eastbaycyber

Audit Log: Definition, How It Works, and Why It Matters

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

An audit log is a chronological record of security-relevant events—typically capturing who performed an action, what changed, when it happened, and where it originated. Unlike general operational logs, audit logs are designed to support accountability, investigations, and compliance and are often protected to make tampering detectable.

An audit log is your security-focused record of who did what, when, and from where—and it’s one of the fastest ways to reconstruct a timeline during an incident or prove administrative activity for compliance. Unlike “normal” application logs, audit logs are built for accountability and are ideally tamper-evident so you can trust them as evidence.

How an audit log works

Audit logs exist to answer four questions reliably: who, did what, when, and from where—plus enough context to determine whether it was authorized and expected.

1) Event generation (the “source of truth”)

Audit events are generated by systems that control identity, access, and change:

  • Identity and access management (IAM): logins, MFA events, role assignments, API token creation.
  • Operating systems: privilege escalation, process creation, policy changes, user/group changes.
  • Applications: admin actions, permission changes, sensitive data access.
  • Databases: schema changes, privileged queries, authentication attempts.
  • Network/security tools: firewall rule changes, EDR policy updates.

The best audit logs are structured (JSON/key-value) and include stable identifiers: - user / principal (human or service account) - action (e.g., CreateUser, SetPolicy, sudo) - resource (object acted upon) - result (success/failure) - source_ip, user_agent, session_id - timestamp with timezone/UTC - request_id or correlation ID

2) Collection and centralization

Audit logs are only as useful as your ability to retrieve them during an incident. Common approaches:

  • Local storage + forwarder: agents ship logs to a collector.
  • Syslog/forwarding: devices send audit events to a central log host.
  • Cloud-native export: provider audit streams sent to storage or a SIEM.

Practitioner take: avoid relying on “logs on the box.” An attacker who gains admin access can often delete or alter local logs. Centralization reduces that risk and improves searchability.

3) Integrity controls (tamper-evident design)

Audit logs frequently support or integrate with controls such as:

  • Append-only semantics: events are written, not edited.
  • Access control: limit who can read and who can manage retention/deletion.
  • Immutability / WORM: write-once-read-many retention to prevent modification.
  • Hashing/signing: per-entry hashes or signed batches to detect changes.
  • Separation of duties: admins who manage systems shouldn’t be able to erase the evidence trail.

A practical standard is to store audit logs in a system with: - strict IAM, - immutable retention policies, - and independent administrative control from the environments being logged.

4) Retention, search, and alerting

Audit logs serve both forensics and near-real-time detection:

  • Retention: set based on risk and requirements (often months to years). Ensure you can cover your realistic detection window (e.g., “we may not notice for 30–90 days”).
  • Search: index key fields (user, action, IP, resource, result).
  • Alerting: high-risk audit events should generate alerts (e.g., disabling MFA, adding admin roles, changing logging settings).

Technical Notes: What “good” audit log entries look like

Below is an example of a structured audit event format you might expect from modern systems:

{
  "timestamp": "2026-05-16T10:14:22Z",
  "event_type": "iam.audit",
  "actor": { "id": "alice@example.com", "type": "user" },
  "action": "AddRoleBinding",
  "resource": "project/acme-prod",
  "target": "role=Admin to user=bob@example.com",
  "result": "SUCCESS",
  "source_ip": "203.0.113.10",
  "user_agent": "Mozilla/5.0",
  "request_id": "b2b4c2e0-3b2d-4b91-8f9c-2a1f8c1d8a0f"
}

Minimum fields to insist on for auditability: - stable actor identity - precise action name - resource identifier - timestamp (UTC) - source context (IP/session/user-agent) - result (success/failure)

When you’ll encounter audit logs

You’ll run into audit logs whenever you need to prove activity, reconstruct a timeline, or meet governance requirements.

1) Incident response and threat hunting

Audit logs are pivotal for answering questions like: - Which account first performed privileged actions? - Were new keys/tokens created? - Did someone modify access policies or disable security controls? - What data was accessed and by whom?

Common “high-signal” audit events to prioritize: - privilege/role assignment changes - creation of new users, service accounts, or API tokens - changes to MFA settings - changes to logging/auditing configuration - deletion of resources (especially backups, snapshots, audit stores) - policy/firewall rule changes

If you’re mapping impact, it also helps to define the potential blast radius of a credential (what it can access, change, and destroy). See: what is the blast radius of a credential.

Technical Notes: Quick triage patterns (generic)

These are generic search patterns you can adapt to your SIEM/log platform:

(action IN ["CreateUser","AddUser","CreateAccessKey","CreateToken","AddRole","AttachPolicy"]
 OR message CONTAINS "added to Administrators"
 OR message CONTAINS "sudo:"
 OR event_type CONTAINS "policy_change")
AND result = "SUCCESS"

If you suspect log tampering, search for: - gaps in timestamps, - sudden drop in volume from a source, - “audit disabled”/“logging stopped” events, - retention policy changes.

2) Compliance and audits (the governance kind)

Many frameworks expect you to demonstrate: - administrative actions are logged, - logs are protected from alteration, - retention meets policy, - and access to logs is restricted and reviewed.

Even when a standard doesn’t explicitly say “audit log,” it typically requires: - traceability, - accountability, - and evidence of control effectiveness.

If you’re aligning your logging program to a formal control framework, ISO’s requirements commonly drive audit-log scope, access control, and retention. Related: what is iso 27001.

3) Change management and accountability

Audit logs help distinguish: - approved changes vs. unauthorized changes, - human actions vs. automation, - and mistakes vs. malicious behavior.

They’re also crucial for answering business questions: - Who changed a firewall rule before an outage? - When was a sensitive configuration modified? - Which automation pipeline deployed the change?

4) Cloud and SaaS administration

In cloud/SaaS environments, audit logs are often the primary evidence source because you don’t control the underlying infrastructure. You’ll rely on them for: - admin console actions, - API calls, - permission changes, - sign-in and session events.

Practitioner tip: confirm your audit logs are actually enabled, exported, and retained. Many platforms provide audit logs by default, but export and retention may be optional—or limited unless configured.

Best practices to make audit logs useful (not just collected)

Centralize and protect admin accounts

Because audit logs often record privileged actions, the accounts that can access the logging platform (and the accounts being audited) deserve extra protection. At minimum: - require MFA, - enforce strong, unique passwords, - and restrict who can manage retention/deletion.

A password manager can help standardize strong credentials and reduce credential reuse across admin consoles. If you need one, 1Password is a common option: Try 1Password →.

Validate log integrity and access patterns

Treat audit logs like evidence: - export or forward logs out of the environment being audited, - enforce immutable retention where feasible, - review access to the logs themselves (who queried them, who changed alerts, who touched retention policies), - and test retrieval during tabletop exercises.

Related terms

Audit trail

The broader concept of an end-to-end record that links actions to outcomes (often spans multiple systems). An audit log is typically one component of an audit trail.

Event log

A general record of system/application events (errors, informational messages). Not all event logs are audit logs; audit logs focus on security-relevant accountability.

Security log

A subset of logs focused on security events. Audit logs are often security logs, but security logs can also include detections/alerts that aren’t “who changed what.”

SIEM (Security Information and Event Management)

A platform that aggregates logs (including audit logs), correlates events, and supports alerting and investigations.

Log integrity

Controls and methods (hashing, signing, immutability, access controls) used to ensure logs are trustworthy and tamper-evident.

Immutability / WORM

Storage properties that prevent modification or deletion for a defined retention period—valuable for audit logs treated as evidence.

Chain of custody

Procedures ensuring evidence (including logs) is collected and preserved in a way that maintains credibility for investigations or legal review.

Non-repudiation

A property that helps prevent an actor from plausibly denying an action—strong audit logs (with identity assurance and integrity controls) support this.

Telemetry

Broad data collection about system behavior (metrics, traces, logs). Audit logs are a specific telemetry type focused on accountability.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.