Security Audit Logging
Table of Contents
Overview
Implement comprehensive audit logging for security events, user actions, and system changes with structured logging, retention policies, and SIEM integration.
When to Use
- Compliance requirements (SOC 2, HIPAA, PCI-DSS)
- Security monitoring
- Forensic investigations
- User activity tracking
- System change auditing
- Breach detection
Quick Start
Minimal working example:
// audit-logger.js
const winston = require("winston");
const { ElasticsearchTransport } = require("winston-elasticsearch");
class AuditLogger {
constructor() {
this.logger = winston.createLogger({
level: "info",
format: winston.format.combine(
winston.format.timestamp(),
winston.format.json(),
),
transports: [
// File transport
new winston.transports.File({
filename: "logs/audit.log",
maxsize: 10485760, // 10MB
maxFiles: 30,
tailable: true,
}),
// Elasticsearch transport for SIEM
new ElasticsearchTransport({
level: "info",
clientOpts: {
// ... (see reference guides for full implementation)
Reference Guides
Detailed implementations in the references/ directory:
| Guide | Contents |
|---|---|
| Node.js Audit Logger | Node.js Audit Logger |
| Python Audit Logging System | Python Audit Logging System |
| Java Audit Logging | Java Audit Logging |
Best Practices
✅ DO
- Log all security events
- Use structured logging
- Include timestamps (UTC)
- Log user context
- Implement log retention
- Encrypt sensitive logs
- Monitor log integrity
- Send to SIEM
- Include request IDs
❌ DON'T
- Log passwords/secrets
- Log sensitive PII unnecessarily
- Skip failed attempts
- Allow log tampering
- Store logs insecurely
- Ignore log analysis