Audit Logging
Audit logging is the process of recording events and activities on your systems so you can track what happened, when it happened, and who did it. Audit logs capture user logins, file access, configuration changes, security events, and other activities that are important for security monitoring, incident investigation, and compliance verification.
Effective audit logging requires not just turning on logs, but defining what to log, protecting log integrity (preventing tampering), retaining logs for an appropriate period, and actually reviewing them regularly. Logs are useless if nobody looks at them — regular log review is essential for detecting suspicious activity.
Why It Matters
Audit and Accountability is a full CMMC domain. Assessors will verify that you're logging the right events, protecting your logs, retaining them appropriately, and reviewing them regularly. Without audit logs, you have no visibility into what's happening on your systems.