Security Audit Logging
Systematic recording of security-relevant events to detect, investigate, and respond to security incidents.
Description
Security audit logging is the practice of systematically recording security-relevant events within an application and its infrastructure to create a tamper-evident trail of actions. Unlike application logging for debugging, security audit logs specifically capture who did what, when, from where, and whether it succeeded or failed. These logs are essential for detecting active attacks, investigating incidents after the fact, meeting compliance requirements, and establishing what normal behavior looks like so that anomalous behavior stands out.
Critical events to log include: authentication attempts (successful and failed), authorization failures, privilege escalation, administrative actions, data access and modifications (especially to sensitive records), API key creation and usage, configuration changes, input validation failures (potential attack probes), and session lifecycle events. Each log entry should contain a timestamp (in UTC, from a synchronized clock, so events from different systems can be correlated), actor identity, source IP, action performed, target resource, outcome (success/failure), and relevant context, without including sensitive data such as passwords, tokens, or session identifiers.
Audit logs must be stored securely and separately from application logs, so that a compromised application (or an attacker holding its credentials) cannot alter or delete them: the application's identity should be allowed to append to the audit store but not to modify or purge it. Ship them to a centralized, append-only system with integrity verification, for example a SIEM, an object store with write-once retention such as S3 Object Lock, or, for cloud control-plane activity, AWS CloudTrail with log file validation enabled. Retention policies should meet both operational needs and compliance requirements (PCI DSS requires at least 12 months of audit history with the most recent three months immediately available; HIPAA's documentation retention rule is six years). Automated alerting on suspicious patterns (multiple failed logins, unusual access times, privilege escalation) transforms passive logs into active security monitoring.
Prompt Snippet
Implement structured audit logging for all security-relevant events: authentication (login/logout/failed attempts), authorization denials, data access to PII/sensitive resources, admin actions, and API key operations. Use a structured JSON format with fields: timestamp (UTC, ISO 8601), actor_id, actor_ip, action, resource, outcome, and metadata. Ship logs to a centralized, append-only store (for example an S3 bucket with Object Lock, Datadog, or Elasticsearch with ILM-managed read-only indices) separate from application logs, and give the application append-only access to it. Configure real-time alerts in your SIEM for patterns: >5 failed logins per account per 5 minutes, access from a new geolocation, privilege escalation events. Never log passwords, tokens, session IDs, or full credit card numbers -- mask sensitive fields in a logging middleware before the record is serialized.
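The record format and the alert rule described in the Description and in the Prompt Snippet above, as an added example that is not part of the original page: a Python emitter that produces one JSON line per event with the field set named above (timestamp, actor_id, actor_ip, action, resource, outcome, metadata), masks password-like keys and card-number-like strings before serialization, and a small in-process detector that replays the lines and fires on more than five failed logins per account within five minutes. The sample events, the actor names and IPs, and the assumption that lines arrive in timestamp order are constructed for the example; in a real deployment the emitted lines go to the separate append-only store and the rule lives in the SIEM, not in the application.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Keys whose values must never reach the audit trail in clear text (substring match,
# so "new_password" and "x-api-key" are caught as well).
SENSITIVE_KEY_PARTS = ("password", "passwd", "token", "secret", "api_key", "api-key", "authorization")
# A bare run of 16-19 digits is treated as a card number and masked to its last four digits.
CARD_RE = re.compile(r"\b\d{12,15}(\d{4})\b")


def redact(value):
    """Recursively mask sensitive keys and card-number-like strings in event metadata."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if any(p in k.lower() for p in SENSITIVE_KEY_PARTS) else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return CARD_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(1), value)
    return value


def audit_event(actor_id, actor_ip, action, resource, outcome, metadata=None, ts=None):
    """Return one audit record as a JSON line with the fixed field set used on this page."""
    when = ts if ts is not None else datetime.now(timezone.utc)  # always UTC
    record = {
        "timestamp": when.isoformat(timespec="seconds"),
        "actor_id": actor_id,
        "actor_ip": actor_ip,
        "action": action,
        "resource": resource,
        "outcome": outcome,
        "metadata": redact(metadata or {}),
    }
    # In production this line is shipped to the separate append-only sink, not the app log.
    return json.dumps(record, sort_keys=True)


class FailedLoginDetector:
    """Sliding-window rule: more than `threshold` failed logins per account in `window` seconds.

    Assumes lines are fed in timestamp order (true for a single stream, not for
    late-arriving batches from several hosts)."""

    def __init__(self, threshold=5, window=300):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # actor_id -> epoch seconds of recent failures

    def observe(self, line):
        """Feed one JSON audit line; return an alert string, or None if the rule is quiet."""
        rec = json.loads(line)
        if rec["action"] != "login" or rec["outcome"] != "failure":
            return None
        t = datetime.fromisoformat(rec["timestamp"]).timestamp()
        q = self.failures[rec["actor_id"]]
        q.append(t)
        while t - q[0] > self.window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            return (f"ALERT {rec['actor_id']}: {len(q)} failed logins in {self.window}s, "
                    f"latest from {rec['actor_ip']}")
        return None


def sample_log():
    """Constructed audit lines: one stale failure, a burst of six, a success, a password change."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [audit_event("alice", "203.0.113.7", "login", "session", "failure",
                         {"reason": "bad_password"}, ts=base - timedelta(minutes=10))]
    for i in range(6):  # six failures 30 s apart: the sixth crosses the >5 threshold
        lines.append(audit_event("alice", "203.0.113.7", "login", "session", "failure",
                                 {"reason": "bad_password"}, ts=base + timedelta(seconds=30 * i)))
    lines.append(audit_event("bob", "198.51.100.2", "login", "session", "success",
                             ts=base + timedelta(minutes=3)))
    lines.append(audit_event("bob", "198.51.100.2", "password_change", "user/bob", "success",
                             {"new_password": "hunter2", "note": "paid with 4111111111111111"},
                             ts=base + timedelta(minutes=4)))
    return lines


def run_detector(lines):
    """Replay a list of audit lines through the rule and collect the alerts it raises."""
    det = FailedLoginDetector()
    return [a for a in (det.observe(line) for line in lines) if a]


if __name__ == "__main__":
    for line in sample_log():
        print(line)
    for alert in run_detector(sample_log()):
        print(alert)
```

The stale failure ten minutes before the burst is evicted by the window and does not count, so the alert fires exactly once, on the sixth failure; the password-change record shows "hunter2" and the full card number replaced before the line is serialized, which is the point of masking in the emitter rather than relying on the store to scrub them later.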
Tags
Related Terms
Intrusion Detection
Systems and techniques for detecting unauthorized access, attacks, and anomalous behavior in real time across applications and infrastructure.
OWASP Top 10
A standard awareness document listing the ten most critical web application security risks, maintained by the Open Web Application Security Project.
Principle of Least Privilege
A security principle requiring that every user, process, and system component be granted only the minimum permissions necessary to perform its function.