# Audit Logs & Evidence Trails

Audit logging is a foundational compliance requirement that enables traceability, incident investigation, and accountability. Sprinto monitors whether critical systems are configured to generate, retain, and protect audit logs. It also verifies the presence of evidence trails for high-risk actions and access events.

This article explains how Sprinto evaluates audit log readiness, what platforms are covered, and how to resolve failing monitors related to audit logs and evidence trails.

***

### What is Monitored

Sprinto tracks the following categories of audit and evidence logging:

1. **System Audit Logs**
   * Records of login activity, user changes, permission escalations
   * Events tracked in cloud platforms, IAM tools, and critical systems
2. **Configuration Change Logs**
   * Infrastructure policy changes (e.g., firewall rules, storage settings)
   * Admin changes, permission updates, and role assignments
3. **Evidence Trails for Compliance**
   * Screenshots, reports, or workflow data that support completed checks
   * Auto-collected or manually submitted by teams during reviews
4. **Log Integrity & Tamper-Proofing**
   * Validation settings for tools like AWS CloudTrail
   * Secure delivery and immutability of logs

***

### Platforms & Services Monitored

| Platform | Logging Capability Monitored |
| --- | --- |
| **AWS** | CloudTrail setup, log validation, storage config |
| **Azure** | Activity logs, Diagnostic settings |
| **Google Cloud** | Audit logs via Cloud Audit Logging |
| **GitHub/GitLab** | Repository changes, permission updates |
| **Okta** | Authentication events, group/app assignment changes |
| **Sprinto** | Workflow evidence trails and check-level submissions |

***

### Key Monitors and How to Resolve

#### 1. **AWS CloudTrail: Log-File Integrity Validation Should Be Enabled**

* **What it checks**:\
  Log validation is enabled to detect tampering with AWS CloudTrail logs
* **How to resolve**:
  1. Go to **CloudTrail > Trails**
  2. Select your trail → Click **Edit**
  3. Enable **Log file validation**
  4. Ensure logs are being delivered to a versioned, encrypted S3 bucket
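The same criteria can be checked outside the console. The following is an added example (not Sprinto's code or an AWS tool): it evaluates constructed dicts shaped like the JSON from `aws cloudtrail describe-trails`, `aws s3api get-bucket-versioning` and `aws s3api get-bucket-encryption` against steps 3 and 4 above, and then shows what log file validation actually relies on by recomputing a log object's SHA-256 against the value a CloudTrail digest file records. Trail names, bucket names and the KMS key ARN are placeholders; the real end-to-end check, including the signed digest chain, is `aws cloudtrail validate-logs`.

```python
"""Added example: offline evaluation of the CloudTrail monitor's criteria.

Inputs are constructed dicts shaped like the JSON from
`aws cloudtrail describe-trails`, `aws s3api get-bucket-versioning` and
`aws s3api get-bucket-encryption`; trail, bucket and key names are made up."""
import hashlib

# Constructed sample: one compliant trail, one that would fail the monitor.
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "org-trail", "S3BucketName": "example-trail-logs",
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
        {"Name": "legacy-trail", "S3BucketName": "example-legacy-logs",
         "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
    ]
}

# Constructed: get-bucket-versioning returns no "Status" key for a bucket that
# was never versioned, so an empty dict models that case.
BUCKET_VERSIONING = {
    "example-trail-logs": {"Status": "Enabled"},
    "example-legacy-logs": {},
}

# Constructed: None models a bucket with no default-encryption rule configured.
BUCKET_ENCRYPTION = {
    "example-trail-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"}}]}},
    "example-legacy-logs": None,
}


def evaluate_trail(trail, versioning, encryption):
    """Return a list of findings for one trail; an empty list means it passes
    steps 3 and 4 (validation on, versioned and encrypted destination bucket)."""
    findings = []
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation is disabled")
    bucket = trail["S3BucketName"]
    if versioning.get(bucket, {}).get("Status") != "Enabled":
        findings.append(f"bucket {bucket} is not versioned")
    rules = ((encryption.get(bucket) or {})
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append(f"bucket {bucket} has no default encryption rule")
    return findings


def audit_trails(describe_trails, versioning, encryption):
    """Map each trail name to its findings."""
    return {t["Name"]: evaluate_trail(t, versioning, encryption)
            for t in describe_trails["trailList"]}


def log_file_matches_digest(log_object_bytes, digest_entry):
    """What validation checks: the digest file CloudTrail delivers every hour
    records a SHA-256 of each log object it covers (plus a signed chain to the
    previous digest, not modelled here). Recomputing the hash over the stored
    object shows whether it was altered after delivery."""
    if digest_entry.get("hashAlgorithm") != "SHA-256":
        raise ValueError("unexpected hash algorithm in digest entry")
    return hashlib.sha256(log_object_bytes).hexdigest() == digest_entry["hashValue"]


# Constructed log object and the digest entry CloudTrail would have recorded
# for it at delivery time (real objects are gzip-compressed JSON).
LOG_OBJECT = b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser"}}]}'
DIGEST_ENTRY = {"hashAlgorithm": "SHA-256",
                "hashValue": hashlib.sha256(LOG_OBJECT).hexdigest()}
TAMPERED_OBJECT = LOG_OBJECT.replace(b"ConsoleLogin", b"DescribeInstances")

if __name__ == "__main__":
    results = audit_trails(DESCRIBE_TRAILS, BUCKET_VERSIONING, BUCKET_ENCRYPTION)
    for name, findings in results.items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
    print("original object intact:", log_file_matches_digest(LOG_OBJECT, DIGEST_ENTRY))
    print("tampered object intact:", log_file_matches_digest(TAMPERED_OBJECT, DIGEST_ENTRY))
```

Run against real output by replacing the three constructed dicts with the parsed CLI JSON; a bucket that fails the versioning or encryption checks is what makes the monitor keep failing even after **Log file validation** is switched on.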

***

#### 2. **Azure: Diagnostic Settings Should Be Enabled**

* **What it checks**:\
  Diagnostic logs are being collected for key services (e.g., NSGs, SQL, Storage)
* **How to resolve**:
  1. Navigate to a resource (e.g., NSG, Storage)
  2. Go to **Monitoring > Diagnostic settings**
  3. Enable **AuditLogs**, **Metrics**, and **AllLogs**
  4. Route to Log Analytics or a storage account
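To confirm the resolution without clicking through each resource, the following added example (not Sprinto's code or an Azure tool) evaluates a constructed list shaped like the JSON from `az monitor diagnostic-settings list --resource <resource-id>`. The required set follows step 3 above; because the category names a resource type exposes vary, the check also accepts the `audit` and `allLogs` category groups, and it flags a setting that has no destination, which is the usual reason step 4 is missed. Setting names and resource ids are placeholders.

```python
"""Added example: offline check of the Azure diagnostic-settings monitor.

SETTINGS and FIXED_SETTINGS are constructed samples shaped like the list
returned by `az monitor diagnostic-settings list --resource <id>`."""

# A setting is only useful if it routes somewhere (Log Analytics workspace,
# storage account or event hub).
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

LAW_ID = "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law"

# Constructed: audit logs and metrics go to a workspace, but the only setting
# that enables the allLogs group has no destination at all.
SETTINGS = [
    {"name": "to-law", "workspaceId": LAW_ID, "storageAccountId": None,
     "eventHubAuthorizationRuleId": None,
     "logs": [{"category": None, "categoryGroup": "audit", "enabled": True}],
     "metrics": [{"category": "AllMetrics", "enabled": True}]},
    {"name": "orphan", "workspaceId": None, "storageAccountId": None,
     "eventHubAuthorizationRuleId": None,
     "logs": [{"category": None, "categoryGroup": "allLogs", "enabled": True}],
     "metrics": []},
]

# Constructed: the state after step 4, a single setting routed to the workspace.
FIXED_SETTINGS = [
    {"name": "to-law", "workspaceId": LAW_ID, "storageAccountId": None,
     "eventHubAuthorizationRuleId": None,
     "logs": [{"category": None, "categoryGroup": "allLogs", "enabled": True}],
     "metrics": [{"category": "AllMetrics", "enabled": True}]},
]


def evaluate_diagnostic_settings(settings):
    """Return findings for one resource across all of its diagnostic settings.
    It passes when audit logs, the allLogs group and metrics are enabled and
    every setting has a destination."""
    if not settings:
        return ["no diagnostic settings configured"]
    findings = []
    audit_on = all_on = metrics_on = False
    for s in settings:
        if not any(s.get(k) for k in DESTINATION_KEYS):
            findings.append(f"setting {s['name']} has no destination")
        for log in s.get("logs", []):
            if not log.get("enabled"):
                continue
            category = log.get("category") or ""
            group = log.get("categoryGroup") or ""
            if category == "AuditLogs" or group == "audit":
                audit_on = True
            if group == "allLogs":          # allLogs contains the audit categories too
                all_on = audit_on = True
        if any(m.get("enabled") for m in s.get("metrics", [])):
            metrics_on = True
    if not audit_on:
        findings.append("audit logs not enabled")
    if not all_on:
        findings.append("allLogs category group not enabled")
    if not metrics_on:
        findings.append("metrics not enabled")
    return findings


if __name__ == "__main__":
    print("before:", evaluate_diagnostic_settings(SETTINGS))
    print("after: ", evaluate_diagnostic_settings(FIXED_SETTINGS))
    print("empty: ", evaluate_diagnostic_settings([]))
```

Older CLI versions wrap the list in a `{"value": [...]}` object; pass the inner list in that case.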

***

#### 3. **GCP: Cloud Audit Logs Must Be Active**

* **What it checks**:\
  Admin activity logs and data access logs are enabled for GCP resources
* **How to resolve**:
  1. Go to **IAM & Admin > Audit Logs**
  2. Enable logging for each service under **Admin Read**, **Data Write**, and **Data Read**
  3. Set retention and destination (Cloud Logging or Storage)
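The Audit Logs page writes its state into the project's IAM policy as `auditConfigs`, so step 2 can be verified from `gcloud projects get-iam-policy PROJECT --format=json`. The following added example (not Sprinto's code or a Google tool) checks a constructed policy for the three Data Access log types named above and also surfaces exempted members, since an exemption silently drops the log for that principal even when the log type shows as enabled. Admin Activity (`ADMIN_WRITE`) logs are always on and not configurable, so they are not checked. Project, service and member values are placeholders; the union merge of `allServices` with a service-specific entry is modelled here as an assumption about how the two combine.

```python
"""Added example: check a GCP project's IAM policy for the Data Access audit
log configuration the monitor requires. POLICY is a constructed sample shaped
like `gcloud projects get-iam-policy PROJECT --format=json`; only auditConfigs
is used."""

# The configurable Data Access log types from step 2 of the procedure.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_WRITE", "DATA_READ"}

# Constructed: DATA_READ is only enabled for Cloud Storage, with one exemption.
POLICY = {
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ",
                              "exemptedMembers": ["user:[email protected]"]}]},
    ],
    "bindings": [],
    "etag": "PLACEHOLDER",
}


def effective_audit_config(policy, service):
    """Merge the allServices entry with the service-specific entry.
    Enabled log types and exempted members are unioned (assumption: this is
    how the two entries combine). Returns {logType: set(exemptedMembers)}."""
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            members = enabled.setdefault(log_cfg["logType"], set())
            members.update(log_cfg.get("exemptedMembers", []))
    return enabled


def audit_service(policy, service):
    """Findings for one service: missing log types, then any exemptions."""
    cfg = effective_audit_config(policy, service)
    findings = [f"{service}: {lt} logging not enabled"
                for lt in sorted(REQUIRED_LOG_TYPES - set(cfg))]
    for log_type, members in sorted(cfg.items()):
        for member in sorted(members):
            findings.append(f"{service}: {log_type} exempts {member} "
                            "(no log is written for their calls)")
    return findings


def audit_project(policy, services):
    """Map each service of interest to its findings."""
    return {s: audit_service(policy, s) for s in services}


if __name__ == "__main__":
    report = audit_project(POLICY, ["storage.googleapis.com", "cloudsql.googleapis.com"])
    for service, findings in report.items():
        print(service, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   ", f)
```

Enabling the three log types under `allServices` clears the "not enabled" findings for every service at once; exemptions have to be removed on the entry that added them.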

***

#### 4. **Sprinto: Evidence Must Be Uploaded for Manual Checks**

* **What it checks**:\
  Evidence is present for manually scoped workflow checks or assessments
* **How to resolve**:
  1. Go to **Monitoring > Check History**
  2. Locate failing check → Click **Upload Evidence**
  3. Attach relevant files (e.g., screenshots, PDFs)
  4. Click **Mark as Resolved**

***

### Best Practices

* Enable logging for **all privileged actions** and high-risk systems
* Store logs in **encrypted, write-once storage** (e.g., versioned S3 buckets)
* Enforce **retention policies** per framework (e.g., SOC 2, ISO 27001)
* Automate evidence collection where possible (e.g., Sprinto workflow integrations)
* Review audit logs quarterly for coverage gaps or anomalies
