---
description: This article outlines how to audit Formbox usage
---

# Audit logging in forms

## Overview

Audit Logging is central part for system observability - providing the ability to track and monitor system activity for security, compliance, and operational insights. Through audit logging, administrators can review actions performed within the system, identify potential issues, and ensure that operations comply with relevant regulations.

## Audit Logging in Aidbox

Aidbox supports Audit Logging and acts as Audit Record repository. Audit Logging disabled by default and should be enabled via configuration.

* [setup audit logging](https://www.health-samurai.io/docs/aidbox/tutorials/security-access-control-tutorials/how-to-configure-audit-log)

## Audit Logging in Formbox Module

The Formbox module is a critical component for capturing information. This module also supports Audit Logging to capture and review user interactions and system events related to form construction and usage. Audit Logging in Forms module will be enabled at the same time as in Aidbox.

### Logged Events

In addition to Aidbox's default events for CRUD operations on

* `Questionnaire`
* `QuestionnaireResponse`

Formbox module records additional ones

* `populate` - Logs what form was populated with data, including the patient related to response
* `populate-link` - Records a form name that was populated and the response saved as a result
* `generate-form-token` - Tracks token creation for anonimous access to response
* `generate-form-link` - Records link creation for anonimous access to response
* `update-response` - Tracks modifications made to existing responses,
* `amend-response` - Records response amendemnt, including the user amended the form
* `submit-response` - Captures details of form submissions, including the user submitting the form
* `assemble-form` - Logs whenever a complex form is assembled, including user and timestamp

### Events Customization

There are 2 customization options accessible for the user:

* `user-token` - JWT token, for logged-in user (not anonimous)
* `app-name` - application name in which forms are embedded

#### user-token

`user-token` - JWT token from external identity provider, which will be used for authorization in Formbox and AuditLogging.

> by default `anonimous user` is used when someone use links generated by `generate-link`/`populatelink` operations.

Example

```yaml
POST /fhir/Questionnaire/[id]/$populatelink
content-type: text/yaml
accept: text/yaml

resourceType: Parameters
parameter:
- name: subject
  valueReference:
    reference: Patient/pt-1
- name: app-name
  valueString: forms-app
```

For using user-token you should setup [TokenIntrospector](https://www.health-samurai.io/docs/aidbox/access-control/authentication/token-introspector) or [IdentityProvider](https://www.health-samurai.io/docs/aidbox/tutorials/security-access-control-tutorials/set-up-external-identity-provider) for validating this token.

User from token will be used in AuditEvent as

```yaml
agent:
  - who:
      type:
        coding:
          - system: "urn:system:aidbox"
            code: "external-user-id"
            display: "External User ID"
      identifier:
        system: iss
        value: sub
```

> `iss` - identity provider identifiers (Auth 2.0 / OpenID) `sub` - user identifier in provider (Auth 2.0 / OpenID)

#### app-name

Application name in which forms are embedded - this is usefull when someone wants to embed forms in several applications and want to identify application from which user filling the form

This is can be done via adding `app-name` parameter to `populate-link` / `generate-link` operations

Example

```yaml
POST /fhir/Questionnaire/[id]/$populatelink
content-type: text/yaml
accept: text/yaml

resourceType: Parameters
parameter:
- name: subject
  valueReference:
    reference: Patient/pt-1
- name: app-name
  valueString: forms-app
```
