An audit log is a tamper-evident record of who did what and when. It is required for compliance and essential for incident response.
What to Log
- Authentication (login, logout, failed login)
- Authorization (access granted/denied)
- Data changes (CRUD on sensitive data)
- Configuration changes
- Admin actions
- API access
Format

Each record is one JSON object (the original used typographic quotes, which are not valid JSON; corrected here):

```json
{
  "timestamp": "2025-01-15T10:30:00Z",
  "event": "user.login",
  "actor": { "id": "user-123", "ip": "1.2.3.4" },
  "action": "authentication",
  "outcome": "success",
  "resource": { "type": "session", "id": "sess-456" },
  "metadata": { "mfa": true, "method": "totp" }
}
```
Best Practices
- Immutable storage (append-only)
- Central aggregation (SIEM)
- Retention of at least 1 year
- Tamper detection (hash chain)
- Never log secrets
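Putting the record format and the hash-chain and no-secrets practices together, here is an added Python example (not code from the original page): each entry follows the schema above, secret-bearing metadata keys are dropped before the record is written, and every entry carries the SHA-256 of the previous one so a verifier can detect a modified, deleted or reordered record. The `SECRET_KEYS` list, the `prev_hash`/`hash` field names and the all-zero genesis value are assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed for this example: metadata keys that must never reach the audit log.
SECRET_KEYS = {"password", "token", "secret", "api_key", "otp"}
# Assumed starting value for the chain; a real deployment anchors this externally.
GENESIS = "0" * 64


def redact(value):
    """Recursively drop secret-bearing keys so the log never stores credentials."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items() if k.lower() not in SECRET_KEYS}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def canonical(record):
    """Stable serialisation so any verifier recomputes the same hash bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_hash, event, actor, action, outcome, resource, metadata, ts=None):
    """Build one record in the page's format, chained to the previous entry's hash."""
    record = {
        "timestamp": ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": event, "actor": actor, "action": action, "outcome": outcome,
        "resource": resource, "metadata": redact(metadata), "prev_hash": prev_hash,
    }
    # The hash covers every field including prev_hash, which is what links the chain.
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    return record


def verify_chain(entries, genesis=GENESIS):
    """Return the index of the first broken entry, or -1 if the whole chain is intact.

    Detects modification, deletion and reordering. It cannot detect truncation of
    the tail unless the latest hash is also stored somewhere the attacker cannot reach.
    """
    prev = genesis
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("prev_hash") != prev or hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1
```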
Key Takeaway
Log who, what, when, where from, and the outcome. Store it immutably, aggregate it centrally, and retain it for at least 1 year.