System Design

The Audit Log for Access

Recording who did what so access decisions can be reviewed and trusted.

5 min read · advanced

What an audit log records

An audit log is an append only record of security relevant events: who took which action on what resource, when, and whether it was allowed. It is the evidence trail for investigations, compliance, and detecting abuse.

It differs from ordinary application logs because it must be trustworthy and tamper evident, not just informative.

Fields that matter

  • The actor, meaning the user or service that acted.
  • The action and the resource it targeted.
  • The outcome, permit or deny, and a timestamp.
  • The tenant and request context for correlation.

Properties to enforce

  • Append only. Events are never edited or deleted in place.
  • Tamper evident. Chaining or signing entries reveals any alteration.
  • Complete. Both allowed and denied attempts are recorded, since denials reveal probing.
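As an added illustration of the append only and tamper evident properties (example code, not part of the lesson): a hash-chained audit log whose entries carry the fields listed above, where each entry stores the hash of the one before it so that any in-place edit or interior deletion breaks the chain. The class and field names, the GENESIS link value and the sample timestamps are constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional

GENESIS = "0" * 64  # constructed: the link stored in the very first entry

@dataclass(frozen=True)
class AuditEntry:
    actor: str        # user or service that acted
    action: str
    resource: str
    outcome: str      # "permit" or "deny"; both are recorded
    timestamp: str    # ISO 8601, supplied by the caller
    tenant: str
    request_id: str
    prev_hash: str    # hash of the previous entry, or GENESIS for the first
    entry_hash: str = ""

def _digest(entry: AuditEntry) -> str:
    body = asdict(entry)
    body.pop("entry_hash")  # the hash covers every field except itself
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class AuditLog:
    """Append-only list; each new entry links to the previous entry's hash."""
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor, action, resource, outcome, timestamp, tenant, request_id):
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        draft = AuditEntry(actor, action, resource, outcome, timestamp, tenant, request_id, prev)
        sealed = replace(draft, entry_hash=_digest(draft))
        self.entries.append(sealed)
        return sealed

def verify(entries: List[AuditEntry]) -> Optional[int]:
    """Index of the first entry whose link or hash is wrong, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.prev_hash != prev or _digest(e) != e.entry_hash:
            return i
        prev = e.entry_hash
    return None

def with_edit(entries: List[AuditEntry], index: int, **changes) -> List[AuditEntry]:
    out = list(entries)  # constructed tamper scenario: rewrite one entry in a copy
    out[index] = replace(out[index], **changes)
    return out
```

Chaining alone does not reveal silent truncation of the tail, so in practice the latest hash is signed or anchored outside the store, which is part of why the log lives apart from the systems operators can modify.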

Operating it

Because the volume is high, audit logs are usually streamed to a separate durable store with retention rules, kept apart from systems the same operators can modify, so the log can be trusted during an incident.

Key idea

An access audit log is an append only, tamper evident record of actor, action, resource and outcome, so access decisions can be reviewed and trusted later.

Check yourself

1. How does an audit log differ from an ordinary application log?

2. Why record denied access attempts and not only allowed ones?

3. Why keep audit logs in a store separate from the operators who can modify systems?