What is Audit Logging and Audit Trail?

Audit logging is the process of documenting activity within the software systems used across your organization. Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity. All of the devices in your network, your cloud services, and your applications emit logs that may be used for auditing purposes.

A series of audit logs is called an audit trail because it shows a sequential record of all the activity on a specific system. By reviewing audit logs and correlated audit trails, systems administrators can track user activity, and security teams can investigate breaches and ensure compliance with regulatory requirements.

What do Audit Logs and Audit Trails Document?

Audit logs capture the following types of information:

    1. Event name as identified in the system
    2. Easy-to-understand description of the event
    3. Event timestamp
    4. Actor or service that created, edited, or deleted the event (user ID or API ID)
    5. Application, device, system, or object that was impacted (IP address, device ID, etc.)
    6. Source from where the actor or service originated (country, host name, IP address, device ID, etc.)
    7. Custom tags specified by the user, such as severity level of the event
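The record shape above, as an added example that is not part of the original article: a small Python `AuditEvent` carrying the seven kinds of information listed, appended to a hash-chained `AuditTrail` so that a later edit, deletion or reordering of an earlier record can be detected. The class names, field names, chaining scheme and sample events are this example's own assumptions, not any product's format.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    """One audit record carrying the kinds of information listed above."""
    name: str          # 1. event name as identified in the system
    description: str   # 2. easy-to-understand description
    timestamp: str     # 3. when it happened (ISO 8601, UTC)
    actor: str         # 4. user ID or API key ID responsible
    target: str        # 5. application, device, or object impacted
    source: dict       # 6. where the actor came from (ip, host, country, ...)
    tags: dict = field(default_factory=dict)  # 7. custom tags such as severity


def canonical(record: dict) -> bytes:
    # Sorted keys and no whitespace so the same content always hashes the same way
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only sequence of records. Every record stores the SHA-256 of the
    previous one, so editing, deleting or reordering an earlier entry is detectable
    by anyone who re-walks the chain. Truncating the tail is NOT detectable from
    the chain alone; that needs the latest hash anchored somewhere the writer
    cannot reach (a separate system, a signed checkpoint, or a print-out)."""

    GENESIS = "0" * 64  # hash value used before the first record

    def __init__(self) -> None:
        self.records: list = []

    def append(self, event: AuditEvent) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"event": asdict(event), "prev_hash": prev}
        record = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first
        record whose stored hash or back-link does not match."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {"event": rec["event"], "prev_hash": rec["prev_hash"]}
            expected = hashlib.sha256(canonical(body)).hexdigest()
            if rec["prev_hash"] != prev or rec["hash"] != expected:
                return i
            prev = rec["hash"]
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed sample events (not real product output) covering three of the
    activity types the article describes: an admin change, a data modification
    and a login failure."""
    trail = AuditTrail()
    trail.append(AuditEvent("user.delete", "Deleted user account 'tmp-contractor'",
                            "2024-03-01T08:00:00Z", "admin@example.com",
                            "crm/user/tmp-contractor",
                            {"ip": "203.0.113.9", "country": "US"}, {"severity": "high"}))
    trail.append(AuditEvent("payroll.bank_account.update",
                            "Changed bank account on employee 4711",
                            "2024-03-01T09:12:44Z", "hr_admin", "payroll/employee/4711",
                            {"ip": "203.0.113.10", "host": "hr-laptop-03"}))
    trail.append(AuditEvent("sso.login.failed", "Login failed: invalid credentials",
                            "2024-03-01T10:30:00Z", "jdoe", "sso",
                            {"ip": "198.51.100.7", "country": "DE"}, {"severity": "low"}))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact" if t.verify() is None else "tampered at index %d" % t.verify())
```

The chain makes the trail tamper-evident, not tamper-proof: whoever can write records can still rewrite the whole chain from the altered point onward, which is why production audit trails ship records promptly to a separate, write-restricted store and periodically anchor the latest hash outside the writer's control.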

While audit logs can take the form of a physical file, the term usually refers to digital records that you can store in a log management platform.

What Types of Activity Do Audit Logs Track?

Organizations typically use audit logs to track the following types of activity:

Administrative activity: This includes events like creating or deleting a user account, such as deleting a user from your CRM tool (e.g., Salesforce).

Data access and modification: This includes events where a user views, creates, or modifies data, such as downloading a file from payroll software (e.g., Workday).

User denials or login failures: Audit logs from sources such as Okta and your VPN may capture when a user is unable to log in to a system (e.g., due to invalid credentials) or is denied access to resources like a specific URL.

System-wide changes: Audit logs from sources like AWS CloudTrail may capture larger events occurring within a network, such as a user creating a new VM instance or creating a new application.

The decision of exactly which activity to audit is left to each organization. Systems administrators, security engineers, and human resources (HR) personnel may all wish to audit different systems for different reasons.

How Does Audit Logging Work?

Most technologies in your tech stack offer a UI where you can enable audit log collection. Depending on the specific tool, you may also have more granular control over what is collected. For example, cloud vendors such as Amazon Web Services, Microsoft Azure, and Google Cloud automatically collect a wide range of audit logs, but you may still have to enable audit logging for certain services or certain types of activity to ensure you have enough data to prove compliance or investigate an incident.

Teams can send their audit logs to a central log management platform for easy storage, search, and analysis. To send your logs to a log management platform, you will need to install an agent on your hosts or use a direct integration between the logging platform and the software you are collecting audit logs from.

What are the Benefits of Audit Logging?

Whereas in the past audit logging was more common in specific industries like finance and insurance, it is now front and center for all types of companies with a digital footprint. Across industries, audit logging can be used to achieve the following important goals:

1. Ensuring compliance with industry regulations: Standards and regulations like CIS, PCI DSS, and SOC 2 affect a wide variety of industries. Audit logs can be used to show that your organization met certain benchmarks (e.g., password security for CIS) during a specific time period.

2. Troubleshooting system issues: Audit logs contain detailed historical information that can be used to reconstruct the timeline of a system outage or incident. For instance, logs can help distinguish between operator error and system error. Audit trails can also be used to remediate a problem, such as restoring a corrupted file to its original state by examining what changes were made to it.

3. Reconstructing security breaches: When breaches occur, an audit trail can help organizations find out how they happened. For example, if an employee complains that their bank account information is incorrect in the payroll system, HR staff can examine audit logs to determine who changed the account information and when.

4. Recommending new security and audit procedures: Organizations can enforce individual accountability and reduce the likelihood of security breaches or fraudulent activity by reviewing audit logs and recommending new security procedures.

5. Providing legal evidence: In legal proceedings, audit logs can provide proof of the validity of a specific event, such as an individual's e-signature on a document.

What to Look For in an Audit Logging Tool?

When searching for an audit logging solution, these are the main factors to look for:

1. Completeness: The auditing solution should collect all relevant details to maintain a complete audit trail. For example, a tool that captures user activity but not location and time is incomplete.

2. Consistency: To avoid using multiple different tools, an auditing solution should capture details consistently across devices and browsers. For example, a tool that captures correct historical details on web properties but not on mobile devices would be inconsistent.

3. Easy parsing and querying: To efficiently analyze audit logs, the logging tool must be able to parse raw log data into structured data that contains the relevant information (e.g., event name, event description, user ID, etc.). Once parsed, an audit logging tool should also make it easy to search for specific audit logs using tags.

4. Access control: Teams should have the ability to control who can view the audit logs and encrypt any sensitive data within them.

5. Alerting: The relevant teams should be notified as soon as a critical event is identified by an audit log.

6. Cost: An audit logging tool should provide a cost-effective way to store logs for long time periods as required by company policy or regulatory requirements.

To track activity within Datadog itself, you can leverage the Audit Logs Explorer, which records all calls made to Datadog's API and product-specific changes. Having this audit trail makes it easy to, for example, view all changes leading up to a breaking event or determine whether someone modified a log processing pipeline, causing a dashboard or monitor to break.
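As an added example that is not from the original article or any vendor's product, the following Python pipeline shows the completeness, parsing/querying and alerting factors from the list above in working code, and also answers the "who changed the account information and when" investigation described under the benefits of audit logging. It normalizes raw lines from two constructed sources (a key=value line of the kind an identity provider might emit and a JSON line of the kind a cloud API audit source might emit) into one structured shape, flags records missing required fields, queries changes to a given entity, and raises an alert on repeated login failures. The formats, field names, sample lines and threshold are this example's own assumptions.

```python
import json
import re
from collections import defaultdict

# Fields every normalized record should carry (mirrors the article's list of
# what an audit log documents). A record missing any of these is "incomplete".
REQUIRED = ("event", "timestamp", "actor", "target", "source_ip")

# Constructed sample input, not real product output: three key=value lines from an
# assumed identity provider format and two JSON lines from an assumed cloud API
# audit format. The last line deliberately lacks a source IP.
RAW_LINES = [
    'ts=2024-03-01T08:00:01Z event=user.login.failed actor=jdoe src=198.51.100.7 '
    'target=sso reason=bad_password',
    'ts=2024-03-01T08:00:05Z event=user.login.failed actor=jdoe src=198.51.100.7 '
    'target=sso reason=bad_password',
    'ts=2024-03-01T08:00:09Z event=user.login.failed actor=jdoe src=198.51.100.7 '
    'target=sso reason=bad_password',
    '{"eventName":"UpdateEmployee","eventTime":"2024-03-01T09:12:44Z","user":"hr_admin",'
    '"resource":"employee/4711","sourceIP":"203.0.113.9","field":"bank_account"}',
    '{"eventName":"DeleteUser","eventTime":"2024-03-01T10:30:00Z","user":"api_key_17",'
    '"resource":"user/9"}',
]

KV_RE = re.compile(r"(\w+)=(\S+)")
KV_CORE = ("event", "ts", "actor", "target", "src")
JSON_CORE = ("eventName", "eventTime", "user", "resource", "sourceIP")


def parse_line(line: str) -> dict:
    """Normalize one raw line into the common field set. Extra attributes become
    tags; a line in an unknown format is kept under a 'raw' tag rather than
    dropped, so nothing silently disappears from the trail."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        return {"event": d.get("eventName"), "timestamp": d.get("eventTime"),
                "actor": d.get("user"), "target": d.get("resource"),
                "source_ip": d.get("sourceIP"),
                "tags": {k: v for k, v in d.items() if k not in JSON_CORE}}
    kv = dict(KV_RE.findall(line))
    if "event" in kv:
        return {"event": kv.get("event"), "timestamp": kv.get("ts"),
                "actor": kv.get("actor"), "target": kv.get("target"),
                "source_ip": kv.get("src"),
                "tags": {k: v for k, v in kv.items() if k not in KV_CORE}}
    return {"event": None, "timestamp": None, "actor": None, "target": None,
            "source_ip": None, "tags": {"raw": line}}


def missing_fields(rec: dict) -> list:
    """Completeness check: which required fields are absent or empty."""
    return [f for f in REQUIRED if not rec.get(f)]


def changes_to(records, target: str) -> list:
    """Investigation query: who touched this entity, when, and with which event."""
    return [(r["actor"], r["timestamp"], r["event"]) for r in records
            if r["target"] == target]


def failed_login_alerts(records, threshold: int = 3) -> list:
    """Alerting rule: one actor from one source failing to log in `threshold` or
    more times within the batch. Thresholds and windows are policy decisions."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "user.login.failed":
            counts[(r["actor"], r["source_ip"])] += 1
    return [{"actor": a, "source_ip": ip, "failures": n}
            for (a, ip), n in counts.items() if n >= threshold]


def run(lines=RAW_LINES) -> dict:
    records = [parse_line(line) for line in lines]
    return {
        "records": records,
        "incomplete": [(i, missing_fields(r)) for i, r in enumerate(records)
                       if missing_fields(r)],
        "bank_account_changes": changes_to(records, "employee/4711"),
        "alerts": failed_login_alerts(records),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

In practice the normalization step is what makes the rest possible: once every source lands in the same field set, the completeness check, the per-entity query and the alert rule are each a few lines, and the same query that answers an HR question ("who changed employee 4711's bank account?") also serves an incident investigation.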
