Audit Logs<\/strong> (also known as audit trails) are chronological records<\/strong> that detail all events and changes made to systems, applications, and data. These logs capture \u201cwho did what, when, and how<\/strong>,\u201d offering a vital mechanism for tracking user activity, diagnosing issues, and ensuring security and compliance in a system.<\/p>\n\n\n\n Audit logs support continuous monitoring and feedback<\/strong> across:<\/p>\n\n\n\n Create Edit config: Open Kibana at Audit logs are the backbone of observability and security<\/strong> in a DevSecOps workflow. They empower teams to operate with visibility, enforce governance, and maintain compliance. As automation grows, so does the need for tamper-proof, real-time logging<\/strong> systems that evolve with your pipeline.<\/p>\n\n\n\nHistory or Background<\/h3>\n\n\n\n
\n
Why Are Audit Logs Relevant in DevSecOps?<\/h3>\n\n\n\n
\n
\n\n\n\n\ud83e\udde9 Core Concepts & Terminology<\/h2>\n\n\n\n
Key Terms and Definitions<\/h3>\n\n\n\n
Term<\/th> Description<\/th><\/tr><\/thead> Event<\/strong><\/td> Any action taken in the system (e.g., login, file access, deployment).<\/td><\/tr> Actor<\/strong><\/td> The user\/service account initiating the action.<\/td><\/tr> Target<\/strong><\/td> The object affected (file, service, container, etc.).<\/td><\/tr> Timestamp<\/strong><\/td> When the event occurred.<\/td><\/tr> Immutable Logs<\/strong><\/td> Logs that are tamper-proof, typically stored in write-once systems.<\/td><\/tr> SIEM<\/strong><\/td> Security Information and Event Management tool aggregating log data.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n How It Fits into the DevSecOps Lifecycle<\/h3>\n\n\n\n
\n
\ud83c\udfd7\ufe0f Architecture & How It Works<\/h2>\n\n\n\n
Components of an Audit Logging System<\/h3>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
Internal Workflow<\/h3>\n\n\n\n
\n
kubectl delete pod<\/code>)<\/li>\n\n\n\nDiagram (Textual Description)<\/h3>\n\n\n\n
[Dev\/User Action]\n |\n [Audit Log Producer] --> [Log Collector (Fluentd\/Filebeat)] \n | |\n v v\n [Audit Log Store (S3\/Elastic)] --> [Analyzer (SIEM\/Kibana)]\n |\n v\n [Alerts & Compliance Reports]\n<\/code><\/pre>\n\n\n\nIntegration Points with CI\/CD or Cloud Tools<\/h3>\n\n\n\n
Tool<\/th> Integration Point<\/th><\/tr><\/thead> Jenkins<\/strong><\/td> Pipeline execution logs, plugin actions<\/td><\/tr> GitHub\/GitLab<\/strong><\/td> Repo push, merge, PRs, pipeline logs<\/td><\/tr> Kubernetes<\/strong><\/td> Audit logs for API server & pod lifecycle<\/td><\/tr> Terraform<\/strong><\/td> Plan\/apply logs, policy checks via OPA<\/td><\/tr> AWS CloudTrail<\/strong><\/td> Logs every AWS API call made<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n\ud83d\ude80 Installation & Getting Started<\/h2>\n\n\n\n
Basic Setup or Prerequisites<\/h3>\n\n\n\n
\n
Hands-on: Beginner Setup with Filebeat + ELK Stack<\/h3>\n\n\n\n
\ud83d\udd39 Step 1: Install Docker<\/h4>\n\n\n\n
sudo apt update\nsudo apt install docker.io docker-compose -y\n<\/code><\/pre>\n\n\n\n\ud83d\udd39 Step 2: Start ELK Stack with Docker Compose<\/h4>\n\n\n\n
docker-compose.yml<\/code>:<\/p>\n\n\n\nversion: '3'\nservices:\n elasticsearch:\n image: docker.elastic.co\/elasticsearch\/elasticsearch:8.12.0\n environment:\n - discovery.type=single-node\n ports:\n - 9200:9200\n\n kibana:\n image: docker.elastic.co\/kibana\/kibana:8.12.0\n ports:\n - 5601:5601\n<\/code><\/pre>\n\n\n\ndocker-compose up -d\n<\/code><\/pre>\n\n\n\n\ud83d\udd39 Step 3: Install Filebeat<\/h4>\n\n\n\n
curl -L -O https:\/\/artifacts.elastic.co\/downloads\/beats\/filebeat\/filebeat-8.12.0-amd64.deb\nsudo dpkg -i filebeat-8.12.0-amd64.deb\n<\/code><\/pre>\n\n\n\n\/etc\/filebeat\/filebeat.yml<\/code><\/p>\n\n\n\noutput.elasticsearch:\n hosts: [\"localhost:9200\"]\n\nsetup.kibana:\n host: \"localhost:5601\"\n<\/code><\/pre>\n\n\n\n\ud83d\udd39 Step 4: Enable System Module<\/h4>\n\n\n\n
sudo filebeat modules enable system\nsudo filebeat setup\nsudo systemctl start filebeat\n<\/code><\/pre>\n\n\n\nhttp:\/\/localhost:5601<\/code>, navigate to \u201cDiscover\u201d to view logs.<\/p>\n\n\n\n
\n\n\n\n\ud83d\udd0d Real-World Use Cases<\/h2>\n\n\n\n
1. Code Change Tracking<\/strong><\/h3>\n\n\n\n
\n
2. Kubernetes Pod Deletion<\/strong><\/h3>\n\n\n\n
\n
kubectl delete pod<\/code> commands and the user behind it.<\/li>\n\n\n\n3. Terraform Apply Review<\/strong><\/h3>\n\n\n\n
\n
4. Cloud Access Review<\/strong><\/h3>\n\n\n\n
\n
\n\n\n\n\u2705 Benefits & Limitations<\/h2>\n\n\n\n
Key Benefits<\/h3>\n\n\n\n
\n
Limitations<\/h3>\n\n\n\n
Limitation<\/th> Description<\/th><\/tr><\/thead> Storage Cost<\/strong><\/td> High volume of logs requires archiving<\/td><\/tr> Noise<\/strong><\/td> Can generate too much irrelevant data<\/td><\/tr> Tampering Risk<\/strong><\/td> Without immutability, logs can be altered<\/td><\/tr> Latency in Analysis<\/strong><\/td> Real-time monitoring needs tuning<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n\ud83d\udd10 Best Practices & Recommendations<\/h2>\n\n\n\n
Security Tips<\/h3>\n\n\n\n
\n
Performance & Maintenance<\/h3>\n\n\n\n
\n
Compliance & Automation<\/h3>\n\n\n\n
\n
\n\n\n\n\ud83d\udd04 Comparison with Alternatives<\/h2>\n\n\n\n
Feature \/ Tool<\/th> Audit Logs<\/th> SIEM (e.g., Splunk)<\/th> CloudTrail \/ Activity Logs<\/th><\/tr><\/thead> Real-time Events<\/td> \u2705<\/td> \u2705<\/td> \u26a0\ufe0f (some delay)<\/td><\/tr> Root-cause Analysis<\/td> \u2705<\/td> \u2705<\/td> \u2705<\/td><\/tr> Compliance<\/td> \u2705<\/td> \u2705<\/td> \u2705<\/td><\/tr> Cost Efficiency<\/td> \u26a0\ufe0f<\/td> \u274c (expensive)<\/td> \u2705 (included in cloud)<\/td><\/tr> Integration Ease<\/td> \u2705<\/td> \u2705<\/td> \u2705<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n When to Use Audit Logs Over Others?<\/h3>\n\n\n\n
\n
\n\n\n\n\ud83c\udfc1 Conclusion<\/h2>\n\n\n\n
Final Thoughts<\/h3>\n\n\n\n
Future Trends<\/h3>\n\n\n\n
\n
\ud83d\udcce Resources<\/h3>\n\n\n\n
\n