Security Logging, Monitoring & Audit Trails
Security logging is the practice of recording events in your systems so that you can detect attacks, investigate incidents, and demonstrate compliance. Without adequate logging, security incidents are impossible to detect in real time and difficult to investigate after the fact.
What We Log
- Authentication events: Successful logins, failed login attempts, password resets, MFA events, account lockouts
- Authorisation events: Access denied events, privilege escalations
- Data access: Access to sensitive data (personal data, financial records) — who accessed what and when
- Data modification: Create, update, delete operations on critical data
- API calls: All API requests with caller identity, endpoint, response code
- System events: Service starts/stops, configuration changes, deployment events
- Security events: WAF rule triggers, rate limit breaches, suspicious patterns
Log Integrity
Logs must be protected from tampering. We write logs to append-only storage and centralise them in a separate log management system (AWS CloudWatch, Azure Monitor, Datadog, ELK Stack), where they are protected independently of the application.
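Append-only storage and a separate log system limit who can change a log; a hash chain adds a way to prove that nothing was changed. The following is an added example (not code from this page) in which every entry commits to the SHA-256 of the entry before it, so that editing, reordering or deleting an entry breaks every link after it. The event field names and the `GENESIS` sentinel are assumptions; the sample events are constructed.

```python
import copy
import hashlib
import json
from typing import List, Optional

# Sentinel recorded as the "previous" hash of the very first entry (assumption).
GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the same record always hashes to the same digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(seq: int, prev: str, event: dict) -> str:
    # Each entry commits to its position, the previous entry's hash and its own content.
    return hashlib.sha256(_canonical({"seq": seq, "prev": prev, "event": event})).hexdigest()


class HashChainedLog:
    """Append-only, tamper-evident log: every entry links to the hash of the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _entry_hash(seq, prev, event)
        self.entries.append({"seq": seq, "prev": prev, "event": copy.deepcopy(event), "hash": digest})
        return digest

    def head(self) -> str:
        # The latest hash; storing it in an independent system anchors the whole chain.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry that fails.

    Modified, reordered or deleted entries break a link at or after the damage. Removing
    entries from the end is only detectable when expected_head (anchored elsewhere) is
    supplied; that case is reported as index len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if _entry_hash(e["seq"], e["prev"], e["event"]) != e["hash"]:
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def clone(entries: List[dict]) -> List[dict]:
    # Deep copy so tamper scenarios can be exercised on a copy without touching the log.
    return copy.deepcopy(entries)


def build_sample_log() -> HashChainedLog:
    # Constructed sample events, not real data.
    log = HashChainedLog()
    log.append({"type": "auth.login", "user": "alice", "outcome": "success"})
    log.append({"type": "data.read", "user": "alice", "resource": "customers/42"})
    log.append({"type": "config.change", "user": "bob", "key": "auth.mfa_required", "new": False})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()
    print("intact:", verify_chain(log.entries, head))          # None
    edited = clone(log.entries)
    edited[1]["event"]["user"] = "mallory"
    print("edited entry 1 ->", verify_chain(edited, head))   # 1
```

The chain on its own cannot tell a log that was truncated from one that simply stopped; publishing `head()` periodically to the separate log system is what closes that gap, which is why the verifier takes an `expected_head`.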
Alerting
Logs are only valuable if they are monitored. We configure alerts for: multiple failed login attempts, access from unusual geographies, after-hours access to sensitive data, sudden spikes in error rates, and changes to security-critical configuration.
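To make the event list above and these alert conditions concrete, here is an added example (not code from this page) that parses structured JSON log lines of the kinds listed under "What We Log" and runs four of the alert rules over them: repeated failed logins for one account within a window, a successful login from a country not in the user's baseline, after-hours reads of high-sensitivity data, and changes to security-critical configuration keys. The log lines, the field names, the thresholds, the `KNOWN_COUNTRIES` baseline and the `SECURITY_CRITICAL_KEYS` set are all constructed assumptions; the error-rate spike rule is not shown.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List

# Constructed sample log lines (JSON Lines), not real data. Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:01Z", "type": "auth.login", "user": "alice", "outcome": "failure", "src_ip": "203.0.113.5", "country": "GB"}
{"ts": "2024-03-04T09:00:05Z", "type": "auth.login", "user": "alice", "outcome": "failure", "src_ip": "203.0.113.5", "country": "GB"}
{"ts": "2024-03-04T09:00:09Z", "type": "auth.login", "user": "alice", "outcome": "failure", "src_ip": "203.0.113.5", "country": "GB"}
{"ts": "2024-03-04T09:00:12Z", "type": "auth.login", "user": "alice", "outcome": "failure", "src_ip": "203.0.113.5", "country": "GB"}
{"ts": "2024-03-04T09:00:15Z", "type": "auth.login", "user": "alice", "outcome": "failure", "src_ip": "203.0.113.5", "country": "GB"}
{"ts": "2024-03-04T09:30:00Z", "type": "auth.login", "user": "bob", "outcome": "success", "src_ip": "198.51.100.7", "country": "GB"}
{"ts": "2024-03-04T10:15:00Z", "type": "auth.login", "user": "bob", "outcome": "success", "src_ip": "192.0.2.44", "country": "BR"}
{"ts": "2024-03-04T14:10:00Z", "type": "data.read", "user": "carol", "resource": "customers/payment_cards", "sensitivity": "high"}
{"ts": "2024-03-04T16:40:00Z", "type": "config.change", "user": "bob", "key": "ui.theme", "old": "light", "new": "dark"}
{"ts": "2024-03-04T16:41:00Z", "type": "config.change", "user": "bob", "key": "auth.mfa_required", "old": true, "new": false}
{"ts": "2024-03-04T23:10:00Z", "type": "data.read", "user": "carol", "resource": "customers/payment_cards", "sensitivity": "high"}
"""

# Rule parameters (assumed values; tune to your environment).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW_S = 300
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC
SECURITY_CRITICAL_KEYS = {"auth.mfa_required", "auth.session_ttl", "waf.mode"}
# Assumed per-user baseline of countries seen before; a real system derives this from history.
KNOWN_COUNTRIES: Dict[str, set] = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}


def parse_events(text: str) -> List[dict]:
    # One JSON object per line; timestamps are parsed once and events sorted by time.
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["_ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def detect(events: List[dict]) -> List[dict]:
    alerts: List[dict] = []
    # Per-user sliding window of recent failed-login timestamps.
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for e in events:
        t = e["_ts"]
        if e["type"] == "auth.login" and e["outcome"] == "failure":
            q = recent_failures[e["user"]]
            q.append(t)
            while q and (t - q[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "repeated_failed_logins", "user": e["user"], "count": len(q), "ts": e["ts"]})
                q.clear()  # fire once per burst; a new burst starts the count again
        elif e["type"] == "auth.login" and e["outcome"] == "success":
            if e["country"] not in KNOWN_COUNTRIES.get(e["user"], set()):
                alerts.append({"rule": "unusual_geography", "user": e["user"], "country": e["country"], "ts": e["ts"]})
        elif e["type"] == "data.read" and e.get("sensitivity") == "high":
            if t.hour not in BUSINESS_HOURS_UTC:
                alerts.append({"rule": "after_hours_sensitive_access", "user": e["user"],
                               "resource": e["resource"], "ts": e["ts"]})
        elif e["type"] == "config.change" and e["key"] in SECURITY_CRITICAL_KEYS:
            alerts.append({"rule": "security_config_change", "user": e["user"], "key": e["key"],
                           "old": e.get("old"), "new": e.get("new"), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Each rule reads only fields the event list above says to record (caller identity, outcome, resource, configuration key and values), which is the practical reason for logging them in a structured form rather than as free text: the alerting layer can key on them without parsing prose.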
Retention
Log retention periods should meet regulatory requirements. UK GDPR and most compliance frameworks require a minimum of 6 months' retention; we recommend 12 months for security logs.