Audit Logging for Identity Systems: What to Log, How to Store It, and Why It Matters
A practical guide to audit logging in identity management systems — compliance requirements, implementation patterns, and what events to capture.
Every identity system needs audit logging. Whether it's for compliance (SOC 2, HIPAA, GDPR), security incident response, or simply understanding how your system is being used — if you can't answer "who did what, when, and from where," you have a problem.
What to Log
At minimum, an identity platform should log these events:
Authentication Events
- Successful logins (with method: password, SSO, social)
- Failed login attempts (with reason: wrong password, account locked, MFA failed)
- Logout events
- Password changes and resets
- MFA enrollment and verification
Authorization Events
- Role assignments and revocations
- Permission changes
- API key creation and deletion
- OAuth token grants and revocations
Administrative Events
- User creation, modification, and deactivation
- Organization changes (settings, branding, plans)
- SSO configuration changes
- Security policy updates
Data Access Events
- User data exports
- Bulk operations (user imports, license assignments)
- Sensitive data access (viewing passwords, decrypting secrets)
The Immutability Requirement
Audit logs must be immutable. If an attacker compromises an admin account, the logs of their actions must be tamper-proof. This means:
- Append-only storage — No UPDATE or DELETE operations on audit records
- Server-side timestamps — Never trust client-provided timestamps
- Separate access controls — Even super admins shouldn't be able to modify logs
- Cryptographic integrity — Hash chains or signed entries prevent silent tampering
In Calimatic Identity, audit logs are stored in append-only database tables with server-generated timestamps. Logs cannot be modified or deleted through any API endpoint.
Retention Policies
How long should you keep logs? It depends on your compliance requirements:
- SOC 2: Typically 1 year minimum
- HIPAA: 6 years
- GDPR: As long as necessary for the stated purpose
- PCI DSS: 1 year, with 3 months immediately available
Calimatic Identity offers configurable retention by plan:
- Starter: 7 days
- Business: 90 days
- Enterprise: Unlimited retention with export
Making Logs Useful
Raw logs are only valuable if you can search and analyze them effectively. Key practices:
Structured Logging — Every log entry should include: timestamp, actor (user ID), action, resource, organization, IP address, user agent, and result (success/failure).
Correlation IDs — Tag related events with a request ID so you can trace a single user action across multiple log entries.
Real-Time Alerting — Set up alerts for suspicious patterns: multiple failed logins, privilege escalation, admin actions outside business hours, or access from unusual locations.
Regular Review — Compliance frameworks require periodic log review. Schedule weekly reviews of admin actions and monthly reviews of access patterns.
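The following is an added example, not Calimatic Identity's own code: an in-memory Python sketch of the append-only, hash-chained, server-timestamped log described under "The Immutability Requirement", carrying the structured fields and correlation ID from the paragraphs above. The class name, field names and genesis value are assumptions; a real deployment would persist entries in an append-only table and keep the verification routine outside the admin role.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # assumed link value for the first entry in the chain


class AuditLog:
    """Append-only, hash-chained audit log (illustrative, in-memory).

    The timestamp is assigned here, server-side; callers cannot supply one.
    Every entry stores the hash of the previous entry, so editing or
    deleting any record breaks each later link and verify() reports it.
    """

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so the hash is reproducible.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, resource, organization, ip, user_agent, result, request_id):
        # request_id is the correlation ID tying related events together.
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {
            "seq": len(self._entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "resource": resource,
            "organization": organization, "ip": ip, "user_agent": user_agent,
            "result": result, "request_id": request_id,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self):
        return [dict(e) for e in self._entries]  # copies: no in-place edits leak back

    @staticmethod
    def verify(entries):
        """Recompute every hash and link; return (ok, first_bad_seq)."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev_hash"] != prev_hash or AuditLog._digest(e) != e["hash"]:
                return False, i
            prev_hash = e["hash"]
        return True, None
```

Storing the hash of the latest entry somewhere the admin tier cannot write (a separate store or a periodically signed checkpoint) is what turns this from tamper-evident-in-memory into something an investigator can rely on.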
Export and Integration
For enterprise customers, audit logs need to flow into existing SIEM (Security Information and Event Management) systems. Calimatic Identity supports:
- CSV/JSON export — Download logs for any date range
- API access — Query logs programmatically for custom integrations
- Configurable retention — Set retention policies per organization
Audit logging isn't glamorous, but it's one of the most important features in any identity system. When a security incident occurs — and eventually, one will — your audit logs are the difference between a quick resolution and a prolonged investigation.