
What is an Audit Log?

An audit log is a chronological, tamper-evident record of events and activities within a system — including user actions, access attempts, configuration changes, and security events — maintained for accountability, compliance, and forensic analysis.

Also known as: audit trail, security log, activity log

Audit logs answer the fundamental questions of security investigation: who did what, to which resource, when, and from where. They record events like user logins, data access, permission changes, API calls, administrative actions, and failed authentication attempts. In a security incident, audit logs are often the primary source of evidence for understanding the scope of a breach and the attacker's actions.

Effective audit logging requires several properties: completeness (all security-relevant events are captured), immutability (logs cannot be altered or deleted by the actors being audited), timestamps from a reliable source, sufficient detail (including the identity, action, target resource, and outcome), and secure storage separate from the systems being monitored. Many compliance frameworks — SOC 2, HIPAA, PCI-DSS, GDPR — mandate specific audit logging requirements.
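One way to get the tamper-evidence and detail properties described above, shown as an added example (not code from this page or from Vaulted): each entry records identity, action, target, outcome, time and source, and carries an HMAC over its fields plus the previous entry's MAC, so editing, deleting or reordering entries breaks the chain. The field names, key and sample events are constructed, and the sketch assumes the HMAC key and the expected entry count are held by a verifier outside the audited system.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first entry chains from

def _mac(key, prev_mac, record):
    # Canonical JSON: the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append_event(log, key, ts, actor, action, target, outcome, source):
    """Append one event: who did what, to which resource, when, from where."""
    record = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
              "target": target, "outcome": outcome, "source": source}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": _mac(key, prev_mac, record)})

def verify_chain(log, key, expected_len=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        record = entry["record"]
        # A deleted or reordered entry shows up as a sequence gap.
        if record.get("seq") != i:
            return False, i
        # An edited entry (or any entry after a forged one) fails its MAC.
        if not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, record)):
            return False, i
        prev_mac = entry["mac"]
    # Cutting entries off the end leaves a valid chain, so the expected
    # length has to come from a counter stored outside the log itself.
    if expected_len is not None and len(log) != expected_len:
        return False, len(log)
    return True, None

def build_sample_log(key):
    """Constructed sample events (documentation IP ranges, made-up users)."""
    log = []
    append_event(log, key, "2024-05-01T09:00:00Z", "alice", "login",
                 "admin-console", "success", "192.0.2.10")
    append_event(log, key, "2024-05-01T09:02:11Z", "alice", "grant_role",
                 "user:bob", "success", "192.0.2.10")
    append_event(log, key, "2024-05-01T09:05:40Z", "mallory", "login",
                 "admin-console", "failure", "198.51.100.7")
    return log

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: real key lives off-host
    print(verify_chain(build_sample_log(demo_key), demo_key))
```

The truncation case is the one a chain alone cannot catch, which is why the entry count (or the latest MAC) needs to be stored separately from the log.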

The challenge with audit logs is balancing thoroughness with privacy and storage. Logging too little leaves gaps in forensic capability. Logging too much can create privacy concerns (especially with GDPR's data minimization principle), generate enormous storage costs, and paradoxically make it harder to find relevant events in the noise. Organizations must define what constitutes a security-relevant event and ensure those events are captured without over-collecting sensitive data.

How Vaulted uses Audit Logs

Vaulted's zero-knowledge architecture places deliberate limits on what can be audited. The server logs operational metadata — such as secret creation timestamps, view counts, and expiration events — but never logs encrypted content or encryption keys, because it never possesses them. This approach aligns with data minimization principles: the audit trail captures enough to monitor system health and detect abuse patterns, without creating a record that could expose sensitive data if the logs themselves were compromised.