresql-triggers-fix-it-3h4h <p>Most fintech teams build their audit trails in the application layer.</p> <p>An ORM plugin here. A middleware hook there. A background job that "eventually" writes to an audit table. Then — six months into production — an auditor asks a question that breaks everything.</p> <p><em>"Can you prove this record was never modified between 2:14am and 6:30am on March 12th?"</em></p> <p>And suddenly the team is debugging race conditions in their message queue at 11pm on a Friday.</p> <p>In this post, I'll show you an alternative that moves the audit responsibility down to where it belongs: the database engine itself.</p> <h2> The Problem with Application-Layer Audit </h2> <p>Application-layer audit trails look like this in typical Node.js/Java/Python stacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">updateLoanStatus</span><span class="p">(</span><span class="nx">loanId</span><span class="p">,</span> <span class="nx">newStatus</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">oldLoan</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">loans</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">loanId</span><span class="p">);</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">loans</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">loanId</span><span class="p">,</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">newStatus</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">auditLog</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">loans</span><span class="dl">'</span><span class="p">,</span> <span class="na">recordId</span><span class="p">:</span> <span class="nx">loanId</span><span class="p">,</span> <span class="na">oldValues</span><span class="p">:</span> <span class="nx">oldLoan</span><span class="p">,</span> <span class="na">newValues</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">oldLoan</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="nx">newStatus</span> <span class="p">},</span> <span class="na">changedBy</span><span class="p">:</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">changedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">()</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This pattern has four failure modes that regulatory audits will find:</p> <ol> <li><p><strong>A developer bypasses the service layer.</strong> They write a direct <code>UPDATE loans SET status = 'APPROVED' WHERE id = 123</code> via pgAdmin or a migration script. The audit table has no record of it.</p></li> <li><p><strong>The audit write fails silently.</strong> The main update succeeds, the audit write times out, and nobody notices until an auditor pulls a sample.</p></li> <li><p><strong>Transaction boundaries get sloppy.</strong> The audit write happens outside the transaction, so a rollback leaves orphaned or missing audit records.</p></li> <li><p><strong>Eventually-consistent audit queues introduce race conditions.</strong> Audit entries arrive out of order, making it impossible to reconstruct the state at a specific point in time.</p></li> </ol> <p>None of these are theoretical. Every one of them has shown up in real banking audits.</p> <h2> The Fix: Database Triggers </h2> <p>PostgreSQL triggers fire at the database engine level. If a row changes — regardless of <em>how</em> it changed — the trigger fires. There is no way to bypass it short of dropping the trigger itself.</p> <p>Here's a generic audit trigger function that works on any table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">SCHEMA</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">audit</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">audit</span><span class="p">.</span><span class="n">change_log</span> <span class="p">(</span> <span class="n">log_id</span> <span class="n">BIGSERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="k">table_name</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">100</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">record_id</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="k">operation</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">CHECK</span> <span class="p">(</span><span class="k">operation</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'I'</span><span class="p">,</span><span class="s1">'U'</span><span class="p">,</span><span class="s1">'D'</span><span class="p">)),</span> <span class="n">old_values</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">new_values</span> <span class="n">JSONB</span><span class="p">,</span> <span class="n">changed_by</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="k">current_user</span><span class="p">,</span> <span class="n">changed_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> <span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">audit</span><span class="p">.</span><span class="n">fn_audit_trigger</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span> <span class="k">SECURITY</span> <span class="k">DEFINER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">DECLARE</span> <span class="n">v_old</span> <span class="n">JSONB</span><span class="p">;</span> <span class="n">v_new</span> <span class="n">JSONB</span><span class="p">;</span> <span class="n">v_op</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'INSERT'</span> <span class="k">THEN</span> <span class="n">v_op</span> <span class="p">:</span><span class="o">=</span> <span class="s1">'I'</span><span class="p">;</span> <span class="n">v_new</span> <span class="p">:</span><span class="o">=</span> <span class="n">to_jsonb</span><span class="p">(</span><span class="k">NEW</span><span class="p">);</span> <span class="n">ELSIF</span> <span class="n">TG_OP</span> <span class="o">=</span> <span class="s1">'UPDATE'</span> <span class="k">THEN</span> <span class="n">v_op</span> <span class="p">:</span><span class="o">=</span> <span class="s1">'U'</span><span class="p">;</span> <span class="n">v_old</span> <span class="p">:</span><span class="o">=</span> <span class="n">to_jsonb</span><span class="p">(</span><span class="k">OLD</span><span class="p">);</span> <span class="n">v_new</span> <span class="p">:</span><span class="o">=</span> <span class="n">to_jsonb</span><span class="p">(</span><span class="k">NEW</span><span class="p">);</span> <span class="k">ELSE</span> <span class="n">v_op</span> <span class="p">:</span><span class="o">=</span> <span class="s1">'D'</span><span class="p">;</span> <span class="n">v_old</span> <span class="p">:</span><span class="o">=</span> <span class="n">to_jsonb</span><span class="p">(</span><span class="k">OLD</span><span class="p">);</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">INSERT</span> <span class="k">INTO</span> <span class="n">audit</span><span class="p">.</span><span class="n">change_log</span><span class="p">(</span><span class="k">table_name</span><span class="p">,</span> <span class="n">record_id</span><span class="p">,</span> <span class="k">operation</span><span class="p">,</span> <span class="n">old_values</span><span class="p">,</span> <span class="n">new_values</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="n">TG_TABLE_SCHEMA</span> <span class="o">||</span> <span class="s1">'.'</span> <span class="o">||</span> <span class="n">TG_TABLE_NAME</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">v_new</span><span class="o">-&gt;&gt;</span><span class="s1">'id'</span><span class="p">,</span> <span class="n">v_old</span><span class="o">-&gt;&gt;</span><span class="s1">'id'</span><span class="p">,</span> <span class="s1">'unknown'</span><span class="p">),</span> <span class="n">v_op</span><span class="p">,</span> <span class="n">v_old</span><span class="p">,</span> <span class="n">v_new</span><span class="p">);</span> <span class="k">RETURN</span> <span class="n">COALESCE</span><span class="p">(</span><span class="k">NEW</span><span class="p">,</span> <span class="k">OLD</span><span class="p">);</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span><span class="p">;</span> </code></pre> </div> <p>Attach it to any table you want audited:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TRIGGER</span> <span class="n">trg_loan_audit</span> <span class="k">AFTER</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">UPDATE</span> <span class="k">OR</span> <span class="k">DELETE</span> <span class="k">ON</span> <span class="n">loan_account</span> <span class="k">FOR</span> <span class="k">EACH</span> <span class="k">ROW</span> <span class="k">EXECUTE</span> <span class="k">FUNCTION</span> <span class="n">audit</span><span class="p">.</span><span class="n">fn_audit_trigger</span><span class="p">();</span> </code></pre> </div> <p>Now — every insert, update, and delete on <code>loan_account</code> captures a full before/after JSONB snapshot with the timestamp, operation type, and the database user who made the change.</p> <h2> Querying the Audit Log </h2> <p>Once data starts flowing, you can answer regulatory questions in a single SQL query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- All changes to a specific loan in the last 30 days</span> <span class="k">SELECT</span> <span class="k">operation</span><span class="p">,</span> <span class="n">changed_by</span><span class="p">,</span> <span class="n">changed_at</span><span class="p">,</span> <span class="n">old_values</span><span class="o">-&gt;&gt;</span><span class="s1">'status'</span> <span class="k">AS</span> <span class="n">old_status</span><span class="p">,</span> <span class="n">new_values</span><span class="o">-&gt;&gt;</span><span class="s1">'status'</span> <span class="k">AS</span> <span class="n">new_status</span> <span class="k">FROM</span> <span class="n">audit</span><span class="p">.</span><span class="n">change_log</span> <span class="k">WHERE</span> <span class="k">table_name</span> <span class="o">=</span> <span class="s1">'public.loan_account'</span> <span class="k">AND</span> <span class="n">record_id</span> <span class="o">=</span> <span class="s1">'loan-uuid-here'</span> <span class="k">AND</span> <span class="n">changed_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">changed_at</span><span class="p">;</span> <span class="c1">-- Compliance report: who changed what and when</span> <span class="k">SELECT</span> <span class="n">changed_by</span><span class="p">,</span> <span class="k">table_name</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">change_count</span><span class="p">,</span> <span class="k">MIN</span><span class="p">(</span><span class="n">changed_at</span><span class="p">)</span> <span class="k">AS</span> <span class="n">first_change</span><span class="p">,</span> <span class="k">MAX</span><span class="p">(</span><span class="n">changed_at</span><span class="p">)</span> <span class="k">AS</span> <span class="n">last_change</span> <span class="k">FROM</span> <span class="n">audit</span><span class="p">.</span><span class="n">change_log</span> <span class="k">WHERE</span> <span class="n">changed_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'7 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">changed_by</span><span class="p">,</span> <span class="k">table_name</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">last_change</span> <span class="k">DESC</span><span class="p">;</span> </code></pre> </div> <h2> Why JSONB Matters </h2> <p>Storing old and new values as JSONB gives you three advantages:</p> <ol> <li> <strong>Schema evolution is automatic.</strong> Add a column to <code>loan_account</code> tomorrow, and the trigger captures it without any code changes.</li> <li> <strong>Full snapshots.</strong> You know exactly what the row looked like at every point in time, not just which columns changed.</li> <li> <strong>Queryable diffs.</strong> Use <code>old_values-&gt;&gt;'field_name'</code> and <code>new_values-&gt;&gt;'field_name'</code> to extract specific changes without parsing.</li> </ol> <h2> Performance Notes </h2> <p>Three things to watch:</p> <ol> <li> <strong>Audit table growth.</strong> A high-traffic <code>transaction</code> table can generate millions of audit rows per day. Consider monthly partitioning on <code>changed_at</code>.</li> <li> <strong>JSONB storage cost.</strong> Full row snapshots double your storage. For huge tables, consider storing only changed columns (a more complex trigger but saves space).</li> <li> <strong>Trigger overhead.</strong> ~5-15% write performance overhead. Worth it for compliance-critical tables, not worth it for high-frequency logging tables.</li> </ol> <h2> When NOT to Use This </h2> <p>Database triggers are wrong for:</p> <ul> <li>Business logic that should be visible in code reviews</li> <li>Notifications or integrations (use CDC/Debezium)</li> <li>Validation (constraints and checks belong in the schema)</li> </ul> <p>They're right for <strong>one job</strong>: capturing mutations reliably, where "reliably" means "the database guarantees it."</p> <h2> The Bigger Picture </h2> <p>This pattern is one piece of a larger architecture for regulated systems. In banking specifically, audit triggers combine with Row-Level Security (for multi-country data isolation) and BIAN-aligned schemas (for standardised naming) to produce a database that can pass MAS, BNM, or NBC technology audits without six months of remediation work.</p> <p>I build reference schemas for banking engineers at <a href="https://kenzura.com" rel="noopener noreferrer">Kenzura Technologies</a> — the Loan Origination System schema includes these audit triggers, RLS policies, and a full BIAN service domain mapping.</p> <p><em>What audit patterns have worked or failed for your team? I'd especially love to hear from anyone dealing with MAS TRM or BNM RMiT requirements.</em></p> postgres database fintech webdev