Audit Logs & Evidence Trails

Ensure audit logs and compliance evidence are securely collected, validated, and retained across AWS, Azure, GCP, and Sprinto to meet audit readiness and monitoring requirements.

Audit logging is a foundational compliance requirement that enables traceability, incident investigation, and accountability. Sprinto monitors whether critical systems are configured to generate, retain, and protect audit logs. It also verifies the presence of evidence trails for high-risk actions and access events.

This article explains how Sprinto evaluates audit log readiness, what platforms are covered, and how to resolve failing monitors related to audit logs and evidence trails.


What is Monitored

Sprinto tracks the following categories of audit and evidence logging:

  1. System Audit Logs

    • Records of login activity, user changes, permission escalations

    • Events tracked in cloud platforms, IAM tools, and critical systems

  2. Configuration Change Logs

    • Infrastructure policy changes (e.g., firewall rules, storage settings)

    • Admin changes, permission updates, and role assignments

  3. Evidence Trails for Compliance

    • Screenshots, reports, or workflow data that support completed checks

    • Auto-collected or manually submitted by teams during reviews

  4. Log Integrity & Tamper-Proofing

    • Validation settings for tools like AWS CloudTrail

    • Secure delivery and immutability of logs


Platforms & Services Monitored

Platform        Logging Capability Monitored
AWS             CloudTrail setup, log validation, storage config
Azure           Activity logs, Diagnostic settings
Google Cloud    Audit logs via Cloud Audit Logging
GitHub/GitLab   Repository changes, permission updates
Okta            Authentication events, group/app assignment changes
Sprinto         Workflow evidence trails and check-level submissions


Key Monitors and How to Resolve

1. AWS CloudTrail: Log-File Integrity Validation Should Be Enabled

  • What it checks: Log validation is enabled to detect tampering with AWS CloudTrail logs

  • How to resolve:

    1. Go to CloudTrail > Trails

    2. Select your trail → Click Edit

    3. Enable Log file validation

    4. Ensure logs are being delivered to a versioned, encrypted S3 bucket
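The four steps above can be checked programmatically. The following is an added example (not Sprinto's or AWS's own code) that evaluates a trail the way this monitor does: log file validation on, and delivery to a versioned, encrypted S3 bucket. The input dicts mirror the shapes returned by boto3's describe_trails (one trail entry), get_bucket_versioning and get_bucket_encryption; the trail name, bucket name, key alias and both sample configurations are constructed for illustration.

```python
"""Evaluate a CloudTrail trail: log file validation enabled, and delivery to a
versioned, encrypted S3 bucket. Added example; inputs mirror boto3 shapes."""
from typing import Dict, List

# Constructed sample: a trail that would fail the monitor.
FAILING_TRAIL = {"Name": "org-trail", "S3BucketName": "example-trail-logs",
                 "LogFileValidationEnabled": False}
FAILING_VERSIONING = {}   # no "Status" key: versioning was never enabled
FAILING_ENCRYPTION = {}   # no default encryption rule on the bucket

# Constructed sample: the same trail after the four remediation steps.
PASSING_TRAIL = {"Name": "org-trail", "S3BucketName": "example-trail-logs",
                 "LogFileValidationEnabled": True}
PASSING_VERSIONING = {"Status": "Enabled"}
PASSING_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "alias/example-trail-key"}}]}}


def evaluate_trail(trail: Dict, versioning: Dict, encryption: Dict) -> List[str]:
    """Return the findings for a trail; an empty list means it passes."""
    findings = []
    if not trail.get("S3BucketName"):
        findings.append("no S3 bucket configured for log delivery")
    if not trail.get("LogFileValidationEnabled"):
        # Without validation CloudTrail writes no digest files, so a modified
        # or deleted log file cannot be detected afterwards.
        findings.append("log file validation disabled")
    if versioning.get("Status") != "Enabled":
        # An overwritten object in an unversioned bucket leaves nothing to recover.
        findings.append("log bucket versioning not enabled")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append("log bucket has no default server-side encryption")
    return findings


def fetch_trail_inputs(trail_name: str):
    """Pull the same three inputs from a live account. Needs boto3 and AWS
    credentials, so it is not exercised offline."""
    import boto3  # imported here so evaluate_trail() runs without boto3 installed
    from botocore.exceptions import ClientError
    trail = boto3.client("cloudtrail").describe_trails(
        trailNameList=[trail_name])["trailList"][0]
    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=trail["S3BucketName"])
    try:
        encryption = s3.get_bucket_encryption(Bucket=trail["S3BucketName"])
    except ClientError as err:  # raised when the bucket has no encryption configuration
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        encryption = {}
    return trail, versioning, encryption


if __name__ == "__main__":
    for label, args in (("failing", (FAILING_TRAIL, FAILING_VERSIONING, FAILING_ENCRYPTION)),
                        ("passing", (PASSING_TRAIL, PASSING_VERSIONING, PASSING_ENCRYPTION))):
        print(label, evaluate_trail(*args) or ["ok"])
```

Step 3 of the procedure corresponds to `aws cloudtrail update-trail --name org-trail --enable-log-file-validation`, and step 4 to `aws s3api put-bucket-versioning` and `aws s3api put-bucket-encryption` on the delivery bucket. Validation only protects log files written after it is turned on; earlier files have no digest and stay unverifiable.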


2. Azure: Diagnostic Settings Should Be Enabled

  • What it checks: Diagnostic logs are being collected for key services (e.g., NSGs, SQL, Storage)

  • How to resolve:

    1. Navigate to a resource (e.g., NSG, Storage)

    2. Go to Monitoring > Diagnostic settings

    3. Enable AuditLogs, Metrics, and AllLogs

    4. Route to Log Analytics or a storage account
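The same check for Azure, as an added example that is not Sprinto's or Microsoft's code: it evaluates one diagnostic setting for the log categories, metrics and destination the steps above require. The field names (logs, metrics, category, categoryGroup, enabled, workspaceId, storageAccountId, eventHubAuthorizationRuleId) follow the Azure Monitor diagnostic settings resource as returned by the REST API or `az monitor diagnostic-settings list`; the setting name, workspace id and both sample settings are constructed.

```python
"""Evaluate an Azure Monitor diagnostic setting: audit and allLogs category
groups enabled, metrics enabled, and a destination configured. Added example."""
from typing import Dict, List

DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

# Constructed sample: one log category enabled, no metrics, no destination.
INCOMPLETE_SETTING = {
    "name": "diag-nsg",
    "logs": [{"category": "NetworkSecurityGroupEvent", "enabled": True}],
    "metrics": [],
}

# Constructed sample: category groups and metrics enabled, routed to Log Analytics.
COMPLETE_SETTING = {
    "name": "diag-nsg",
    "logs": [{"categoryGroup": "audit", "enabled": True},
             {"categoryGroup": "allLogs", "enabled": True}],
    "metrics": [{"category": "AllMetrics", "enabled": True}],
    "workspaceId": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                    "rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central"),
}


def evaluate_diagnostic_setting(setting: Dict) -> List[str]:
    """Return the findings for one diagnostic setting; empty means it passes."""
    findings = []
    enabled_logs = [entry for entry in setting.get("logs", []) if entry.get("enabled")]
    groups = {entry.get("categoryGroup") for entry in enabled_logs}
    if "allLogs" not in groups:
        findings.append("allLogs category group not enabled")
    # allLogs is a superset of audit, so either group satisfies the audit requirement.
    if not groups & {"audit", "allLogs"}:
        findings.append("audit log categories not enabled")
    if not any(metric.get("enabled") for metric in setting.get("metrics", [])):
        findings.append("metrics not enabled")
    if not any(setting.get(key) for key in DESTINATION_KEYS):
        findings.append("no destination: route to Log Analytics, a storage account or an event hub")
    return findings


def resource_passes(settings: List[Dict]) -> bool:
    """A resource passes when at least one of its diagnostic settings passes.
    A resource with no settings at all fails."""
    return any(not evaluate_diagnostic_setting(setting) for setting in settings)


if __name__ == "__main__":
    for setting in (INCOMPLETE_SETTING, COMPLETE_SETTING):
        print(setting["name"], evaluate_diagnostic_setting(setting) or ["ok"])
```

Pull the settings for a resource with `az monitor diagnostic-settings list --resource <resource id>` and feed each entry to the function. Category group names are resource-type specific, so a resource type that exposes no "audit" group relies on allLogs.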


3. GCP: Cloud Audit Logs Must Be Active

  • What it checks: Admin activity logs and data access logs are enabled for GCP resources

  • How to resolve:

    1. Go to IAM & Admin > Audit Logs

    2. Enable logging for each service under Admin Read, Data Write, and Data Read

    3. Set retention and destination (Cloud Logging or Storage)
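Steps 1 and 2 above set the Data Access audit log types in the project's IAM policy. The following added example (not Sprinto's or Google's code) reports which of Admin Read, Data Write and Data Read are missing for a set of services and produces a corrected policy. The policy shape (auditConfigs with service and auditLogConfigs/logType) is the IAM policy format that `gcloud projects get-iam-policy --format=json` emits; the sample policy, its etag and its member are constructed. Admin Activity logs are always on in GCP and do not appear in this structure; only the Data Access log types are configurable. Step 3 (retention and destination) is outside this example.

```python
"""Find and fill gaps in a GCP project's Data Access audit log configuration.
Added example; the sample policy is constructed."""
import copy
from typing import Dict, List, Set

REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample: Cloud Storage lacks DATA_READ, BigQuery has no entry at all.
SAMPLE_POLICY = {
    "etag": "BwXexample==",  # placeholder; gcloud supplies the real etag
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]},
    ],
}


def enabled_log_types(policy: Dict, service: str) -> Set[str]:
    """Log types enabled for a service, including those set under allServices."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            enabled |= {entry["logType"] for entry in cfg.get("auditLogConfigs", [])}
    return enabled


def audit_config_gaps(policy: Dict, services: List[str]) -> Dict[str, List[str]]:
    """Return {service: [missing log types]} for services not fully covered."""
    gaps = {}
    for service in services:
        enabled = enabled_log_types(policy, service)
        missing = [t for t in REQUIRED_LOG_TYPES if t not in enabled]
        if missing:
            gaps[service] = missing
    return gaps


def with_required_audit_logs(policy: Dict) -> Dict:
    """Return a copy of the policy with all three log types enabled for every
    service through an allServices entry. Existing per-service entries and any
    exemptedMembers are left untouched; the input policy is not modified."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == "allServices"), None)
    if entry is None:
        entry = {"service": "allServices", "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return fixed


if __name__ == "__main__":
    services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    print("gaps before:", audit_config_gaps(SAMPLE_POLICY, services))
    print("gaps after:", audit_config_gaps(with_required_audit_logs(SAMPLE_POLICY), services))
```

Apply the corrected policy with `gcloud projects set-iam-policy PROJECT_ID policy.json`, keeping the etag from the policy you read so a concurrent change is not silently overwritten. Enabling DATA_READ for all services can raise log volume and Cloud Logging cost considerably, so confirm the retention and destination in step 3 before turning it on broadly.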


4. Sprinto: Evidence Must Be Uploaded for Manual Checks

  • What it checks: Evidence is present for manually scoped workflow checks or assessments

  • How to resolve:

    1. Go to Monitoring > Check History

    2. Locate failing check → Click Upload Evidence

    3. Attach relevant files (e.g., screenshots, PDFs)

    4. Click Mark as Resolved


Best Practices

  • Enable logging for all privileged actions and high-risk systems

  • Store logs in encrypted, write-once storage (e.g., versioned S3 buckets)

  • Enforce retention policies per framework (e.g., SOC 2, ISO 27001)

  • Automate evidence collection where possible (e.g., Sprinto workflow integrations)

  • Review audit logs quarterly for gaps or anomalies
