Audit logs, or audit trails, answer a simple question: who did what, where and when?
So, in this article, we’ll answer our own simple question: How can you use audit logs, and what use cases do audit logs best support?
When you use a technology service or product, audit logs are generated for every user action and every response from the technology system. These logs capture information that can be used to…
Though the individual actions recorded in audit logs are important in their own right, the purpose of collecting them is broader. The idea behind collecting audit logs is two-fold:
At every step, a trail of log metrics data or metadata is generated and recorded by the systems. This information is documented and can later be used for a variety of use cases: security, monitoring and performance analysis, and cyber forensics.
(Read about the related practices of log aggregation & log management.)
Audit logs comprise the following information:
(Understand the difference between logs & metrics.)
Audit logging can have four key domain applications:
In terms of security, audit logs can be used to identify anomalous behavior and network traffic patterns. InfoSec teams can integrate the audit logging mechanism into their monitoring and observability solutions to extract insights on potential security incidents.
Authentication checks and detection of unauthorized network changes can be achieved by testing each recorded change action against predefined security policies and looking at the delta. These policies define how network and IT resources are allowed to be accessed: by which entity, from which location, under which roles and attributes, and with what action frequency.
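The policy-delta check described above, as an added example that is not part of the original article or any Splunk product. The policy format, the field names (actor, role, action, location, target, ts) and the audit events are all constructed for illustration; each event is evaluated for role/action, location, and action-frequency violations, and only the events that fall outside the policy are reported.

```python
"""Check audit-log events against a predefined access policy and report the
delta: every event the policy does not allow. Policy layout, field names and
sample events are constructed assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy: which roles may perform which actions, from which
# locations, and how many actions an actor may perform per time window.
POLICY = {
    "allowed_actions": {
        "netadmin": {"firewall.rule.add", "firewall.rule.delete", "login"},
        "analyst": {"login", "report.view"},
    },
    "allowed_locations": {"us-east", "eu-west"},
    "rate_limit": {"max_events": 3, "window": timedelta(minutes=5)},
}

# Constructed audit events: who (actor, role), did what (action),
# where (location, target), when (ts).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "actor": "alice", "role": "netadmin",
     "action": "login", "location": "us-east", "target": "fw-01"},
    {"ts": "2024-03-01T09:01:00", "actor": "alice", "role": "netadmin",
     "action": "firewall.rule.add", "location": "us-east", "target": "fw-01"},
    {"ts": "2024-03-01T09:02:00", "actor": "bob", "role": "analyst",
     "action": "firewall.rule.delete", "location": "us-east", "target": "fw-01"},
    {"ts": "2024-03-01T09:03:00", "actor": "alice", "role": "netadmin",
     "action": "firewall.rule.delete", "location": "ap-south", "target": "fw-02"},
    {"ts": "2024-03-01T09:03:30", "actor": "carol", "role": "netadmin",
     "action": "firewall.rule.add", "location": "eu-west", "target": "fw-03"},
    {"ts": "2024-03-01T09:04:00", "actor": "carol", "role": "netadmin",
     "action": "firewall.rule.add", "location": "eu-west", "target": "fw-03"},
    {"ts": "2024-03-01T09:04:30", "actor": "carol", "role": "netadmin",
     "action": "firewall.rule.add", "location": "eu-west", "target": "fw-03"},
    {"ts": "2024-03-01T09:05:00", "actor": "carol", "role": "netadmin",
     "action": "firewall.rule.add", "location": "eu-west", "target": "fw-03"},
]


def check_event(event, policy, history):
    """Return the list of policy violations for one event (empty if compliant).
    `history` maps actor -> timestamps of that actor's earlier events and is
    used for the frequency check."""
    violations = []
    ts = datetime.fromisoformat(event["ts"])
    allowed = policy["allowed_actions"].get(event["role"], set())
    if event["action"] not in allowed:
        violations.append("action_not_allowed_for_role")
    if event["location"] not in policy["allowed_locations"]:
        violations.append("location_not_allowed")
    window_start = ts - policy["rate_limit"]["window"]
    recent = [t for t in history[event["actor"]] if t > window_start]
    if len(recent) + 1 > policy["rate_limit"]["max_events"]:
        violations.append("rate_limit_exceeded")
    history[event["actor"]].append(ts)
    return violations


def audit_delta(events, policy=POLICY):
    """Evaluate events in timestamp order and return
    (index, actor, action, violations) for every non-compliant event."""
    history = defaultdict(list)
    findings = []
    for i, ev in enumerate(sorted(events, key=lambda e: e["ts"])):
        problems = check_event(ev, policy, history)
        if problems:
            findings.append((i, ev["actor"], ev["action"], problems))
    return findings


if __name__ == "__main__":
    for idx, actor, action, why in audit_delta(EVENTS):
        print(f"event {idx}: {actor} {action} -> {', '.join(why)}")
```

On the sample data the check reports three events: the analyst attempting a firewall change, the netadmin acting from a non-approved region, and the fourth change by the same actor inside one five-minute window. The compliant events are never listed, which is the point of reporting only the delta.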
If your organization has to comply with external regulations, it may be required to keep specific audit logs and establish monitoring capabilities that test the systems for compliance by analyzing audit logs in real time. For instance:
(See how Splunk supports organizational compliance.)
As with standard audit procedures, audit logging is frequently used for accountability and verification of factual information. Common applications include:
In this context, audit logging is an important part of analyzing how users perform an action and the accuracy of the information recorded by the systems. For example, audit logging can quickly surface insights into the use of financial resources across all departments. Imagine a world where all this was easy and straightforward:
Cyber forensics is another key application domain of audit logging, one that requires the reconstruction of events and insight into a technology process. Often, the result can stand up as legal evidence in a court of law.
Typically, businesses aren’t conducting cyber forensics for all their activities. Instead, cyber forensics is usually required in two situations:
Audit logs are used to outline the action sequences that connect a user to an action. Investigators can analyze audit logs to gain deeper insights into various scenarios and outcomes represented by the audit logs. This requires a thorough analysis of raw logging data before it is converted into insightful knowledge.
(Explore cyber forensics & the differences from auditing.)
Considering the vast volume of network, hardware and application logs generated at scale, IT teams can be easily overwhelmed by the audit trail data. In order to gain the right insights with your audit log metrics data, you can adopt the following best practices:
Establish a data platform that can integrate and store data of all structural formats at scale. Data platform technologies such as a data lake are commonly used to capture real-time log data streams with a schema-on-read consumption model.
Third-party analytics and monitoring tools are then integrated to make sense of this information in real time, processing only the portions of the audit log data that are relevant to each tool's expected data structure.
Use statistical models to generalize system behavior instead of using predefined and fixed thresholds to capture data. Since the network behavior evolves continuously, models based on machine learning can continuously learn and adapt.
These models are helpful for accurate analysis of audit logs, where thresholds for anomalous behavior can be a moving target.
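An added example (not from the article or from Splunk) of why a moving baseline beats a fixed threshold on audit-log volume. The hourly counts are constructed: normal activity for a service account grows gradually, with one genuine burst at hour 20. The rolling mean/standard-deviation model and its parameters (window of 8 hours, k = 3) are assumptions chosen for illustration.

```python
"""Fixed threshold vs. adaptive statistical baseline on audit-log volume.
Counts, window size and k are constructed assumptions for this example."""
from statistics import mean, pstdev

# Constructed: audited actions per hour for one service account. Usage grows
# steadily (a new workload was onboarded); hour 20 is the only real anomaly.
HOURLY_COUNTS = [
    10, 12, 11, 13, 12, 14, 15, 14, 16, 17,
    18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
    90, 28, 29, 30,
]


def fixed_threshold_alerts(counts, threshold):
    """Flag every hour whose count exceeds a static threshold."""
    return [i for i, c in enumerate(counts) if c > threshold]


def adaptive_alerts(counts, window=8, k=3.0, min_std=1.0):
    """Flag hour i if its count exceeds mean + k*std of the previous `window`
    hours. The baseline is recomputed each hour, so gradual growth is absorbed
    and only sharp deviations fire."""
    alerts = []
    for i in range(window, len(counts)):
        hist = counts[i - window:i]
        mu = mean(hist)
        # Floor the deviation so a perfectly flat history cannot make every
        # tiny change look anomalous.
        sigma = max(pstdev(hist), min_std)
        if counts[i] > mu + k * sigma:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    # A threshold tuned on the first day's traffic (20 actions/hour) fires
    # for eleven straight hours once the workload grows; the adaptive
    # baseline fires once, on the real burst.
    print("fixed (>20):", fixed_threshold_alerts(HOURLY_COUNTS, 20))
    print("adaptive   :", adaptive_alerts(HOURLY_COUNTS))
```

One caveat the numbers show: after the burst at hour 20 enters the history window, the standard deviation balloons and the model is briefly less sensitive. In production a robust statistic (median and median absolute deviation) or explicit exclusion of confirmed anomalies from the baseline keeps one outlier from blinding the detector.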
Store audit logging data in secure environments with high standards of confidentiality, integrity and availability — known as the CIA triad. Modified audit logs and misconfigured networking systems can generate misleading information, and likely lead your log analysis to incorrect conclusions.
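The integrity half of the CIA triad can be made checkable rather than assumed. The following added example (not from the article or any Splunk component) chains each audit record to the previous one with an HMAC, so that a modified, deleted or reordered entry is detected at verification time. The key, record fields and sample records are constructed; in a real deployment the key would be held by a separate signing service or KMS, not stored next to the log.

```python
"""Tamper-evident audit log: every entry carries
tag = HMAC-SHA256(key, previous_tag || canonical(record)).
Key, field names and sample records are constructed for this example."""
import hashlib
import hmac
import json

# Constructed key. Keep the real one in an HSM/KMS, never beside the log.
SECRET_KEY = b"example-log-signing-key"
GENESIS_TAG = "0" * 64  # previous-tag value for the first entry


def _canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, record, key=SECRET_KEY):
    """Append `record` (who/what/where/when) to `chain` and return its tag."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    tag = hmac.new(key, prev_tag.encode() + _canonical(record),
                   hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return tag


def verify_chain(chain, key=SECRET_KEY):
    """Return (True, None) if every tag links correctly, else
    (False, index) of the first entry that fails."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev_tag.encode() + _canonical(entry["record"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_chain():
    """Three constructed audit records appended in order."""
    chain = []
    for rec in [
        {"ts": "2024-03-01T09:00:00", "actor": "alice", "action": "login",
         "where": "vpn-gw-1"},
        {"ts": "2024-03-01T09:01:00", "actor": "alice",
         "action": "firewall.rule.add", "where": "fw-01"},
        {"ts": "2024-03-01T09:02:00", "actor": "alice", "action": "logout",
         "where": "vpn-gw-1"},
    ]:
        append_record(chain, rec)
    return chain


def demo_modified_entry():
    """Edit one field after the fact; verification stops at that entry."""
    chain = build_sample_chain()
    chain[1]["record"]["action"] = "report.view"
    return verify_chain(chain)


def demo_deleted_entry():
    """Remove a middle entry; the next entry's link no longer matches."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact  :", verify_chain(build_sample_chain()))
    print("modified:", demo_modified_entry())
    print("deleted :", demo_deleted_entry())
```

Verification is a read-only pass that can run on a schedule against the stored log; a failing index tells the responder where the trail stops being trustworthy, which is exactly the information a forensic analysis needs before drawing conclusions from the data.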
Finally, it is important to understand that data stores that integrate large volumes of real-time log data streams can grow exponentially. When designing the data platform for audit log analysis, evaluate the cost, security and performance of your data platform against your security and compliance requirements.
(And remember: you don’t need this data forever and ever — it’s not sustainable.)
This posting does not necessarily represent Splunk's position, strategies or opinion.