
Audit Logging Policy

Last updated: January 15, 2026

Audit Logging and Monitoring Policy

Document owner: Chief Information Security Officer (CISO), with VP Engineering as co-owner
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual review; updates for infrastructure changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com


Definitions and Key Terms

| Term | Definition |
|---|---|
| Audit Log | A chronological record of system activities that provides documentary evidence of the sequence of events |
| Event | An observable occurrence in a system or network, which may or may not be security-relevant |
| Security Event | An event that may affect the security of information systems or data |
| Log Source | A system, application, or device that generates log data |
| Log Aggregation | The process of collecting logs from multiple sources into a centralized system |
| SIEM | Security Information and Event Management: technology that provides real-time analysis of security alerts |
| Log Retention | The period for which log data is stored before deletion or archival |
| Log Integrity | Ensuring that log data has not been tampered with or modified |
| Real-Time Monitoring | Continuous observation of systems and events as they occur |
| Alert | A notification triggered when specific conditions or thresholds are met |
| Correlation | Analysis of events from multiple sources to identify patterns or incidents |
| Audit Trail | A complete record of all activities that affect a particular operation, procedure, or event |
| Privileged Activity | Actions performed by users with elevated access rights or administrative permissions |
| Access Log | Records of user authentication and authorization activities |
| Transaction Log | Records of database or application transactions |
| Change Log | Records of modifications to systems, configurations, or data |
| Network Log | Records of network traffic and connection activities |
| Application Log | Records generated by application software |
| System Log | Records generated by operating systems and infrastructure |
| Security Log | Records specifically related to security events and activities |
| Log Format | The structure and syntax used to record log entries |
| Timestamp | The date and time associated with a log entry |
| Log Parsing | The process of extracting structured data from log entries |
| Log Analysis | The process of examining logs to identify patterns, anomalies, or incidents |

Scope and Purpose

This Audit Logging and Monitoring Policy establishes Acme Cloud, Inc.'s requirements for generating, collecting, storing, protecting, and analyzing audit logs across all systems, applications, and infrastructure. The policy scope encompasses all production systems, development environments with access to production data, security systems, network infrastructure, cloud services, and third-party integrations that process Acme Cloud or customer data. The purpose is to maintain comprehensive visibility into system activities for security monitoring, incident investigation, compliance demonstration, operational troubleshooting, and forensic analysis.

Logging Objectives

| Objective | Description | Benefit |
|---|---|---|
| Security Detection | Identify security incidents and threats in real time | Rapid response |
| Incident Investigation | Support forensic analysis of security events | Root cause determination |
| Compliance Evidence | Demonstrate regulatory and contractual compliance | Audit readiness |
| Accountability | Maintain attribution for all significant actions | Non-repudiation |
| Operational Visibility | Support system troubleshooting and performance analysis | System reliability |
| Change Verification | Validate authorized changes; detect unauthorized modifications | Change control |

Scope Applicability

| System Category | In Scope | Logging Level | Examples |
|---|---|---|---|
| Production Applications | Yes | Comprehensive | SaaS platform, APIs, customer portals |
| Production Infrastructure | Yes | Comprehensive | AWS resources, databases, network |
| Security Systems | Yes | Maximum | Authentication, WAF, intrusion detection |
| Development Environments | Partial | Moderate | Dev/staging with production data access |
| Internal Tools | Yes | Standard | Admin dashboards, internal apps |
| Third-Party Services | Yes (via integration) | As available | SaaS vendors, integrations |
| Employee Devices | Partial | Endpoint telemetry | Laptops (via MDM/EDR) |

Logging Requirements

Events Required to Log

| Event Category | Required Events | Sensitivity | Examples |
|---|---|---|---|
| Authentication | All authentication attempts (success/failure); session events | High | Login, logout, MFA, SSO |
| Authorization | Access grants, denials, permission changes | High | RBAC changes, access requests |
| Data Access | Access to sensitive data; bulk operations | High | Customer data queries, exports |
| Data Modification | Create, update, delete of sensitive records | High | CRUD on customer data |
| Administrative Actions | All privileged user activities | Critical | Config changes, user management |
| Security Events | Alerts, rule triggers, policy violations | Critical | WAF blocks, IDS alerts |
| System Events | Startup, shutdown, service changes | Medium | Restarts, deployments |
| Configuration Changes | System and application configuration modifications | High | Settings, feature flags |
| Network Activity | Connection events, firewall decisions | Medium | VPC flow logs, firewall logs |
| API Activity | API calls with authentication context | Medium | REST/GraphQL requests |
| Error Events | Application errors, exceptions | Medium | Unhandled exceptions |
| Scheduled Tasks | Execution of automated processes | Low | Cron jobs, batch processes |

Logging Detail Requirements

| Log Element | Required | Format | Purpose |
|---|---|---|---|
| Timestamp | Yes | ISO 8601 (UTC) | Event ordering |
| Event Type | Yes | Enumerated/structured | Classification |
| Event Source | Yes | System identifier | Source identification |
| Actor Identity | Yes | User ID, service account | Attribution |
| Actor Context | Yes | IP address, session ID | Context |
| Target Resource | Yes | Resource identifier | Affected object |
| Action Performed | Yes | Action verb/type | Activity description |
| Outcome | Yes | Success/failure | Result status |
| Reason/Details | Conditional | Text/structured | Additional context |
| Correlation ID | Recommended | UUID | Request tracing |
| Tenant ID | Yes (multi-tenant) | Tenant identifier | Tenant isolation |

Log Format Standards

| Standard | Requirement | Implementation |
|---|---|---|
| Structured Format | All logs in JSON format | Application logging |
| UTC Timestamps | All timestamps in UTC | System configuration |
| Consistent Schema | Follow defined log schemas | Log templates |
| Correlation Support | Include trace/correlation IDs | Distributed tracing |
| Tenant Attribution | Include tenant identifier | Application logging |
| Severity Levels | Use standard severity (DEBUG, INFO, WARN, ERROR, CRITICAL) | Logging framework |
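A schema check that applies the Logging Detail Requirements and Log Format Standards above to one JSON log line, and also rejects entries carrying password or token fields as policy statement 9 requires. This is an added example, not Acme Cloud's own code; the JSON key names (timestamp, event_type, tenant_id and so on) are assumptions, since the policy names the elements but not their keys.

```python
"""Validate one JSON log line against the Logging Detail Requirements and
Log Format Standards tables, plus policy statement 9 (no passwords or tokens
in logs). Added example, not Acme Cloud's own code; the JSON key names
(timestamp, event_type, tenant_id, ...) are assumed."""
import json
import re
from datetime import datetime, timedelta

# Required elements (assumed key names) from the Logging Detail Requirements table.
REQUIRED = ("timestamp", "event_type", "event_source", "actor_id", "actor_ip",
            "session_id", "target", "action", "outcome")
SEVERITIES = {"DEBUG", "INFO", "WARN", "ERROR", "CRITICAL"}  # Log Format Standards
OUTCOMES = {"success", "failure"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Policy statement 9: such fields must be masked or excluded, so their presence is a violation.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api_key", re.I)

def is_utc_iso8601(value):
    """True only for an ISO 8601 timestamp that carries an explicit UTC offset."""
    try:
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return False
    return ts.tzinfo is not None and ts.utcoffset() == timedelta(0)

def validate_entry(raw_line, multi_tenant=True):
    """Return the list of policy violations for one log line; [] means compliant."""
    try:
        entry = json.loads(raw_line)
    except json.JSONDecodeError:
        return ["not valid JSON (Structured Format requirement)"]
    if not isinstance(entry, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing required element: {k}" for k in REQUIRED if k not in entry]
    if multi_tenant and "tenant_id" not in entry:
        problems.append("missing tenant_id (Tenant Attribution requirement)")
    if "timestamp" in entry and not is_utc_iso8601(entry["timestamp"]):
        problems.append("timestamp is not ISO 8601 in UTC")
    if entry.get("severity") not in SEVERITIES:
        problems.append("severity must be DEBUG, INFO, WARN, ERROR or CRITICAL")
    if "outcome" in entry and entry["outcome"] not in OUTCOMES:
        problems.append("outcome must be success or failure")
    if "correlation_id" in entry and not UUID_RE.match(str(entry["correlation_id"])):
        problems.append("correlation_id is not a UUID")
    problems += [f"sensitive field must be masked or excluded: {k}"
                 for k in entry if SECRET_KEY_RE.search(k)]
    return problems

# Constructed sample lines: one compliant entry and one with several violations.
GOOD_LINE = json.dumps({
    "timestamp": "2026-01-15T10:00:00Z", "event_type": "auth.login", "event_source": "auth-service",
    "actor_id": "u-123", "actor_ip": "203.0.113.5", "session_id": "s-9", "target": "account/u-123",
    "action": "login", "outcome": "success", "severity": "INFO", "tenant_id": "t-42",
    "correlation_id": "123e4567-e89b-12d3-a456-426614174000"})
BAD_LINE = json.dumps({  # non-UTC offset, missing elements, bad severity, raw password
    "timestamp": "2026-01-15T10:00:00+02:00", "event_type": "auth.login",
    "actor_id": "u-123", "password": "hunter2", "severity": "VERBOSE"})
```

Run `validate_entry` over each line as it enters the pipeline and count the returned violations to feed the Parse Failures metric.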

Log Categories and Sources

Application Logs

| Log Type | Source | Events Captured | Retention |
|---|---|---|---|
| Authentication Log | Auth service | Login, logout, MFA, password changes | 12 months |
| Authorization Log | Application | Permission checks, role assignments | 12 months |
| Audit Log | Application | User actions affecting data | 12 months |
| API Access Log | API gateway | All API requests with auth context | 12 months |
| Error Log | Application | Exceptions, failures, warnings | 6 months |
| Performance Log | APM | Response times, throughput, errors | 3 months |

Infrastructure Logs

| Log Type | Source | Events Captured | Retention |
|---|---|---|---|
| AWS CloudTrail | AWS | All AWS API activity | 12 months |
| VPC Flow Logs | AWS VPC | Network traffic metadata | 6 months |
| ELB Access Logs | AWS ELB | Load balancer access | 6 months |
| RDS Audit Log | AWS RDS | Database activity | 12 months |
| S3 Access Logs | AWS S3 | Object access | 12 months |
| CloudWatch Logs | AWS | System and application logs | Per category |

Security Logs

| Log Type | Source | Events Captured | Retention |
|---|---|---|---|
| WAF Logs | Cloudflare/AWS WAF | Web attack detection, blocks | 12 months |
| IDS/IPS Logs | Security monitoring | Intrusion detection alerts | 12 months |
| EDR Logs | Endpoint protection | Endpoint security events | 12 months |
| SIEM Alerts | Datadog | Correlated security alerts | 12 months |
| Certificate Logs | PKI/TLS | Certificate operations | 24 months |
| Secrets Access | Secrets Manager | Secrets access audit | 12 months |

Database Logs

| Log Type | Database | Events Captured | Retention |
|---|---|---|---|
| Query Audit Log | PostgreSQL | DDL, DML on sensitive tables | 12 months |
| Connection Log | PostgreSQL | Connection attempts | 6 months |
| Error Log | PostgreSQL | Database errors | 6 months |
| Slow Query Log | PostgreSQL | Performance issues | 3 months |
| Replication Log | PostgreSQL | Replication status | 3 months |

Log Collection and Aggregation

Architecture Overview

| Component | Technology | Purpose | Availability |
|---|---|---|---|
| Log Shipping | AWS CloudWatch Agent, Datadog Agent | Collect from sources | 24/7 |
| Aggregation | Datadog Log Management | Centralize logs | 24/7 |
| SIEM | Datadog Security Monitoring | Security analysis | 24/7 |
| Long-Term Storage | AWS S3 (encrypted) | Compliance retention | 24/7 |
| Backup | Cross-region S3 replication | Disaster recovery | 24/7 |

Collection Requirements

| Requirement | Specification | Rationale |
|---|---|---|
| Real-Time Collection | <60 seconds from generation to SIEM | Rapid detection |
| Reliable Delivery | At-least-once delivery | No log loss |
| Encryption in Transit | TLS 1.2+ for all log transport | Confidentiality |
| Compression | Enable compression for high-volume sources | Efficiency |
| Buffering | Local buffer for network interruptions | Reliability |
| Health Monitoring | Alert on collection failures | Completeness |

Log Pipeline Metrics

| Metric | Definition | Target | Alert Threshold |
|---|---|---|---|
| Collection Latency | Time from event to SIEM availability | <60 seconds | >300 seconds |
| Log Volume | Events per second processed | Baseline ± 50% | >2x or <50% |
| Parse Failures | Failed log parsing rate | <0.1% | >1% |
| Storage Utilization | Log storage usage | <80% | >90% |
| Pipeline Health | Collection agent status | 100% healthy | Any unhealthy |

Security Monitoring and Alerting

Monitoring Approach

| Approach | Description | Use Case |
|---|---|---|
| Rule-Based Detection | Predefined rules triggering on specific patterns | Known threats |
| Threshold Alerting | Alerts when metrics exceed thresholds | Anomaly detection |
| Correlation | Cross-source event correlation | Complex attacks |
| Behavioral Analysis | Baseline deviation detection | Unknown threats |
| Threat Intelligence | IOC matching against known indicators | Emerging threats |

Detection Rules Categories

| Category | Examples | Priority |
|---|---|---|
| Authentication Attacks | Brute force, credential stuffing, impossible travel | Critical |
| Privilege Escalation | Unauthorized admin access, permission changes | Critical |
| Data Exfiltration | Bulk data access, unusual download patterns | Critical |
| Malware Activity | Known malware signatures, C2 communication | Critical |
| Insider Threat | Unusual data access patterns, policy violations | High |
| Configuration Changes | Unauthorized config modifications | High |
| Network Anomalies | Unusual traffic patterns, blocked connections | Medium |
| Application Errors | Error rate spikes, new error types | Medium |

Alert Severity Levels

| Severity | Definition | Response SLA | Notification |
|---|---|---|---|
| Critical | Active attack; data compromise likely | 15 minutes | PagerDuty immediate |
| High | Significant security event; investigation required | 1 hour | PagerDuty + Slack |
| Medium | Potential security concern; review needed | 4 hours | Slack + email |
| Low | Informational; trend monitoring | 24 hours | Dashboard |

Alert Response Requirements

| Alert Type | Initial Response | Investigation | Documentation |
|---|---|---|---|
| Critical | Acknowledge within 15 min; begin containment | Full investigation | Incident ticket required |
| High | Acknowledge within 1 hour; assess scope | Targeted investigation | Incident ticket required |
| Medium | Acknowledge within 4 hours; review context | As warranted | Log as appropriate |
| Low | Review during business hours | Trend analysis | None required |

Log Protection and Integrity

Log Security Controls

| Control | Implementation | Purpose |
|---|---|---|
| Encryption at Rest | AES-256 encryption for all stored logs | Confidentiality |
| Encryption in Transit | TLS 1.2+ for all log transport | Confidentiality |
| Access Control | RBAC; principle of least privilege | Authorization |
| Immutability | Write-once storage for compliance logs | Integrity |
| Separation of Duties | Log administrators ≠ system administrators | Non-repudiation |
| Tampering Detection | Hash verification; anomaly detection | Integrity |

Access Control Matrix

| Role | View Logs | Search Logs | Export Logs | Modify Settings | Delete Logs |
|---|---|---|---|---|---|
| Security Team | All | All | With approval | Yes | No |
| SRE Team | Infrastructure | Infrastructure | With approval | Limited | No |
| Engineering | Application (own team) | Limited | No | No | No |
| Compliance | Audit logs | Audit logs | With approval | No | No |
| Executive | Dashboards | No | No | No | No |
| External Auditor | As provisioned | As provisioned | With approval | No | No |

Log Integrity Verification

| Verification | Method | Frequency | Owner |
|---|---|---|---|
| Hash Verification | SHA-256 checksums on archived logs | At archive; on access | Automated |
| Completeness Check | Gap detection in log sequences | Daily | Automated |
| Tampering Detection | SIEM rule for log modification attempts | Real-time | Security team |
| Chain of Custody | Documented access for forensic logs | Per investigation | Security team |
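The two automated rows above, hash verification at archive time and on access and daily gap detection, carried out on a JSON-lines archive. Added illustration, not Acme Cloud's own tooling; a per-source `seq` counter in each entry is an assumption, since the policy requires gap detection but does not name the field.

```python
"""Archive-time SHA-256 checksum and daily completeness (gap) check for a
JSON-lines log archive, after the Log Integrity Verification table. Added
example, not Acme Cloud's own tooling; the per-source "seq" field is assumed."""
import hashlib
import hmac
import json

def sha256_digest(data: bytes) -> str:
    """Checksum recorded in the archive manifest at archive time."""
    return hashlib.sha256(data).hexdigest()

def verify_archive(data: bytes, recorded_digest: str) -> bool:
    """On access: re-hash the archived bytes and compare with the recorded value."""
    return hmac.compare_digest(sha256_digest(data), recorded_digest)

def find_sequence_gaps(jsonl: bytes) -> dict:
    """Return {event_source: [missing seq numbers]} for each source with a gap.
    Sequence numbers are collected into a set per source first, so out-of-order
    lines and the duplicates that at-least-once delivery produces are not
    reported as gaps; only numbers absent between the observed min and max are."""
    seen = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        seen.setdefault(entry["event_source"], set()).add(int(entry["seq"]))
    gaps = {}
    for source, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[source] = missing
    return gaps

# Constructed sample archive: auth-service lacks seq 3 and 4 and repeats seq 2
# (at-least-once delivery); api-gateway is complete but delivered out of order.
ARCHIVE = b"\n".join(json.dumps(e).encode() for e in [
    {"event_source": "auth-service", "seq": 1, "action": "login"},
    {"event_source": "auth-service", "seq": 2, "action": "login"},
    {"event_source": "auth-service", "seq": 2, "action": "login"},
    {"event_source": "auth-service", "seq": 5, "action": "logout"},
    {"event_source": "api-gateway", "seq": 11, "action": "GET /v1/users"},
    {"event_source": "api-gateway", "seq": 10, "action": "GET /v1/users"},
]) + b"\n"
MANIFEST_DIGEST = sha256_digest(ARCHIVE)  # what the archive manifest would store
```

A non-empty result from `find_sequence_gaps` is the "gap in expected log volume" condition that policy statement 11 requires an alert on.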

Retention and Archival

Retention Schedule

| Log Category | Hot Storage | Warm Storage | Cold/Archive | Total Retention |
|---|---|---|---|---|
| Security Events | 90 days | 9 months | 24 months | 36 months |
| Authentication | 30 days | 11 months | 24 months | 36 months |
| Audit Logs | 90 days | 9 months | 24 months | 36 months |
| Application Errors | 30 days | 5 months | 6 months | 12 months |
| API Access | 30 days | 5 months | 6 months | 12 months |
| Infrastructure | 30 days | 5 months | 6 months | 12 months |
| Performance/Debug | 7 days | 23 days | N/A | 30 days |

Storage Tiers

| Tier | Description | Access Time | Cost | Use Case |
|---|---|---|---|---|
| Hot | Fully indexed; real-time queries | Milliseconds | High | Active monitoring |
| Warm | Indexed; slower queries | Seconds | Medium | Investigation |
| Cold | Archived; retrieval required | Minutes to hours | Low | Compliance retention |

Deletion and Disposal

| Activity | Requirement | Verification | Documentation |
|---|---|---|---|
| Automated Deletion | Per retention schedule | Deletion logs | Retention policy |
| Legal Hold | Suspend deletion when required | Hold registry | Legal notice |
| Manual Deletion | Prohibited except with approval | Audit trail | Exception request |
| Disposal Verification | Confirm permanent deletion | Deletion certificate | Compliance records |

Monitoring Operations

Operational Metrics

| Metric | Description | Target | Current |
|---|---|---|---|
| SIEM Availability | Uptime of monitoring platform | 99.9% | 99.95% |
| Alert Response Time | Time to acknowledge alerts | <15 min (Critical) | 8 min avg |
| False Positive Rate | Percentage of non-actionable alerts | <20% | 18% |
| Detection Coverage | Percentage of log sources monitored | 100% | 100% |
| Rule Effectiveness | Alerts leading to valid investigation | >50% | 62% |

Review Cadence

| Review Activity | Frequency | Owner | Output |
|---|---|---|---|
| Alert Triage | Continuous | Security on-call | Alert disposition |
| Daily Summary Review | Daily | Security team | Daily brief |
| Weekly Trend Analysis | Weekly | Security lead | Trend report |
| Rule Tuning | Monthly | Security team | Rule updates |
| Retention Audit | Quarterly | Compliance | Audit report |
| Architecture Review | Annual | Security + Engineering | Improvements |

Capacity Planning

| Resource | Current Usage | Threshold | Expansion Plan |
|---|---|---|---|
| Log Ingestion | 2 TB/day | 4 TB/day | Auto-scaling |
| Hot Storage | 180 TB | 250 TB | Auto-scaling |
| Query Capacity | 70% | 85% | Scale monitoring |
| Archive Storage | 1.2 PB | 2 PB | S3 auto-scaling |

Numbered Policy Statements

  1. Logging Mandate: All production systems, security systems, and systems processing customer data must generate audit logs capturing security-relevant events.

  2. Centralized Collection: All logs must be collected and aggregated in the centralized logging platform (SIEM) for security monitoring and analysis.

  3. Real-Time Monitoring: Security-relevant logs must be monitored in real-time with automated alerting for critical and high-severity events.

  4. Retention Compliance: Logs must be retained for the periods specified in the retention schedule to meet regulatory, contractual, and forensic requirements.

  5. Log Integrity: Log data must be protected from unauthorized modification or deletion through encryption, access controls, and integrity verification.

  6. Access Control: Access to log data must be restricted based on role and need-to-know, with all access logged for accountability.

  7. Timestamp Accuracy: All logged events must include accurate UTC timestamps synchronized via NTP to enable event correlation.

  8. Structured Logging: Applications must generate structured logs (JSON format) following defined schemas to enable automated analysis.

  9. PII Protection: Logs must not contain unencrypted passwords, tokens, or excessive personal data; sensitive data must be masked or excluded.

  10. Alert Response: Security alerts must be acknowledged and investigated within the timeframes specified by severity level.

  11. Collection Monitoring: Log collection infrastructure must be monitored for failures, with alerts on any gaps in expected log volume.

  12. Legal Hold: Log deletion must be suspended when litigation hold or regulatory preservation requirements are in effect.

  13. Forensic Capability: Log infrastructure must support forensic investigation including secure export, chain of custody, and integrity verification.

  14. Annual Review: Logging requirements, detection rules, and retention policies must be reviewed annually and updated as needed.


Framework Appendix

Compliance Mapping

| Requirement | SOC 2 Criteria | ISO 27001 Control | HIPAA Provision | Implementation |
|---|---|---|---|---|
| Audit logging | CC7.2 | A.12.4.1 | §164.312(b) | This policy |
| Log protection | CC7.2 | A.12.4.2 | §164.312(c)(1) | Integrity controls |
| Log retention | CC7.2 | A.12.4.1 | §164.312(b) | Retention schedule |
| Log review | CC7.2 | A.12.4.1 | §164.308(a)(1)(ii)(D) | Monitoring operations |
| Time synchronization | CC7.2 | A.12.4.4 | §164.312(b) | NTP configuration |
| Access logging | CC6.1 | A.12.4.3 | §164.312(b) | Access logs |

NIST CSF Mapping

| CSF Subcategory | Description | Policy Implementation |
|---|---|---|
| DE.AE-3 | Event data collected and correlated | Log collection and SIEM |
| DE.CM-1 | Network monitoring | VPC flow logs; network logs |
| DE.CM-3 | Personnel activity monitoring | User activity logs |
| DE.CM-7 | Monitoring for unauthorized access | Authentication logging |
| PR.PT-1 | Audit records determined, documented | This policy |
| RS.AN-3 | Forensics performed | Log retention; integrity |

PCI DSS Logging Requirements (Reference)

| PCI DSS Requirement | Applicability | Implementation |
|---|---|---|
| 10.1 | Audit trails | Comprehensive logging |
| 10.2 | Log specific events | Event requirements matrix |
| 10.3 | Log entry content | Log detail requirements |
| 10.4 | Time synchronization | UTC timestamps; NTP |
| 10.5 | Secure logs | Protection controls |
| 10.6 | Log review | Monitoring operations |
| 10.7 | Log retention | 12-month minimum |

Related Trust Center documents

security overview, incident response, access control, data retention, encryption standards, compliance frameworks


Document revision history

| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |

Contact

Acme Cloud, Inc., 1200 Market Street, Suite 400, San Francisco, CA 94103, USA

| Channel | Email | Use case |
|---|---|---|
| Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews |
| Security | security@acmecloud.com | Incidents, vulnerabilities, control questions |
| Privacy | privacy@acmecloud.com | DSRs, privacy assessments |
| Legal | legal@acmecloud.com | Contractual, DPA, legal notices |

Logging Operations Contacts

| Contact | Role | Use Case |
|---|---|---|
| security@acmecloud.com | Security Team | Alert investigation; log access requests |
| sre-oncall@acmecloud.com | SRE On-Call | Log infrastructure issues |
| logging-support@acmecloud.com | Logging Team | Log collection issues; format questions |
| legal@acmecloud.com | Legal | Legal hold; forensic requests |

Appendix: Log Review Checklist

| Review Item | Frequency | Owner | Documentation |
|---|---|---|---|
| Critical alert review | Daily | Security on-call | Alert notes |
| High alert review | Daily | Security team | Alert notes |
| Authentication anomaly review | Daily | Security team | Review log |
| Privileged activity review | Weekly | Security team | Review log |
| Failed login trend analysis | Weekly | Security team | Trend report |
| Data access pattern review | Weekly | Security team | Pattern report |
| Rule effectiveness analysis | Monthly | Security lead | Tuning report |
| Retention compliance check | Quarterly | Compliance | Audit report |
| Log coverage assessment | Annually | Security + Engineering | Gap analysis |
