Overview

Audit logs provide valuable insight into the operation of a system. They can record who accessed the system, what actions they performed, and other details about users; they can also be configured to record all system calls and program actions. This makes audit logs very valuable for investigations, whether security related or into why a system or application is failing.

Why are they asking this?

Since audit logs can be a valuable tool in investigations of system anomalies or security issues, it is important to generate and protect audit logs.

What do they expect?

Audit logs need to be created for user and system actions, including logins and logouts, privileged actions, assuming roles or permissions, and many other details of the system and its applications. Each log entry needs to include an accurate time, who performed the action, what the action was, and whether the action was blocked or allowed. The audit logs should be shipped off the local system to a central collection point. The logs need to be protected from change: they should be immutable, and a cryptographic hash or signature needs to be recorded for each file or entry.
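As an added illustration of the last two requirements (an entry that carries time, actor, action and outcome, plus a per-entry hash and signature that make changes detectable), the following Python example is not part of the original text and describes no particular product. It writes each entry with a SHA-256 hash that chains to the previous entry and an HMAC over that hash, then verifies the chain so that an edited or deleted entry is reported by index. The field names, the SIGNING_KEY value and the sample entries are all constructed for the example; in practice the key would live on the central collector rather than the host producing the logs, since a host-resident key lets whoever controls the host re-sign what they changed.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed example key. Assumption: in a real deployment the key is held by
# the central collector (or an HSM), not by the host writing the log.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Hash recorded as "prev_hash" for the very first entry in a chain.
GENESIS_HASH = "0" * 64

# The fields every entry must carry: accurate time, who, what, and allowed/blocked.
BODY_FIELDS = ("timestamp", "actor", "action", "outcome", "prev_hash")


def canonical(body: Dict[str, str]) -> bytes:
    """Serialize deterministically so hashing is stable across writers and readers."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], actor: str, action: str, outcome: str,
                 timestamp: Optional[str] = None) -> dict:
    """Append one entry whose hash chains to the previous entry and is signed with HMAC."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS_HASH
    body = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "outcome": outcome,  # "allowed" or "blocked"
        "prev_hash": prev_hash,
    }
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    signature = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, signature=signature)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry).

    Detects: a modified field (hash mismatch), a re-hashed entry without the key
    (signature mismatch), and a removed or reordered entry (prev_hash mismatch).
    Truncation of the newest entries is only caught if the collector also keeps
    the last known entry_hash and compares it to log[-1]["entry_hash"].
    """
    expected_prev = GENESIS_HASH
    for index, entry in enumerate(log):
        body = {key: entry[key] for key in BODY_FIELDS}
        if entry["prev_hash"] != expected_prev:
            return False, index
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, index
        expected_sig = hmac.new(SIGNING_KEY, entry["entry_hash"].encode(),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry["signature"]):
            return False, index
        expected_prev = entry["entry_hash"]
    return True, -1


def build_sample_log() -> List[dict]:
    """Constructed sample: a login, a privileged action, and a blocked role assumption."""
    log: List[dict] = []
    append_entry(log, "alice", "login", "allowed", "2024-01-01T00:00:00+00:00")
    append_entry(log, "alice", "sudo su -", "allowed", "2024-01-01T00:01:00+00:00")
    append_entry(log, "bob", "assume-role admin", "blocked", "2024-01-01T00:02:00+00:00")
    return log


def modified_entry_demo() -> Tuple[bool, int]:
    """Flip the outcome of the privileged action; verification must flag entry 1."""
    tampered = copy.deepcopy(build_sample_log())
    tampered[1]["outcome"] = "blocked"
    return verify_log(tampered)


def deleted_entry_demo() -> Tuple[bool, int]:
    """Remove the privileged action; the next entry's prev_hash no longer matches."""
    tampered = copy.deepcopy(build_sample_log())
    del tampered[1]
    return verify_log(tampered)


if __name__ == "__main__":
    print("intact log:", verify_log(build_sample_log()))
    print("modified entry:", modified_entry_demo())
    print("deleted entry:", deleted_entry_demo())
```

The per-entry hash chain gives the ordering and integrity guarantee; the HMAC is what stops a party who can rewrite the file from simply recomputing the hashes. Shipping entries to the collector as they are written, and having the collector record the newest entry hash, closes the remaining gap of silently dropping the tail of the log.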