When using cloud.gov, anything your application writes to standard out is automatically captured by logs.fr.cloud.gov, so there is no need to manage log files yourself.

What to log

Things you are required to log:

  • Successful and unsuccessful account logon events
  • Account management events
  • Object access
    • Examples: reading database records or files on disk
  • Policy change
  • Privilege functions
  • Process tracking
  • System events
  • For Web applications:
    • All administrator activity
    • Authentication checks
    • Authorization checks
    • Data deletions
    • Data access
    • Data changes
    • Permission changes

This list comes from GSA’s AU-2a Parameter Requirement - see the “Audit and Accountability” doc on this page.

Do not log sensitive information.

Other notes

  • Events should be traceable back to the user who performed them (where possible) and to when they happened, so include things like:
    • The user ID
    • Timestamps, standardized in UTC
  • Make sure the required logging actually happens in production (not only in debug/development mode)
  • If not using cloud.gov, here are some things to think about:
    • Logs are captured to durable storage before rotation
    • Logs with sensitive data are only available to appropriate people
    • Logs can be browsed and drilled into with low latency (e.g. without having to grep raw files)
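As an added example (not code from this guide), here is a small audit-logging helper that applies the points above: it accepts only the AU-2a event categories listed under “What to log”, stamps each record in UTC, records the user ID, redacts fields that should never be logged, and writes one JSON line to standard out for cloud.gov to capture. The event names and the list of sensitive keys are constructed for the example.

```python
import json
import sys
from datetime import datetime, timezone

# Event categories from the AU-2a list above (constructed identifiers).
AUDIT_EVENTS = {
    "logon_success", "logon_failure", "account_management", "object_access",
    "policy_change", "privileged_function", "process_tracking", "system_event",
    "admin_activity", "authn_check", "authz_check", "data_delete",
    "data_access", "data_change", "permission_change",
}

# Field names that must never reach the log (constructed list; extend as needed).
SENSITIVE_KEYS = {"password", "token", "secret", "ssn", "authorization"}


def build_audit_record(event, user_id, outcome="success", **details):
    """Build one audit record; rejects unknown event types and redacts sensitive fields."""
    if event not in AUDIT_EVENTS:
        raise ValueError(f"not a required audit event: {event}")
    safe_details = {
        key: ("[REDACTED]" if key.lower() in SENSITIVE_KEYS else value)
        for key, value in details.items()
    }
    return {
        # Timestamps standardized in UTC, as the guide requires.
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "event": event,
        "user_id": user_id if user_id is not None else "anonymous",
        "outcome": outcome,
        "details": safe_details,
    }


def audit(event, user_id, outcome="success", stream=sys.stdout, **details):
    """Emit the record as a single JSON line on stdout and return it."""
    record = build_audit_record(event, user_id, outcome, **details)
    stream.write(json.dumps(record, sort_keys=True) + "\n")
    stream.flush()
    return record


if __name__ == "__main__":
    # A failed login: the client IP is kept, the submitted password is redacted.
    audit("logon_failure", "alice", outcome="failure",
          ip="203.0.113.5", password="hunter2")
    audit("data_delete", "admin-7", record_id=42)
```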