Support FAQ

What is Audit Logging?

Back to learning

Audit logging is the practice of recording events so a team can explain what happened later. Good logs are decision evidence. They help security teams investigate abuse, platform teams debug control changes, fraud teams review account activity, and compliance teams show that important controls actually ran.

The goal is not to log everything. Logging everything creates cost, privacy risk, noisy alerts, and incident exposure if the logs are compromised. The goal is to record the events that matter, in a form that can be trusted, queried, retained for the right period, and protected from misuse.

Logs Should Answer a Real Question

Start with the decisions the organisation may need to defend. Who accessed customer data? Which administrator changed a production setting? Why was a login challenged or blocked? Which API key called a sensitive route? Did a deployment change the checkout path? Which policy version was active when a request was allowed? Which support user exported records?

Those questions define the log design. A useful event usually records the actor, action, target, time, source, result, route, system, policy, and enough context to interpret the event. For security decisions, that context may include risk score, rate-limit key, bot classification, IP or network signal, device signal, account identifier, and the action taken.

Logs also need consistency. If every service invents its own field names and timestamp formats, investigations become slow and unreliable. Use common event types, stable identifiers, UTC timestamps where appropriate, and correlation IDs that connect the request path across edge, application, identity, payment, and support systems.

What to Log and What to Avoid

Log useful evidence Avoid by default
Authentication success and failure, MFA result, password reset, account lockout, and session invalidation Passwords, one-time codes, recovery answers, or full authentication secrets
Authorisation decisions, privileged access, permission changes, and denied sensitive actions Broad payload capture where only the decision result is needed
Administrative changes to production, security policy, DNS, CDN, checkout, API, or logging configuration Unredacted card data, health details, tokens, cookies, or API secrets
Data access, exports, deletions, retention jobs, and support impersonation where allowed Free-text customer data copied into operational notes without need
Security actions such as allow, challenge, rate limit, block, and log-forwarding outcomes High-cardinality noise that no team will review or retain

The privacy and security tension is real. Security teams need enough detail to detect credential stuffing, enumeration, account takeover, API abuse, insider misuse, and control failure. Privacy teams need data minimisation, access limits, and retention discipline. A good logging design records the facts needed for investigation while keeping sensitive content out of general telemetry.

Retention, Integrity, and Access

Retention should follow purpose. Some operational logs are useful for days. Security investigation logs may be needed for longer. Regulated data access logs may have a defined retention period. Keeping everything forever is rarely defensible, but deleting evidence too soon can leave teams blind during an incident or audit.

Integrity matters because logs are often used after something has gone wrong. Protect logs from alteration by restricting write and delete permissions, separating log storage from the systems being monitored, forwarding events quickly to a central destination, and retaining enough metadata to show where the event came from. Cryptographic signing or immutability may be appropriate for higher-risk environments, but access control and separation are the starting points.

Access to logs should be treated like access to production data. Logs can contain personal data, account identifiers, IP addresses, security decisions, and sometimes sensitive mistakes. Limit who can query them, monitor log access, and redact values before forwarding them into broad analytics or support tools.

Queryability Is Part of the Control

A log that exists but cannot be searched during an incident is not very useful. Teams need indexes, fields, dashboards, and runbooks that match the questions they ask under pressure. Can analysts find all requests for an account? Can they see all actions by an administrator? Can they trace a blocked checkout attempt from edge policy to origin response? Can they export evidence without copying unnecessary sensitive data?

SIEM and log-forwarding pipelines should preserve structure rather than turning events into loose text. Peakhour's log forwarding and edge decision records can support this by sending security actions, route context, scores, and policy outcomes into the customer's chosen tools. That evidence supports security and compliance work; it does not replace the organisation's retention, access, privacy, or audit decisions.

What Teams Need to Decide

Define the events that matter, the fields each event must include, the data that must never be logged, the retention period, the owner, and the review path. Then test it with a real scenario: a suspicious login burst, a changed payment rule, a support export, or a blocked API request.

If the team can reconstruct the timeline, explain the decision, and preserve evidence without exposing unnecessary sensitive data, the audit logging design is doing its job.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.