Hospital Database Anomaly Detection with Event Logs and Entity Graphs
Abstract
Modern hospitals produce a continuous stream of database events: clinicians authenticate to the electronic health record (EHR), open patient charts, place orders, modify medication lists, and interact with networked devices that themselves emit telemetry. Each event is recorded in some operational log, but the logs are scattered across systems, schemas, and access-control regimes, and the security and quality teams that have to interpret them rarely see a unified view. This article presents an end-to-end framework for anomaly detection over hospital event logs and the entity graphs derived from them. The framework treats logs as a first-class analytical asset rather than a forensic afterthought: it specifies an event-log fact table and a small set of dimension tables that make access-pattern questions tractable, ingests heterogeneous sources (relational EHR audit logs, order-entry streams, device telemetry, identity directories, patient registries) through versioned adapters, and combines an event-sequence model with a user-patient bipartite graph model in an unsupervised fusion layer. The fused scores are surfaced to auditors through a ticket-driven UI whose outcome log feeds back into model retraining. On a one-year retrospective benchmark from three medium-sized hospitals containing 184 million events, the framework achieves an AUC of 0.904, improves precision at the top-100 audit queue from 0.13 (a strong rule-based baseline) to 0.58, and reduces the false-positive cost per detected incident by 64%. The framework is released with the schema, the data pipeline, an ethics-aware release protocol, and a reproducible query interface.
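The abstract describes three components that the paper combines: a user-patient bipartite graph derived from the event-log fact table, an event-sequence model over the same rows, and an unsupervised fusion layer that ranks users for the audit queue. The following is an added, self-contained illustration of that architecture in miniature; it is not code from the paper or its released pipeline, and the scoring rules, the hypothetical fact-table layout (user, patient, action, timestamp) with a user-to-department dimension, and every identifier in it are constructed assumptions. The graph score measures how far a user's patient set lies outside the patients touched by same-department peers; the sequence score measures chart opens with no clinical follow-up action within a window; the fusion is a weighted average that feeds a top-k audit queue.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user dimension table: user_id -> department. All ids are made up.
USER_DEPT = {"u1": "cardio", "u2": "cardio", "u3": "cardio",
             "u4": "oncology", "u5": "cardio"}


def t(hour, minute=0):
    """Helper to build timestamps for the constructed sample day."""
    return datetime(2024, 1, 15, hour, minute)


# Constructed event-log fact table: (user_id, patient_id, action, timestamp).
EVENTS = [
    ("u1", "p1", "chart_open", t(8)), ("u1", "p1", "order", t(8, 10)),
    ("u1", "p2", "chart_open", t(9)), ("u1", "p2", "note", t(9, 20)),
    ("u1", "p3", "chart_open", t(11)), ("u1", "p3", "order", t(11, 5)),
    ("u2", "p1", "chart_open", t(8, 30)), ("u2", "p1", "note", t(8, 45)),
    ("u2", "p2", "chart_open", t(10)), ("u2", "p2", "order", t(10, 15)),
    ("u3", "p2", "chart_open", t(13)), ("u3", "p2", "note", t(13, 30)),
    ("u3", "p3", "chart_open", t(14)), ("u3", "p3", "order", t(14, 10)),
    ("u4", "p4", "chart_open", t(9)), ("u4", "p4", "order", t(9, 5)),
    ("u4", "p5", "chart_open", t(10)), ("u4", "p5", "note", t(10, 10)),
    ("u4", "p6", "chart_open", t(11)), ("u4", "p6", "order", t(11, 10)),
    # u5 is a cardio user who opens oncology charts late at night with no
    # order or note afterwards: the pattern both models should surface.
    ("u5", "p4", "chart_open", t(22)), ("u5", "p5", "chart_open", t(22, 2)),
    ("u5", "p6", "chart_open", t(22, 4)), ("u5", "p1", "chart_open", t(22, 6)),
]


def bipartite_edges(events):
    """Project the fact table onto the user-patient bipartite graph: user -> patients."""
    graph = defaultdict(set)
    for user, patient, _, _ in events:
        graph[user].add(patient)
    return graph


def graph_score(events, user_dept):
    """Fraction of a user's patients that no same-department peer touched.

    A user with no peers (singleton department) gets 0.0: absence of a peer
    group is a cold-start condition, not evidence of anomalous access.
    """
    graph = bipartite_edges(events)
    scores = {}
    for user, patients in graph.items():
        peers = {u for u, d in user_dept.items()
                 if d == user_dept[user] and u != user}
        if not peers:
            scores[user] = 0.0
            continue
        peer_patients = set().union(*(graph.get(p, set()) for p in peers))
        scores[user] = len(patients - peer_patients) / len(patients)
    return scores


def sequence_score(events, follow_up=timedelta(minutes=30)):
    """Fraction of a user's chart_open events with no order/note on the same
    patient within the follow_up window (chart browsing without clinical action)."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event[0]].append(event)
    scores = {}
    for user, evs in by_user.items():
        opens = [e for e in evs if e[2] == "chart_open"]
        if not opens:
            scores[user] = 0.0
            continue
        orphans = 0
        for _, patient, _, ts in opens:
            followed = any(p == patient and a in ("order", "note")
                           and ts <= t2 <= ts + follow_up
                           for _, p, a, t2 in evs)
            orphans += 0 if followed else 1
        scores[user] = orphans / len(opens)
    return scores


def fused_scores(events, user_dept, w_graph=0.5):
    """Unsupervised fusion: weighted average of the two per-user scores in [0, 1]."""
    g = graph_score(events, user_dept)
    s = sequence_score(events)
    return {u: w_graph * g.get(u, 0.0) + (1 - w_graph) * s.get(u, 0.0)
            for u in set(g) | set(s)}


def audit_queue(events, user_dept, k=3):
    """Top-k users by fused score, ties broken by user id for a stable queue."""
    fused = fused_scores(events, user_dept)
    return sorted(fused.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    for user, score in audit_queue(EVENTS, USER_DEPT):
        print(f"{user}\t{score:.3f}")
```

On the constructed data, u5 scores 0.75 on the graph model (three of four patients are outside the cardio peer set), 1.0 on the sequence model (no follow-up action after any chart open), and 0.875 after fusion, while every other user scores 0 and u4, whose department has no peers, is deliberately not penalised for the missing peer group. In a real deployment the weights, windows and peer definition would be tuned against the auditor outcome log the abstract mentions rather than fixed by hand.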
