
Audit Logging in Resmo: What It Is & How It Works


With Audit Logs, the recent addition to Resmo’s monitoring capabilities, Resmo users can better track all activities and system events across their environments at a glance and in detail.

Audit logging is a game-changer in various fields, especially in IT, where audit logs can be used to:

  • Track changes to systems
  • Troubleshoot issues
  • Support forensic investigations
  • Detect anomalies or security incidents

Let’s break down Audit Logging to help you make the most out of this feature on Resmo. For technical details, also visit the documentation.

What is Audit Logging?

Audit logging, also known as audit trailing, is a security process that systematically tracks and records activities taking place in an information system. It creates a trail of actions performed by system users, providing visibility into who did what, where, and when, which can be crucial for accountability, system troubleshooting, and compliance with various regulations.

audit logging activity types

Types of information that audit logging typically captures include:

  • User Activity: Audit logs record the activities of individual users, including login times, commands executed, files accessed, and changes made.
  • System Events: These logs capture significant occurrences within the system, like startups, shutdowns, errors, and crashes.
  • Data Access and Changes: Details of data accessed, modified, deleted, or moved within the system are recorded.
  • Security Incidents: Any suspicious or unauthorized activities, failed login attempts, or policy violations get logged.
  • Configuration Changes: Modifications to system settings, user privileges, or security controls are tracked.
  • Time and Date: Timestamps are attached to each event or action to indicate when it occurred.

Here are a few real-life examples:

  • Unsuccessful login attempt through Atlassian Access
  • User failed to log in from an unknown IP address.
  • This API token has made too many requests.
  • Drive file was edited by X user from X IP address 2 hours ago.

Audit Logs vs. Regular System Logs

audit logs vs system logs

Audit logs and system logs are both essential elements of a robust logging strategy, but they serve different purposes and capture different types of information.

Audit Logs

Audit logs are primarily designed for security and compliance. They track and record user activities to create a chronological record of who did what, when, and where within a system. This information can be critical for investigations, troubleshooting, regulatory compliance, and maintaining accountability. Audit logs typically include:

  • Who performed the action (user identification)
  • What action was performed
  • When the action took place (timestamp)
  • Where the action was performed (system or network location)
  • The status or result of the action

System Logs

System logs, on the other hand, are more general and provide information about the system itself rather than specific user activities. They record events that occur within the system's operating environment, such as system errors, operational status, warnings, and other technical details useful for system administration and debugging. System logs typically include:

  • System errors and warnings
  • System startups and shutdowns
  • Hardware changes or errors
  • Software installation and updates
  • Network activities and errors

While there can be overlap, audit logs tend to focus on user activities for security and compliance purposes, whereas system logs concentrate on system operations and performance. Both are critical for maintaining system health, security, and meeting regulatory requirements.

What Types of Activity Do Audit Logs Track?

Audit logs are used to track and record a wide range of activities within an information system. The exact types of activities can vary depending on the integrated system, but commonly tracked activities include:

  • User Login/Logout Activity

Recording when users log in or out of the system, and from what IP address, can be essential for identifying unauthorized access attempts or unusual login patterns.

  • Data Access

This includes tracking when users access or retrieve data from the system, which can help ensure that sensitive information is only being accessed by authorized individuals.

  • Data Modifications

Changes to data, such as updates, deletions, or additions, are typically logged. This is important for maintaining data integrity and for troubleshooting any issues related to data changes.

  • System Changes

Modifications to the system itself, including changes to configurations, permissions, or policies, are generally logged. This can be critical for identifying actions that may impact system security or performance.

  • Failure Events

Failed attempts to access the system or data, failed transactions, or other system errors are often logged. This can provide important insights into potential security threats or system issues.

  • Security Events

Any actions that trigger security alerts or violate security policies are typically logged. This can include multiple failed login attempts, attempts to access restricted areas, or other suspicious behavior.
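To make the activity types in this list and the "real-life examples" above concrete, here is an added example (not Resmo's code, and not tied to any particular integration) that replays a constructed set of audit events in time order and applies three detection rules: repeated failed logins for one user from one IP, a successful login from an IP never seen before for that user, and an API token exceeding a request budget. The actor names, IP addresses, thresholds and event field names are assumptions made for this example.

```python
"""Detection rules over a constructed stream of audit events.

Every event carries the who / what / when / where / result fields an audit
record needs. Three rules run while the events are replayed in time order:
  brute_force   - N failed logins for one actor from one IP inside a window
  new_ip_login  - a successful login from an IP never seen before for that actor
  token_flood   - an API token exceeding its request budget inside a window
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(ts, actor, action, ip, result):
    return {"ts": ts, "actor": actor, "action": action, "ip": ip, "result": result}


# Constructed sample data for this example; not real Resmo or platform output.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "alice", "login", "203.0.113.10", "success"),
    _event("2024-05-01T09:05:00Z", "bob", "login", "198.51.100.7", "success"),
    _event("2024-05-01T09:10:00Z", "alice", "login", "203.0.113.10", "success"),
    # five failed logins for bob from one IP, 20 seconds apart
    *[_event(f"2024-05-01T10:0{i // 3}:{(i % 3) * 20:02d}Z", "bob", "login",
             "192.0.2.55", "failure") for i in range(5)],
    # alice logs in successfully from an IP she has never used before
    _event("2024-05-01T10:02:00Z", "alice", "login", "192.0.2.99", "success"),
    # an API token makes 120 requests inside a single minute
    *[_event(f"2024-05-01T11:00:{i % 60:02d}Z", "token:ci-deploy", "api_request",
             "198.51.100.7", "success") for i in range(120)],
]


def run_rules(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              api_budget=100, api_window=timedelta(minutes=1)):
    """Replay events in timestamp order and return (rule, actor, ip, ts) findings."""
    findings = []
    known_ips = defaultdict(set)   # actor -> IPs seen in successful logins (the baseline)
    windows = defaultdict(deque)   # (rule, key) -> timestamps still inside the window

    def over_threshold(rule, key, ts, threshold, window):
        q = windows[(rule, key)]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        return len(q) == threshold        # fires when the count first reaches the threshold

    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        ts = parse_ts(ev["ts"])
        if ev["action"] == "login" and ev["result"] == "failure":
            if over_threshold("brute_force", (ev["actor"], ev["ip"]), ts, fail_threshold, fail_window):
                findings.append(("brute_force", ev["actor"], ev["ip"], ev["ts"]))
        elif ev["action"] == "login":
            seen = known_ips[ev["actor"]]
            if seen and ev["ip"] not in seen:   # the first login only establishes the baseline
                findings.append(("new_ip_login", ev["actor"], ev["ip"], ev["ts"]))
            seen.add(ev["ip"])
        elif ev["action"] == "api_request":
            if over_threshold("token_flood", ev["actor"], ts, api_budget, api_window):
                findings.append(("token_flood", ev["actor"], ev["ip"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(*finding)
```

Two caveats a practitioner would keep in mind: the brute-force rule is keyed on (actor, IP), so it misses password spraying (one IP, many accounts) or a distributed attack on one account; the key you count on decides which patterns you can see. The new-IP rule treats the first login it sees as the baseline, so in practice the baseline should be seeded from historical successful logins rather than from the first event after monitoring starts, and a login from a new IP is a signal to review, not proof of compromise.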

How Do Audit Logs Work?

audit logs on Resmo

Resmo starts with an initial polling pass as soon as a platform is integrated, collecting all the audit logs the platform still exposes so that they are retained from the outset. It then switches to smart polling, which periodically queries the integrated system for new audit logs; this keeps the data close to real time (bounded by the polling interval) and lets irregularities surface quickly.

Additionally, if the integrated system supports webhook events for audit logs, Resmo configures itself to listen for these, allowing for the instantaneous recording of new logs as they are generated. 

Resmo then analyzes this data to surface potential security threats and compliance issues and to provide operational insights. It also applies a retention policy to audit logs that follows organizational requirements and each platform's specifics, so that the logs remain available for visibility, compliance, and security work.
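The initial poll, incremental polling and webhook path described above, as an added example (hypothetical code, not Resmo's implementation): the FakeSource class stands in for a platform's audit-log API, and the overlap and retention values are assumptions. The point it shows is that polling and webhooks can deliver the same event twice, so the store must be keyed by event id, and an incremental poll should start a little before the last cursor so late-arriving events are not missed.

```python
"""Collector that backfills, then polls incrementally, and also accepts webhook
deliveries, writing everything into one de-duplicated store with retention.

The source API is a hypothetical in-memory stand-in for a platform's
audit-log endpoint; nothing here is Resmo's own code."""
from datetime import datetime, timedelta


class FakeSource:
    """Stand-in for a platform API that returns audit events with ts >= since."""

    def __init__(self, events):
        self.events = list(events)

    def list_events(self, since=None):
        return [e for e in self.events if since is None or e["ts"] >= since]


class AuditCollector:
    def __init__(self, source, overlap=timedelta(minutes=1), retention=timedelta(days=90)):
        self.source = source
        self.overlap = overlap        # re-read a little of the past so late-arriving events are caught
        self.retention = retention
        self.cursor = None            # newest timestamp stored so far
        self.store = {}               # event id -> event; keyed by id so duplicates collapse

    def _ingest(self, ev):
        if ev["id"] in self.store:    # already stored via an earlier poll or a webhook
            return False
        self.store[ev["id"]] = ev
        if self.cursor is None or ev["ts"] > self.cursor:
            self.cursor = ev["ts"]
        return True

    def backfill(self):
        """Initial poll: take everything the platform still exposes."""
        return sum(self._ingest(e) for e in self.source.list_events())

    def poll(self):
        """Incremental poll from (cursor - overlap); the id check absorbs the overlap."""
        since = None if self.cursor is None else self.cursor - self.overlap
        return sum(self._ingest(e) for e in self.source.list_events(since))

    def on_webhook(self, payload):
        """Webhook delivery: same path, so a later poll of the same event is a no-op."""
        return self._ingest(payload)

    def apply_retention(self, now):
        """Drop events older than the retention window; returns how many were dropped."""
        cutoff = now - self.retention
        expired = [k for k, e in self.store.items() if e["ts"] < cutoff]
        for k in expired:
            del self.store[k]
        return len(expired)


def demo():
    """Exercise backfill, a webhook, an overlapping poll and retention on constructed data."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    src = FakeSource({"id": f"e{i}", "ts": t0 + timedelta(minutes=i), "action": "login"}
                     for i in range(3))
    col = AuditCollector(src)
    n_backfill = col.backfill()                          # e0, e1, e2 -> 3 new events
    pushed = {"id": "e3", "ts": t0 + timedelta(minutes=3), "action": "config_change"}
    col.on_webhook(pushed)                               # arrives by webhook first...
    src.events.append(pushed)                            # ...and later becomes visible to polling too
    src.events.append({"id": "e4", "ts": t0 + timedelta(minutes=4), "action": "login"})
    n_poll = col.poll()                                  # only e4 is new: e2 (overlap) and e3 (webhook) are dropped
    n_expired = col.apply_retention(t0 + timedelta(days=90, minutes=2, seconds=30))
    return n_backfill, n_poll, n_expired, sorted(col.store)


if __name__ == "__main__":
    print(demo())   # (3, 1, 3, ['e3', 'e4'])
```

Real platform APIs usually paginate and may only let you filter by a coarse timestamp, so the overlap should be at least as long as the platform's own ingestion delay (an assumption you have to measure per integration), and the de-duplication key must be the platform's stable event id rather than a timestamp, since several events can share one timestamp.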

How do you start monitoring your system activities on Resmo?

There’s no additional friction; if you already have one of the supported integrations set up on your Resmo account, you can directly head over to the Audit Logs page and see what’s happening across your organization.

Current List of Supported Integrations for Audit Logging

supported integrations for audit logs

Benefits of Audit Logging

Audit logging offers numerous benefits, especially when it comes to maintaining data integrity, ensuring regulatory compliance, and enhancing security. Here are some key advantages:

  • Security Monitoring

Audit logs record activities across the system, providing visibility into user behavior, system processes, and potential security threats. This information helps identify unusual patterns or suspicious actions, allowing for prompt responses to potential security incidents.

  • Compliance Assurance

Many industry standards and regulations require organizations to maintain audit logs to demonstrate compliance. The logs are the evidence that required controls and processes are being followed; frameworks such as the CIS Benchmarks, PCI DSS, and SOC 2 all expect logging of this kind, and they apply across a wide range of industries.

  • Incident Response and Forensics

In case of a security incident, audit logs are invaluable for determining what happened, who was involved, and how the incident occurred. They provide detailed information, facilitating investigation and resolution of the incident.

  • Accountability

With audit logging, each activity can be traced back to a particular user or process. This means increased accountability, as any changes made to data or system configurations are logged with the details of the individual or process responsible.

  • Operational Efficiency

Audit logs can also be used to analyze system performance and identify areas for improvement. They offer insights into how resources are used and how processes are executed, supporting optimization efforts.

  • Dispute Resolution

Audit logs serve as a reliable record of transactions and activities. They can be used to verify actions and resolve disputes regarding data access or modification, providing an objective reference point.

  • System and Network Troubleshooting

By maintaining a comprehensive record of system operations, audit logs help identify and diagnose network and system performance issues, speeding up troubleshooting and reducing downtime.

See the critical system activities across your organization

In an era of increasing cyber threats and stringent regulatory requirements, having an eagle-eye view on critical system activities across your organization is no longer optional, but a necessity. Audit logging serves this very purpose, providing detailed records of all system activities, making the invisible visible, and the complex understandable.

Ready to see it for yourself? Go ahead and give the audit logging feature a try on your Resmo account. Observe firsthand how you can monitor real-time activities, identify potential threats, and make informed, data-driven decisions.
