Understanding Security Audit Logs
Security audit logs provide a chronological record of system events, user activities, and security-relevant changes. These logs serve multiple purposes including forensic investigation, compliance documentation, threat detection, and operational troubleshooting. Understanding different log types and their security implications helps administrators implement comprehensive logging strategies that capture critical events without overwhelming storage or analysis capabilities.
Windows Security Event Log contains authentication events, privilege usage, object access attempts, and policy changes. Event IDs provide standardized identification for specific activities:
# Critical Windows Security Event IDs
# 4624 - Successful logon
# 4625 - Failed logon
# 4648 - Logon with explicit credentials
# 4672 - Special privileges assigned
# 4697 - Service installed
# 4698 - Scheduled task created
# 4720 - User account created
# 4732 - Member added to security group
# Query specific security events
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 100 |
Select-Object TimeCreated, Message |
Where-Object {$_.Message -like "*0xC000006A*"} # Bad password attempts
Linux audit logs vary by distribution but typically include authentication logs, system logs, and application logs. The systemd journal provides centralized logging on modern distributions:
# View SSH authentication failures (the unit is sshd.service on RHEL/CentOS)
journalctl -u ssh.service | grep "Failed password"
grep "Failed password" /var/log/auth.log # Debian/Ubuntu
# System security events from auditd (ausearch has no --failed option; filter on success value "no")
ausearch -m LOGIN -sv no
aureport --auth --failed
# Check sudo usage
journalctl _COMM=sudo
grep sudo /var/log/secure # RHEL/CentOS
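The Windows and Linux queries above both end in the same analyst task: turning raw failed-logon records into counts per source address and failure reason. The following Python is an added example (not code from the original page) that normalises constructed sample input of both kinds, abbreviated Event ID 4625 message bodies and sshd lines in auth.log format, into one record shape and flags sources that exceed a threshold. The NTSTATUS sub-status codes are real 4625 values; the field layout of the sample messages is simplified, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd lines in /var/log/auth.log format (not from a real host).
LINUX_LINES = [
    "Mar 10 08:01:12 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "Mar 10 08:01:15 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2",
    "Mar 10 08:01:19 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51140 ssh2",
    "Mar 10 08:02:40 host1 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar 10 08:03:02 host1 sshd[2214]: Failed password for alice from 198.51.100.9 port 40100 ssh2",
]

# Constructed, abbreviated Event ID 4625 message bodies (as Get-WinEvent's Message
# property would carry them). Real messages have many more fields; only the ones
# read below are included here.
WINDOWS_4625 = [
    "An account failed to log on.\nAccount Name: svc_backup\nSource Network Address: 203.0.113.5\nSub Status: 0xC000006A",
    "An account failed to log on.\nAccount Name: svc_backup\nSource Network Address: 203.0.113.5\nSub Status: 0xC000006A",
    "An account failed to log on.\nAccount Name: jdoe\nSource Network Address: 10.0.0.12\nSub Status: 0xC0000064",
]

# NTSTATUS sub-status codes reported in 4625, mapped to the labels used for Linux.
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "unknown user",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
}

LINUX_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_linux(line):
    """Normalise one sshd failure line; return None for lines that are not failures."""
    m = LINUX_RE.search(line)
    if not m:
        return None
    reason = "unknown user" if m.group("invalid") else "wrong password"
    return {"origin": "linux", "source": m.group("src"),
            "account": m.group("user"), "reason": reason}


def parse_windows_4625(message):
    """Normalise one 4625 message body by reading its 'Key: value' lines."""
    fields = {}
    for raw in message.splitlines():
        key, sep, value = raw.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    code = fields.get("Sub Status")
    if code is None:
        return None
    return {
        "origin": "windows",
        "source": fields.get("Source Network Address", "-"),
        "account": fields.get("Account Name", "-"),
        "reason": SUBSTATUS.get(code, f"other ({code})"),
    }


def collect(linux_lines=LINUX_LINES, windows_messages=WINDOWS_4625):
    """Parse both inputs into one list of normalised failure records."""
    records = [r for r in map(parse_linux, linux_lines) if r]
    records += [r for r in map(parse_windows_4625, windows_messages) if r]
    return records


def aggregate(records, threshold=3):
    """Count failures per source and reason; flag sources at or above threshold (assumed value)."""
    per_source = defaultdict(Counter)
    for r in records:
        per_source[r["source"]][r["reason"]] += 1
    flagged = {src: sum(c.values()) for src, c in per_source.items()
               if sum(c.values()) >= threshold}
    return dict(per_source), flagged


if __name__ == "__main__":
    counts, flagged = aggregate(collect())
    for src, c in counts.items():
        print(src, dict(c))
    print("flagged:", flagged)
```

Keeping the Windows sub-status separate from a generic "failed" count matters: a burst of "unknown user" failures from one address reads differently from repeated wrong passwords against one existing account, and the same distinction is visible in sshd's "invalid user" wording on Linux.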
Log retention policies balance storage constraints with investigative needs. Security logs require longer retention periods than operational logs, with many compliance frameworks mandating specific retention durations. Implement log rotation with compression to maximize retention within storage limits:
# Linux logrotate configuration for security logs
# The heredoc delimiter is quoted so the shell writes the backtick expression in
# postrotate literally instead of expanding it while creating the file.
cat > /etc/logrotate.d/security << 'EOF'
/var/log/secure /var/log/auth.log {
    daily
    rotate 365
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
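To see what the `rotate`, `compress` and `delaycompress` directives above produce on disk over successive runs, here is an added Python model (not logrotate's own code, and not from the original page) of the file names a single log such as /var/log/secure passes through. It assumes daily rotation with compression enabled and ignores `dateext`, `create` and the postrotate script; its purpose is to show why `delaycompress` leaves the newest archive uncompressed for one cycle, so that rsyslog, which may still hold the file open until it has handled the HUP, does not write into a file that has already been gzipped.

```python
def rotate_once(archives, rotate_count, delaycompress=True):
    """One rotation of "secure". archives maps archive index n -> compressed flag
    for secure.n (n >= 1); the live file "secure" is implied."""
    # Shift every archive up by one and drop any index beyond rotate_count.
    shifted = {n + 1: gz for n, gz in archives.items() if n + 1 <= rotate_count}
    # The live file becomes secure.1, uncompressed at this point.
    shifted[1] = False
    if delaycompress:
        # Compression is postponed by one cycle: last run's secure.1 (now secure.2)
        # is compressed, the freshly rotated secure.1 is left alone.
        if 2 in shifted:
            shifted[2] = True
    else:
        shifted[1] = True
    return shifted


def names(archives):
    """Render the archive map as the file names that would exist on disk."""
    out = ["secure"]
    for n in sorted(archives):
        out.append(f"secure.{n}" + (".gz" if archives[n] else ""))
    return out


def simulate(cycles, rotate_count, delaycompress=True):
    """Run `cycles` daily rotations from an empty state and return the file names."""
    archives = {}
    for _ in range(cycles):
        archives = rotate_once(archives, rotate_count, delaycompress)
    return names(archives)


if __name__ == "__main__":
    print("rotate 365, delaycompress:", simulate(3, 365))
    print("rotate 2,   delaycompress:", simulate(3, 2))
    print("rotate 365, no delay:     ", simulate(3, 365, delaycompress=False))
```

Before relying on the real configuration, run logrotate in debug mode (`logrotate -d /etc/logrotate.d/security`), which parses the file and reports what it would do without rotating anything.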