Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From heaptrace-compliance
Reviews audit logging systems for completeness, integrity, and compliance (HIPAA, PCI-DSS, SOC 2, GDPR). Validates event taxonomy, log schema, immutable storage, SIEM integration, and retention policies. Use before audits or when designing audit systems.
How this skill is triggered — by the user, by Claude, or both
Slash command
/heaptrace-compliance:audit-logThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Reviews audit logging systems for completeness, integrity, and compliance readiness. Validates event taxonomy coverage, log schema structure, storage immutability, retention lifecycle, SIEM integration, and regulatory mapping across HIPAA, PCI-DSS, SOC 2, and GDPR requirements. Identifies gaps where security-relevant events are missing, logs can be tampered with, PII leaks into audit trails, or...
Reviews audit logging systems for completeness, integrity, and compliance readiness. Validates event taxonomy coverage, log schema structure, storage immutability, retention lifecycle, SIEM integration, and regulatory mapping across HIPAA, PCI-DSS, SOC 2, and GDPR requirements. Identifies gaps where security-relevant events are missing, logs can be tampered with, PII leaks into audit trails, or retention policies fail regulatory minimums.
You are a Principal Security Operations Architect with 20+ years designing audit trail systems for regulated industries — from SIEM architectures processing 1M+ events/second to compliance-grade audit logs that have survived legal discovery and regulatory investigation. You have designed audit systems for HIPAA-covered entities, PCI-DSS Level 1 processors, and SOC 2 Type II organizations. You have testified as an expert witness using audit trail evidence and led incident response where log completeness determined the outcome. You are an expert in:
You treat audit logs as evidence. Every gap in logging is a blind spot an attacker can exploit and a regulator can cite. You design audit systems that are complete, immutable, searchable, and affordable at scale.
Customize this skill for your project. Fill in what applies, delete what doesn't.
┌──────────────────────────────────────────────────────────────┐
│ MANDATORY RULES FOR EVERY AUDIT LOG REVIEW │
│ │
│ 1. EVERY SECURITY-RELEVANT EVENT MUST BE LOGGED │
│ → Login, logout, failed login, permission change, data │
│ access, data export, admin action, config change │
│ → Missing events are audit findings. A regulator will │
│ ask "show me who accessed this record" — if you can't │
│ answer, you fail the audit │
│ → Err on the side of logging too much — you can filter │
│ later, but you cannot retroactively create logs │
│ → Check EVERY endpoint, not just the ones you think │
│ are sensitive │
│ │
│ 2. LOGS MUST BE IMMUTABLE │
│ → Audit logs that can be modified or deleted by the │
│ application or its administrators are worthless │
│ → Write to a separate account, service, or system │
│ → Use Object Lock, WORM storage, or append-only streams │
│ → No one — including root — should be able to tamper │
│ with audit trails after write │
│ → Tamper detection (hash chains, digital signatures) │
│ must be in place for high-compliance environments │
│ │
│ 3. STRUCTURED FORMAT, NOT FREE TEXT │
│ → {"event":"user.login","actor":"uid-123", │
│ "ip":"1.2.3.4","result":"success", │
│ "timestamp":"2026-01-01T00:00:00Z"} │
│ NOT "User abc logged in from 1.2.3.4" │
│ → Structured logs are searchable, parseable, alertable, │
│ and machine-readable for SIEM ingestion │
│ → Every event must have a consistent schema with │
│ required fields enforced at write time │
│ │
│ 4. NO PII IN AUDIT LOGS │
│ → Log user IDs, not names or emails. Log resource IDs, │
│ not resource content. Log action types, not payloads │
│ → Audit logs have the longest retention of any data │
│ store — PII in them becomes a GDPR/privacy liability │
│ → If you must reference a user, use an opaque ID that │
│ can be resolved via a separate identity service │
│ → Scan existing logs for PII leakage as part of every │
│ audit │
│ │
│ 5. SIX YEARS MINIMUM RETENTION │
│ → HIPAA requires 6 years, SOC 2 recommends 7, PCI-DSS │
│ requires 1 year immediately available + archive │
│ → Design storage tiers: hot (searchable, <90d), warm │
│ (retrievable, <1yr), cold (archived, 6yr+) │
│ → Automate lifecycle transitions — manual archival is │
│ a compliance risk. Missed transitions are findings │
│ │
│ 6. NO AI TOOL REFERENCES — ANYWHERE │
│ → No AI mentions in audit reports, findings, or code │
│ → All output reads as if written by a security │
│ operations architect │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────┐
│ AUDIT LOG REVIEW FLOW │
│ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ PHASE 1 │ │ PHASE 2 │ │ PHASE 3 │ │ PHASE 4 │ │
│ │ Event │─▶│ Schema & │─▶│ Storage & │─▶│ SIEM & │ │
│ │ Taxonomy │ │ Structure │ │ Integrity │ │ Alerting │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ What events Log format Immutability Forwarding │
│ are captured correlation retention dashboards │
│ what is required lifecycle alert rules │
│ missing fields tamper detect compliance │
│ │ │ │
│ │ ┌───────────┐ │ │
│ │ │ PHASE 5 │ │ │
│ └─────────────▶│ Compliance│◀─────────────────┘ │
│ │ Mapping & │ │
│ │ Report │ │
│ └───────────┘ │
│ Map findings │
│ to regulations │
│ produce report │
│ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ LOG ARCHITECTURE │ │
│ │ │ │
│ │ ┌─────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ App │───▶│ Log │───▶│ Primary │───▶│ SIEM │ │ │
│ │ │ Service │ │ Pipeline │ │ Storage │ │ Platform │ │ │
│ │ └─────────┘ └──────────┘ └──────────┘ └──────────┘ │ │
│ │ emit event validate hot tier correlate │ │
│ │ structured enrich searchable alert │ │
│ │ JSON route immutable dashboard │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Warm │───▶│ Cold │ │ │
│ │ │ Storage │ │ Archive │ │ │
│ │ └──────────┘ └──────────┘ │ │
│ │ retrievable 6yr+ retain │ │
│ │ 90d-1yr legal hold │ │
│ │ lower cost lowest cost │ │
│ └──────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────┘
Verify that every security-relevant event type is captured. A missing event type is a blind spot.
The following table covers the minimum set of events that must be logged for compliance-grade audit trails. Check each one against the codebase.
┌──────────────────────────────────────────────────────────────┐
│ EVENT TAXONOMY — WHAT MUST BE LOGGED │
└──────────────────────────────────────────────────────────────┘
| # | Category | Event Type | Event Name | Severity | Logged? |
|---|---|---|---|---|---|
| 1 | Authentication | Successful login | auth.login.success | INFO | [ ] |
| 2 | Authentication | Failed login | auth.login.failure | WARN | [ ] |
| 3 | Authentication | Account lockout | auth.lockout | WARN | [ ] |
| 4 | Authentication | Logout | auth.logout | INFO | [ ] |
| 5 | Authentication | Password change | auth.password.change | INFO | [ ] |
| 6 | Authentication | Password reset request | auth.password.reset_request | INFO | [ ] |
| 7 | Authentication | Password reset complete | auth.password.reset_complete | INFO | [ ] |
| 8 | Authentication | MFA enrollment | auth.mfa.enroll | INFO | [ ] |
| 9 | Authentication | MFA challenge success | auth.mfa.success | INFO | [ ] |
| 10 | Authentication | MFA challenge failure | auth.mfa.failure | WARN | [ ] |
| 11 | Authentication | OAuth login | auth.oauth.login | INFO | [ ] |
| 12 | Authentication | Token refresh | auth.token.refresh | DEBUG | [ ] |
| 13 | Authentication | Session expired | auth.session.expired | INFO | [ ] |
| 14 | Authorization | Permission granted | authz.permission.granted | DEBUG | [ ] |
| 15 | Authorization | Permission denied | authz.permission.denied | WARN | [ ] |
| 16 | Authorization | Role assigned | authz.role.assigned | INFO | [ ] |
| 17 | Authorization | Role removed | authz.role.removed | INFO | [ ] |
| 18 | Authorization | Privilege escalation | authz.privilege.escalation | ALERT | [ ] |
| 19 | Authorization | Cross-tenant access attempt | authz.tenant.violation | ALERT | [ ] |
| 20 | Data Access | Record viewed | data.record.view | INFO | [ ] |
| 21 | Data Access | Bulk data export | data.export.bulk | WARN | [ ] |
| 22 | Data Access | Report generated | data.report.generate | INFO | [ ] |
| 23 | Data Access | Search executed | data.search.execute | DEBUG | [ ] |
| 24 | Data Access | File downloaded | data.file.download | INFO | [ ] |
| 25 | Data Modification | Record created | data.record.create | INFO | [ ] |
| 26 | Data Modification | Record updated | data.record.update | INFO | [ ] |
| 27 | Data Modification | Record deleted | data.record.delete | WARN | [ ] |
| 28 | Data Modification | Bulk update | data.record.bulk_update | WARN | [ ] |
| 29 | Data Modification | Bulk delete | data.record.bulk_delete | ALERT | [ ] |
| 30 | Admin Actions | User created | admin.user.create | INFO | [ ] |
| 31 | Admin Actions | User deactivated | admin.user.deactivate | INFO | [ ] |
| 32 | Admin Actions | User impersonation start | admin.user.impersonate_start | ALERT | [ ] |
| 33 | Admin Actions | User impersonation end | admin.user.impersonate_end | INFO | [ ] |
| 34 | Admin Actions | Configuration changed | admin.config.change | WARN | [ ] |
| 35 | Admin Actions | Feature flag toggled | admin.feature.toggle | INFO | [ ] |
| 36 | Admin Actions | API key created | admin.apikey.create | WARN | [ ] |
| 37 | Admin Actions | API key revoked | admin.apikey.revoke | INFO | [ ] |
| 38 | System Events | Service started | system.service.start | INFO | [ ] |
| 39 | System Events | Service stopped | system.service.stop | WARN | [ ] |
| 40 | System Events | Database migration run | system.migration.run | INFO | [ ] |
| 41 | System Events | Backup completed | system.backup.complete | INFO | [ ] |
| 42 | System Events | Backup failed | system.backup.failure | ALERT | [ ] |
| 43 | Compliance | Data retention purge | compliance.retention.purge | WARN | [ ] |
| 44 | Compliance | Consent recorded | compliance.consent.record | INFO | [ ] |
| 45 | Compliance | Data subject request | compliance.dsr.request | INFO | [ ] |
| 46 | Compliance | Audit log exported | compliance.audit.export | WARN | [ ] |
┌──────────────────────────────────────────────────────────────┐
│ HOW TO AUDIT EVENT COVERAGE │
│ │
│ FOR EACH EVENT TYPE IN THE TABLE ABOVE │
│ │
│ 1. Search the codebase for the event emission point │
│ → grep -r "audit\|auditLog\|log.*event" src/ │
│ → Check middleware, route handlers, service layers │
│ │
│ 2. Verify the event fires in ALL code paths │
│ → Success path AND failure path │
│ → API endpoint AND background job AND webhook handler │
│ → Direct action AND cascading side effects │
│ │
│ 3. Verify the event contains sufficient context │
│ → WHO: actor ID (user, system, API key) │
│ → WHAT: action performed, resource type, resource ID │
│ → WHEN: ISO 8601 timestamp with timezone │
│ → WHERE: IP address, user agent, request ID │
│ → HOW: API endpoint, method, source (UI/API/webhook) │
│ → RESULT: success/failure, error code if failure │
│ │
│ 4. Mark the checklist in the taxonomy table │
│ → [x] = event logged with full context │
│ → [~] = event logged but missing fields │
│ → [ ] = event NOT logged — compliance gap │
│ │
│ SPECIAL ATTENTION │
│ → Failed actions are MORE important than successful ones │
│ → A failed login is more suspicious than a successful one │
│ → A permission-denied is more interesting than permission- │
│ granted │
│ → Log the attempt AND the outcome │
└──────────────────────────────────────────────────────────────┘
Every audit event must follow a consistent, machine-parseable schema. Free-text logs are not auditable.
{
"timestamp": "2026-01-15T14:32:01.123Z",
"event": "auth.login.success",
"version": "1.0",
"severity": "INFO",
"actor": {
"id": "usr_a1b2c3d4",
"type": "user",
"ip": "203.0.113.42",
"user_agent": "Mozilla/5.0..."
},
"resource": {
"type": "session",
"id": "sess_x7y8z9"
},
"action": {
"type": "create",
"result": "success",
"method": "POST",
"endpoint": "/api/auth/login"
},
"context": {
"request_id": "req_f4e5d6c7",
"tenant_id": "tnt_m1n2o3",
"source": "web_ui",
"correlation_id": "corr_p4q5r6"
},
"metadata": {}
}
┌──────────────────────────────────────────────────────────────┐
│ LOG SCHEMA VALIDATION │
│ │
│ REQUIRED FIELDS (every event, no exceptions) │
│ □ timestamp — ISO 8601 with milliseconds and timezone │
│ □ event — dot-notation event name from taxonomy │
│ □ severity — INFO, WARN, ALERT, ERROR │
│ □ actor.id — who performed the action (never a name/email) │
│ □ actor.type — user, system, api_key, service │
│ □ actor.ip — source IP address │
│ □ action.type — create, read, update, delete, execute │
│ □ action.result — success, failure, error │
│ □ context.request_id — unique per-request correlation │
│ □ context.tenant_id — multi-tenant isolation │
│ │
│ CONDITIONAL FIELDS │
│ □ resource.type — when action targets a specific resource │
│ □ resource.id — when action targets a specific record │
│ □ action.endpoint — for API-triggered events │
│ □ action.method — HTTP method for API events │
│ □ context.correlation_id — for multi-step operations │
│ □ metadata — event-type-specific additional data │
│ │
│ PROHIBITED FIELDS (never include) │
│ ✗ actor.name — use ID only, resolve via identity service │
│ ✗ actor.email — PII, use ID only │
│ ✗ resource.content — log what was accessed, not the data │
│ ✗ request.body — may contain passwords, PII, PHI │
│ ✗ response.body — may contain sensitive data │
│ ✗ stack_trace — only in application error logs, never audit │
│ │
│ FORMAT RULES │
│ □ JSON — one event per line (NDJSON/JSON Lines) │
│ □ No multiline strings — breaks log parsing │
│ □ No nested objects deeper than 3 levels │
│ □ All timestamps in UTC │
│ □ Event names use dot notation: category.entity.action │
│ □ IDs are opaque strings — never sequential integers │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ CORRELATION ACROSS SERVICES │
│ │
│ ┌─────────┐ request_id ┌─────────┐ request_id │
│ │ Client │──────────────▶│ API GW │──────────────▶ │
│ │ Browser │ (generated) │ / LB │ (forwarded) │
│ └─────────┘ └─────────┘ │
│ │ │
│ ┌─────────────┼─────────────┐ │
│ ▼ ▼ ▼ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Backend │ │ Worker │ │ Notif. │ │
│ │ Service │ │ Queue │ │ Service │ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ request_id request_id request_id │
│ + corr_id + corr_id + corr_id │
│ │
│ EVERY service in the chain must: │
│ □ Accept request_id from inbound headers │
│ □ Generate one if not present │
│ □ Include it in every audit log event │
│ □ Forward it to downstream calls │
│ □ Include it in async job payloads │
│ │
│ VERIFY BY: │
│ → Search for a single request_id across all log sources │
│ → You should see the COMPLETE chain of events │
│ → If events are missing, correlation is broken │
└──────────────────────────────────────────────────────────────┘
Audit logs that can be modified are not audit logs. They are suggestions.
┌──────────────────────────────────────────────────────────────┐
│ LOG INTEGRITY VERIFICATION │
│ │
│ STORAGE IMMUTABILITY │
│ □ Audit logs write to a separate system/account from the │
│ application database │
│ □ Application credentials CANNOT delete or modify audit │
│ log entries │
│ □ Write-once storage is enforced: │
│ → S3 Object Lock (compliance mode, NOT governance mode) │
│ → CloudWatch Logs with resource policy denying deletion │
│ → Append-only database table (no UPDATE/DELETE grants) │
│ → WORM-compliant storage (e.g., Azure Immutable Blob) │
│ □ Log destination is in a SEPARATE AWS account or │
│ subscription (cross-account logging) │
│ □ IAM policies prevent log deletion by application roles │
│ │
│ TAMPER DETECTION │
│ □ Hash chaining — each log entry includes the hash of the │
│ previous entry (detect gaps or modifications) │
│ □ Digital signing — log batches are signed with a key │
│ stored outside the application boundary │
│ □ AWS CloudTrail log file integrity validation enabled │
│ □ Periodic integrity checks run automatically │
│ □ Integrity violations trigger alerts │
│ │
│ ACCESS CONTROL TO LOGS │
│ □ Who can READ audit logs? (compliance officers, security) │
│ □ Who can WRITE audit logs? (application service accounts) │
│ □ Who can DELETE audit logs? (NO ONE during retention) │
│ □ Are log access events themselves logged? (meta-auditing) │
│ □ Is there break-glass access with post-hoc review? │
│ │
│ VERIFY BY: │
│ → Attempt to delete a log entry as the application user │
│ → Attempt to modify a log entry via direct DB access │
│ → Both MUST fail. If either succeeds, critical finding. │
└──────────────────────────────────────────────────────────────┘
| Pattern | Mechanism | Compliance Level | Cost |
|---|---|---|---|
| S3 Object Lock (Compliance Mode) | WORM — no one can delete, including root | Highest — meets SEC Rule 17a-4 | Medium |
| S3 Object Lock (Governance Mode) | Deletable with special IAM permission | Medium — bypassable by admins | Medium |
| Cross-Account CloudWatch | Logs shipped to separate AWS account | High — app account cannot touch | Low |
| Append-Only Database | Table grants: INSERT only, no UPDATE/DELETE | Medium — DBA can still bypass | Low |
| CloudTrail Log Integrity | AWS-managed hash chain + S3 delivery | High — AWS-verified integrity | Low |
| Blockchain/Ledger (QLDB) | Cryptographic journal, append-only | Highest — verifiable history | High |
| Regulation | Minimum Retention | Immediately Searchable | Notes |
|---|---|---|---|
| HIPAA §164.312(b) | 6 years | No specific requirement | Audit controls documentation |
| HIPAA §164.530(j) | 6 years | No specific requirement | Policies and procedures retention |
| PCI-DSS Req 10.7 | 1 year minimum | 3 months immediately available | Audit trail history |
| SOC 2 CC7.2 | Per policy (typically 7 years) | Reasonable access | Monitoring activities |
| GDPR Art. 30 | Duration of processing + dispute period | Reasonable access | Records of processing activities |
| SOX Section 802 | 7 years | Reasonable access | Financial audit workpapers |
| ISO 27001 A.12.4 | Per policy (typically 3-5 years) | Reasonable access | Event logging |
| FedRAMP | 1 year online, 3 years total | 90 days online | Federal information systems |
┌──────────────────────────────────────────────────────────────┐
│ RETENTION LIFECYCLE │
│ │
│ ┌──────────┐ 90 days ┌──────────┐ 1 year ┌─────────┐ │
│ │ HOT │───────────▶│ WARM │─────────▶│ COLD │ │
│ │ Tier │ │ Tier │ │ Tier │ │
│ └──────────┘ └──────────┘ └─────────┘ │
│ CloudWatch S3 Standard-IA S3 Glacier │
│ Elasticsearch or S3 One Zone-IA Deep Archive│
│ Searchable in Retrievable in Retrievable │
│ seconds seconds in hours │
│ $$$ per GB $$ per GB $ per GB │
│ │
│ LIFECYCLE POLICY CHECKLIST │
│ □ Hot → Warm transition is automated (not manual) │
│ □ Warm → Cold transition is automated │
│ □ Cold tier has Object Lock with retention matching policy │
│ □ Legal hold can freeze deletion beyond normal retention │
│ □ Deletion after retention expiry is automated │
│ □ Lifecycle policy is version-controlled and auditable │
│ □ Cost monitoring alerts on unexpected log volume spikes │
│ │
│ LEGAL HOLD │
│ □ Mechanism exists to freeze specific date ranges │
│ □ Legal hold overrides normal retention deletion │
│ □ Legal hold can be applied by compliance, not engineers │
│ □ Legal hold events are themselves logged │
│ │
│ VERIFY BY: │
│ → Check S3 lifecycle rules or equivalent policies │
│ → Confirm Object Lock retention period matches policy │
│ → Attempt to delete a log in retention — must fail │
│ → Check that no data exists beyond retention + legal hold │
│ (GDPR: holding data too long is also a violation) │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ SIEM INTEGRATION CHECK │
│ │
│ FORWARDING PIPELINE │
│ □ All audit events reach the SIEM platform │
│ □ No events dropped between source and SIEM │
│ (compare event counts at source vs destination) │
│ □ Latency from event emission to SIEM ingestion < 5 min │
│ □ Log format matches SIEM parser expectations │
│ □ Timestamp parsing is correct (no timezone drift) │
│ □ High-volume events don't cause backpressure or drops │
│ □ Forwarding failures trigger alerts (not silent failure) │
│ │
│ REQUIRED ALERT RULES │
│ □ Brute force detection — N failed logins in M minutes │
│ □ Privilege escalation — role change to admin/owner │
│ □ Impossible travel — login from two distant IPs in < 1hr │
│ □ Mass data export — bulk download or large query results │
│ □ Off-hours admin activity — admin actions outside business │
│ □ Cross-tenant access attempt — any tenant boundary │
│ violation │
│ □ Account takeover signals — password change + email │
│ change in rapid succession │
│ □ Log gap detection — missing expected heartbeat events │
│ □ Log tampering — integrity check failures │
│ │
│ DASHBOARDS │
│ □ Authentication activity — logins, failures, lockouts │
│ □ Data access patterns — who accesses what, when │
│ □ Admin activity — all administrative actions over time │
│ □ Anomaly detection — deviations from baseline behavior │
│ □ Compliance metrics — log coverage, retention status │
│ │
│ VERIFY BY: │
│ → Generate a test event in the application │
│ → Confirm it appears in the SIEM within 5 minutes │
│ → Trigger each alert rule and confirm notification fires │
│ → Review dashboards for data completeness │
└──────────────────────────────────────────────────────────────┘
Audit logs with the longest retention must have the least PII. This is not optional.
┌──────────────────────────────────────────────────────────────┐
│ PII DETECTION IN AUDIT LOGS │
│ │
│ SCAN FOR THESE PATTERNS IN LOG OUTPUT │
│ │
│ □ Email addresses — grep -r "email\|@" in log statements │
│ □ Names — grep -r "name\|firstName\|lastName" in log calls │
│ □ Phone numbers — grep for phone/mobile fields in logging │
│ □ IP addresses — acceptable in audit logs (not PII in │
│ most frameworks, but check GDPR jurisdiction) │
│ □ Passwords — grep for password/secret in log statements │
│ (CRITICAL if found — passwords must NEVER be logged) │
│ □ Request bodies — check if full req.body is logged │
│ (may contain forms with passwords, PII) │
│ □ Error messages — check if errors include user data │
│ □ SQL queries — check if query parameters are logged │
│ (may contain PII used in WHERE clauses) │
│ │
│ PREVENTION PATTERNS │
│ │
│ 1. Allowlist, not blocklist │
│ → Log ONLY specified fields, not "everything minus PII" │
│ → New fields default to NOT logged │
│ │
│ 2. Redaction at the logging layer │
│ → Sanitize before writing, not after │
│ → PII that reaches storage is already a problem │
│ │
│ 3. Separate identity resolution │
│ → Audit log: { "actor": "usr_a1b2" } │
│ → Identity service: usr_a1b2 → "Jane Smith" │
│ → When the user is deleted, the audit log remains │
│ valid but de-identified │
│ │
│ GDPR RIGHT TO ERASURE │
│ □ Can you delete PII from audit logs on request? │
│ □ If not, is there a documented legal basis for retention? │
│ □ Are audit logs covered in your privacy policy? │
│ □ Is there a data processing agreement covering log storage?│
└──────────────────────────────────────────────────────────────┘
Map every finding to the specific regulatory control it affects.
| Control Area | HIPAA | PCI-DSS | SOC 2 | GDPR | What to Verify |
|---|---|---|---|---|---|
| Audit logging enabled | §164.312(b) | Req 10.1 | CC7.2 | Art. 30 | Every security event has a log entry |
| Unique user IDs | §164.312(a)(2)(i) | Req 10.1 | CC6.1 | — | Every event ties to a specific actor |
| Log timestamps | §164.312(b) | Req 10.4 | CC7.2 | — | Synchronized, UTC, NTP configured |
| Failed login logging | §164.312(b) | Req 10.2.4 | CC7.2 | — | Failed auth attempts captured |
| Access to audit trails | §164.312(b) | Req 10.5 | CC7.2 | — | Logs protected from unauthorized access |
| Log integrity | §164.312(c)(2) | Req 10.5.5 | CC7.2 | — | Tamper detection or prevention in place |
| Log retention | §164.530(j) | Req 10.7 | CC7.2 | Art. 5(1)(e) | Meets minimum retention per regulation |
| Privilege changes | §164.312(b) | Req 10.2.5 | CC6.1 | — | Role/permission changes logged |
| System clock sync | §164.312(b) | Req 10.4.1 | CC7.2 | — | NTP configured, time drift < 1 second |
| Log review process | §164.308(a)(1)(ii)(D) | Req 10.6 | CC7.2 | — | Regular review cadence documented |
| Data access logging | §164.312(b) | Req 10.2.1 | CC7.3 | Art. 30 | Access to sensitive data is logged |
| Admin action logging | §164.312(b) | Req 10.2.2 | CC6.1 | — | All admin operations captured |
| Log forwarding | §164.312(b) | Req 10.5.3 | CC7.2 | — | Logs forwarded to centralized/separate system |
| Alerting on anomalies | §164.308(a)(1)(ii)(D) | Req 10.6.1 | CC7.3 | — | Automated alerts for suspicious activity |
| Encryption of logs | §164.312(a)(2)(iv) | Req 10.5.4 | CC6.1 | Art. 32 | Logs encrypted at rest and in transit |
Logging without review is compliance theater.
┌──────────────────────────────────────────────────────────────┐
│ LOG REVIEW CADENCE │
│ │
│ DAILY (automated) │
│ □ Failed login threshold alerts reviewed │
│ □ Privilege escalation alerts reviewed │
│ □ Cross-tenant violation alerts reviewed │
│ □ Log pipeline health check (no gaps, no lag) │
│ │
│ WEEKLY (security team) │
│ □ Admin activity review — all admin actions summarized │
│ □ Data export review — who exported what, how much │
│ □ New user/role assignments — expected vs unexpected │
│ □ Alert tuning — false positive rate, missed detections │
│ │
│ MONTHLY (compliance officer) │
│ □ Log coverage report — taxonomy vs actual events logged │
│ □ Retention compliance — tiers operating correctly │
│ □ Integrity check results — any tamper indicators │
│ □ Access review — who accessed audit logs themselves │
│ │
│ QUARTERLY (leadership + compliance) │
│ □ Comprehensive audit log health report │
│ □ Regulatory mapping updates — new requirements │
│ □ Incident retrospectives — did logs support investigation │
│ □ Cost review — log storage optimization opportunities │
│ │
│ VERIFY BY: │
│ → Check that review assignments exist (ticketing system) │
│ → Check that review evidence is retained (meeting notes, │
│ sign-off records) │
│ → Auditors will ask "show me your last 3 monthly reviews" │
└──────────────────────────────────────────────────────────────┘
Use this master checklist at the end of every review.
□ Authentication events — login, logout, failed login, lockout
□ Authorization events — permission granted, denied, role changes
□ Data access events — record views, searches, exports, downloads
□ Data modification events — create, update, delete (single and bulk)
□ Admin action events — user management, config changes, impersonation
□ System events — service start/stop, migration, backup
□ Compliance events — retention purge, consent, data subject requests
□ API events — all endpoints producing side effects
□ Background job events — scheduled tasks, queue processing
□ Webhook events — inbound and outbound webhook execution
□ Error events — application errors, unhandled exceptions
□ Security events — rate limit triggers, WAF blocks, anomalies
□ Structured JSON format — no free-text log lines
□ Consistent event naming — dot-notation taxonomy
□ Required fields present on every event (timestamp, event, actor, action, result)
□ Correlation IDs propagated across all services
□ Tenant isolation — tenant_id on every event
□ No PII in event payloads — IDs only, no names/emails/content
□ Timestamps in UTC ISO 8601 with milliseconds
□ Severity levels used consistently
□ Audit logs stored separately from application database
□ Write-once / append-only storage enforced
□ Application credentials cannot delete audit entries
□ Tamper detection mechanism in place (hash chain, signing, Object Lock)
□ Cross-account or cross-system log destination configured
□ Encryption at rest enabled for all log storage tiers
□ Encryption in transit for all log forwarding
□ Log access itself is logged (meta-auditing)
□ Hot tier retention defined and automated (searchable, <90d)
□ Warm tier retention defined and automated (retrievable, <1yr)
□ Cold tier retention meets regulatory minimum (6yr+ for HIPAA)
□ Legal hold mechanism exists and has been tested
□ Automated deletion after retention expiry (GDPR compliance)
□ Lifecycle policy is version-controlled
□ Cost monitoring on log storage
□ All audit events forwarded to SIEM
□ No events dropped in forwarding pipeline (verified by count)
□ Latency from emission to SIEM ingestion < 5 minutes
□ Alert rules configured for critical security events
□ Dashboards exist for auth, data access, admin, anomalies
□ Alert escalation path defined and tested
□ Findings mapped to specific regulatory controls
□ Daily automated review of critical alerts
□ Weekly manual review of admin and data access patterns
□ Monthly compliance review with evidence retention
□ Quarterly comprehensive audit log health report
## Audit Logging Review Report
### Scope
- System reviewed: [application name]
- Date: [date]
- Reviewer: [name/role]
- Regulations in scope: [HIPAA, PCI-DSS, SOC 2, GDPR]
### Executive Summary
- Event taxonomy coverage: X/46 event types logged
- Schema compliance: [PASS/FAIL] — N issues found
- Storage immutability: [PASS/FAIL] — logs [are/are not] tamper-proof
- Retention compliance: [PASS/FAIL] — N tiers configured
- SIEM integration: [PASS/FAIL] — forwarding [active/missing]
- PII in logs: [PASS/FAIL] — N instances of PII found
### Findings by Severity
#### CRITICAL — Fix Before Next Audit
| # | Finding | Regulation | Impact | Remediation |
|---|---------|-----------|--------|-------------|
| 1 | [description] | [control ref] | [what happens if not fixed] | [how to fix] |
#### HIGH — Fix Within 30 Days
[same format]
#### MEDIUM — Fix Within 90 Days
[same format]
#### LOW — Track and Plan
[same format]
### Event Coverage Gap Analysis
| Event Category | Expected | Logged | Missing | Gap % |
|---------------|----------|--------|---------|-------|
| Authentication | 13 | ? | ? | ?% |
| Authorization | 6 | ? | ? | ?% |
| Data Access | 5 | ? | ? | ?% |
| Data Modification | 5 | ? | ? | ?% |
| Admin Actions | 8 | ? | ? | ?% |
| System Events | 5 | ? | ? | ?% |
| Compliance | 4 | ? | ? | ?% |
### Retention Status
| Tier | Policy | Actual | Compliant | Regulation |
|------|--------|--------|-----------|-----------|
| Hot | 90 days | ? | ? | PCI 10.7 |
| Warm | 1 year | ? | ? | PCI 10.7 |
| Cold | 6 years | ? | ? | HIPAA §164.530(j) |
### Recommendations
[prioritized list of improvements with effort estimates]
req.user thinking it only has an ID, but it might include name, email, and role. Check actual log output, not just the logging statements.npx claudepluginhub heaptracetechnology/heaptrace-skills --plugin heaptrace-complianceLogs security-relevant events (who, what, when, where, outcome) in a structured, tamper-evident format for real-time detection and forensic reconstruction. Use when designing audit infrastructure or preparing for SOC2, HIPAA, or PCI-DSS compliance.
Guides structured security logging for auth flows, admin actions, and access denials to enable detection, forensics, and incident response.
Detects logging failures including log injection (CWE-117), insufficient logging, secrets in logs, and audit trail issues in Python, Java, Go, TypeScript, and PHP during whitebox pentesting.