Security Audit Logging

Table of Contents

• Overview
• When to Use
• Quick Start
• Reference Guides
• Best Practices

Overview

Implement comprehensive audit logging for security events, user actions, and system changes with structured logging, retention policies, and SIEM integration.

When to Use

• Compliance requirements (SOC 2, HIPAA, PCI-DSS)
• Security monitoring
• Forensic investigations
• User activity tracking
• System change auditing
• Breach detection

Quick Start

Minimal working example:

// audit-logger.js
const winston = require("winston");
const { ElasticsearchTransport } = require("winston-elasticsearch");

class AuditLogger {
  constructor() {
    this.logger = winston.createLogger({
      level: "info",
      format: winston.format.combine(
        winston.format.timestamp(),
        winston.format.json(),
      ),
      transports: [
        // File transport
        new winston.transports.File({
          filename: "logs/audit.log",
          maxsize: 10485760, // 10MB
          maxFiles: 30,
          tailable: true,
        }),

        // Elasticsearch transport for SIEM
        new ElasticsearchTransport({
          level: "info",
          clientOpts: {
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Best Practices

✅ DO

• Log all security events
• Use structured logging
• Include timestamps (UTC)
• Log user context
• Implement log retention
• Encrypt sensitive logs
• Monitor log integrity
• Send to SIEM
• Include request IDs

❌ DON'T

• Log passwords/secrets
• Log sensitive PII unnecessarily
• Skip failed attempts
• Allow log tampering
• Store logs insecurely
• Ignore log analysis