A trustworthy record
When something goes wrong you need to know who did what, when, and from where. Audit logs are the record that supports investigation, compliance, and accountability. To be useful they must be complete and tamper-resistant.
What to log
- Authentication events, both successes and failures.
- Authorization decisions, especially denials and privilege changes.
- Sensitive data access and configuration changes.
- Enough context to reconstruct events: actor, action, target, time, and source.
Protecting the logs
Audit logs are a target; attackers delete them to cover their tracks. Ship logs to a separate append-only store the application cannot rewrite, and consider integrity protection so tampering is detectable. Never log secrets themselves; log only a reference to them.
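As an added example (not code from the original page), a small Python audit log that enforces the context fields listed above, refuses fields that look like secrets, and hash-chains entries so an edited or deleted record is detected when the chain is verified against a head hash kept outside the application; the field names, denylist and sample events are constructed.

```python
import hashlib
import json
# Context every record must carry so the event can be reconstructed later.
REQUIRED = ("actor", "action", "target", "time", "source")
# Constructed denylist of field names that signal secret material; such fields are refused.
SECRET_MARKERS = ("password", "token", "secret", "api_key")
GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(prev, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    # Hash-chained, append-only log. Kept in memory here; in production the entries
    # and the latest hash are shipped to a store the application cannot rewrite.
    def __init__(self):
        self.entries = []  # each: {"record": dict, "prev": hex, "hash": hex}

    def append(self, record):
        if missing := [k for k in REQUIRED if k not in record]:
            raise ValueError(f"audit record missing fields: {missing}")
        if leaked := [k for k in record if any(m in k.lower() for m in SECRET_MARKERS)]:
            raise ValueError(f"refusing to log secret material: {leaked}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": dict(record), "prev": prev, "hash": _digest(prev, record)})
        return self.entries[-1]["hash"]  # the head hash; keep a copy outside the app

    def verify(self, expected_head):
        # (True, None) if intact, else (False, index of the first failing entry).
        # expected_head catches truncation of the newest entries, which the chain alone cannot.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False, i
            prev = e["hash"]
        return (True, None) if prev == expected_head else (False, len(self.entries))


def demo():
    # Constructed scenario: three events, then an edit and a deletion, each verified.
    log, t = AuditLog(), "2024-01-01T00:00:00Z"
    log.append({"actor": "alice", "action": "login", "target": "portal", "time": t, "source": "10.0.0.5"})
    log.append({"actor": "alice", "action": "role_change", "target": "bob", "time": t, "source": "10.0.0.5"})
    head = log.append({"actor": "bob", "action": "read", "target": "payroll.csv", "time": t, "source": "10.0.0.9"})
    clean = log.verify(head)
    log.entries[1]["record"]["action"] = "read"  # privilege change rewritten in place
    edited = log.verify(head)
    del log.entries[1]  # deleting the entry is caught too: entry 2 no longer chains to entry 0
    deleted = log.verify(head)
    return clean, edited, deleted
```

Verification only proves what the chain covers: if the attacker can also rewrite the stored head hash, nothing is detected, which is why the head (or a signed checkpoint) belongs in the separate store.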
Key idea
Audit logs record actor, action, target, and time for security events, are shipped to a tamper-resistant, append-only store, and never contain secrets.