Greetings Sexperts.... (Sec+experts) 😉
Wanted your 2 cents about this topic. Essentially, I'd like to gain more clarity on what the difference is between an audit trail and logging in the context of an application/system. Are they the same, and is the generation of an audit trail possible without the gathering of logs? Is the difference related to the events recorded (an audit trail referring to activity and logging referring to who, when, what...)? Share your thoughts, please.
An audit trail is a specialized form of logging with a very specific goal, from NIST:
"Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. This bulletin focuses on audit trails as a technical control and discusses the benefits and objectives of audit trails, the types of audit trails, and some common implementation issues."
Nice read, vds - thank you for that link. It kind of confirms that an audit trail is essentially logging - I believe that gathering various types of logs using syslog, for example, could be called generating an audit trail. Essentially, an audit trail is the combination of the various types of logs that systems produce, which provides the capability to track down an action/event to an individual - is that a correct assumption in your opinion?
Deyan, you are welcome. Could be, but it really depends on the specifics of your systems; it is different if we talk about an operating system, a specific application/service, or an IoT device.
Let's use an analogy. Investigation of a burglary may require the collection of evidence from monitoring systems. All that information, once properly collected, filtered and compiled, could be seen as the audit trail.
But to make this possible, the monitoring systems have to be properly set up / configured in advance to pick up specific information, and properly retain it. Utilization of the monitoring systems to track specific activities could be seen as logging.
Audit trails depend on logging...
So essentially, logging is a source for the audit trail, and its effectiveness depends on the logging solutions.
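To make the "logging is the source, the audit trail is what you compile from it" point concrete, here is an added example (not from anyone in this thread). It parses a handful of constructed syslog lines in the default OpenSSH and sudo message formats, and compiles them into a per-user audit trail that answers who, when, from where and what. It also shows the dependency the analogy describes: a privileged command for which no login record was logged (or retained) can be tied to a username but not to the origin of the session. The sample lines, hostnames and IP addresses are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines (made up for this example; default OpenSSH/sudo formats assumed).
SAMPLE_SYSLOG = """\
Mar  4 09:12:01 web01 sshd[2311]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:examplefingerprint
Mar  4 09:12:01 web01 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  4 09:13:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/nginx/nginx.conf
Mar  4 09:20:30 web01 sshd[2311]: pam_unix(sshd:session): session closed for user alice
Mar  4 09:21:00 web01 sshd[2400]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Mar  4 09:25:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# Generic BSD-syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class AuditEvent:
    """One audit-trail entry: who did what, when, on which host, and from where."""
    time: str
    host: str
    user: str
    action: str
    detail: str
    source_ip: Optional[str]  # origin of the session, only known if a login record exists


def build_audit_trail(syslog_text: str) -> List[AuditEvent]:
    """Compile raw log lines into audit events, linking sudo commands to the SSH session that ran them."""
    events: List[AuditEvent] = []
    open_sessions = {}  # user -> source IP of the most recent accepted login
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a line we know how to interpret; keep going
        ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
        if prog == "sshd":
            lm = LOGIN_RE.search(msg)
            fm = FAILED_RE.search(msg)
            cm = SESSION_CLOSE_RE.search(msg)
            if lm:
                open_sessions[lm["user"]] = lm["ip"]
                events.append(AuditEvent(ts, host, lm["user"], "login", f"{lm['method']} from {lm['ip']}", lm["ip"]))
            elif fm:
                events.append(AuditEvent(ts, host, fm["user"], "login_failed", f"{fm['method']} from {fm['ip']}", fm["ip"]))
            elif cm:
                ip = open_sessions.pop(cm["user"], None)
                events.append(AuditEvent(ts, host, cm["user"], "logout", "session closed", ip))
        elif prog == "sudo":
            sm = SUDO_RE.match(msg)
            if sm:
                # Attribution to the session origin only works if the login was logged and retained.
                events.append(AuditEvent(ts, host, sm["user"], "privileged_command",
                                         f"as {sm['target']}: {sm['cmd']}", open_sessions.get(sm["user"])))
    return events


def trail_for(events: List[AuditEvent], user: str) -> List[AuditEvent]:
    """The audit trail of a single individual, in log order."""
    return [e for e in events if e.user == user]


def unattributed(events: List[AuditEvent]) -> List[AuditEvent]:
    """Privileged actions whose session origin is unknown: a gap in the logging, not in the parser."""
    return [e for e in events if e.action == "privileged_command" and e.source_ip is None]


if __name__ == "__main__":
    trail = build_audit_trail(SAMPLE_SYSLOG)
    for e in trail:
        print(f"{e.time} {e.host} user={e.user} src={e.source_ip or '?'} {e.action}: {e.detail}")
    for e in unattributed(trail):
        print(f"WARNING: no login record for {e.user}; origin of '{e.detail}' cannot be established")
```

Running it lists alice's login, her two privileged commands and her logout, all tied to 10.0.0.5, the failed attempt against "admin" from 203.0.113.7, and bob's sudo command flagged as unattributed because no sshd login for bob appears in the lines. That last case is exactly why the monitoring has to be configured (and retained) in advance: the trail can only be as complete as the logs it is compiled from.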
An audit trail is often a hot topic when it comes to correlating incidents based on the logs, and it is used in digital forensics as well.
Thank you so much, guys - I really have more confidence talking about that now.