Audit Logging for SOC 2: What to Log, How to Retain
SOC 2 audit logging is more achievable than most teams think. The set of events you must capture is small and concrete, and the cost stays bounded if you tier storage by age.
What SOC 2 expects
SOC 2 (the Trust Services Criteria, chiefly the Security criteria) cares about access control, change management and data handling. The audit log is the evidence that these controls operated throughout the audit period, not just on the day the auditor asked.
Vague control descriptions ("we monitor access") fail audits. Specific log records that you can produce on request, for any day in the period, pass them.
Eight events to log
- 1. Authentication events: every login success and failure, with principal, source IP, method (password, SSO, API key) and whether MFA was satisfied.
- 2. Authorization decisions: allows and, above all, denies on sensitive resources, with the policy or role that decided.
- 3. Privileged-action attempts: anything run as root or admin, or through a break-glass path, logged when attempted, not only when it succeeds.
- 4. Configuration changes: who changed what and when, with old and new values, across infrastructure, IAM policy and application settings.
- 5. Data-access events for regulated data: reads, exports and deletions of PII, PHI or cardholder data, recording identifiers of the records touched, never their contents.
- 6. Account-lifecycle events: creation, role or permission change, suspension, deletion, and credential or key rotation.
- 7. Security-tool actions: alert silences, rule disables and policy overrides, with who did it and the stated justification.
- 8. Backup and restore events: job start, completion and failure, plus every restore, which is itself a data-access event.
Every record, whatever its type, needs the same envelope: a UTC timestamp, the actor, the action, the target, the outcome, the source address, and a request or correlation ID that ties it to other systems' records.
Retention durations
SOC 2 itself prescribes no retention period. What the auditor needs is log evidence covering the entire audit period (commonly 6 to 12 months for a Type II report) and a written retention policy you can show you follow. A common policy that satisfies this is 1 year of online, searchable retention plus 7 years archived; regulated industries (healthcare, finance) layer their own, often longer, statutory requirements on top.
The log records themselves, timestamps included, must be tamper-evident: hash chaining (each record carries a hash of the one before it), append-only or WORM storage (for example S3 Object Lock in compliance mode), or both. Clocks on every emitter should be NTP-synchronized and timestamps written in UTC; otherwise events from different systems cannot be ordered, and a chain proves nothing about when something happened.
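One concrete shape for both points above, the eight-event list and tamper evidence, as an added example that is not from the article: a structured audit record with a required envelope and an event_type drawn from the eight categories, chained so that each record carries the SHA-256 of its predecessor. The AuditLog class, the field and category names, and the sample events are this example's own assumptions; the events are constructed, not real logs.

```python
import hashlib
import json
from datetime import datetime, timezone

# The article's eight event categories (short names are this example's own).
EVENT_TYPES = {
    "authn", "authz", "privileged_action", "config_change",
    "data_access", "account_lifecycle", "security_tool", "backup_restore",
}
# Common envelope every record must carry, whatever its event type.
REQUIRED = ("actor", "action", "target", "outcome", "source_ip", "request_id")
GENESIS = "0" * 64  # prev_hash of the first record in a chain


def canonical(record: dict) -> bytes:
    # Deterministic serialization (sorted keys, no whitespace) so the hash does
    # not depend on dict ordering or pretty-printing.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only in-memory log where each record hashes its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, event_type, ts=None, **fields):
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event_type {event_type!r}")
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            raise ValueError(f"missing required fields: {missing}")
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="microseconds"),
            "event_type": event_type,
            "prev_hash": prev,
            **fields,
        }
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.records.append(body)
        return body["hash"]


def verify_chain(records):
    """Recompute every hash and check linkage. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample events (not real log data), four of the eight categories.
SAMPLE_EVENTS = [
    ("authn", dict(actor="alice", action="login", target="sso", outcome="success",
                   source_ip="203.0.113.7", request_id="r-001", mfa=True)),
    ("authz", dict(actor="alice", action="read", target="s3://phi-bucket/patient/42",
                   outcome="deny", source_ip="203.0.113.7", request_id="r-002")),
    ("privileged_action", dict(actor="bob", action="sudo", target="db-prod-1",
                               outcome="success", source_ip="198.51.100.9",
                               request_id="r-003")),
    ("security_tool", dict(actor="bob", action="silence_alert", target="rule:brute-force",
                           outcome="success", source_ip="198.51.100.9",
                           request_id="r-004", reason="planned load test")),
]


def build_sample_log():
    log = AuditLog()
    for i, (event_type, fields) in enumerate(SAMPLE_EVENTS):
        # Fixed timestamps keep the hashes reproducible for the checks below.
        log.append(event_type, ts=f"2024-05-01T12:00:0{i}.000000+00:00", **fields)
    return log


def tamper_demo():
    """Run verify_chain over an intact copy and three tampered copies."""
    records = build_sample_log().records
    edited = json.loads(json.dumps(records))
    edited[1]["outcome"] = "allow"        # rewrite a deny as an allow
    deleted = json.loads(json.dumps(records))
    del deleted[2]                         # drop the sudo record from the middle
    truncated = records[:3]                # drop the newest record from the tail
    return {
        "intact": verify_chain(records),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated": verify_chain(truncated),
    }
```

Editing or deleting any record breaks verification at that position. Note what the last case shows: cutting records off the tail leaves a valid chain, because nothing after the cut vouches for what was removed. Hash chaining therefore needs a partner, either append-only or WORM storage, or a periodically published checkpoint of the latest hash kept somewhere the log writers cannot reach.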
Storage architecture
Hot tier (queryable in seconds, expensive): the first 30-90 days. Warm tier (queryable in minutes): out to 1 year. Cold/archive (S3 Glacier-class): out to 7 years. At 50 GB/day with a 90-day hot band, the steady state is roughly 4.5 TB hot, 14 TB warm and 110 TB in archive, so the archive holds about 85% of all bytes and compression there matters most.
As an order-of-magnitude estimate at that volume: hot $200/mo, warm $300/mo, archive $50/mo, about $550/mo for 7-year retention. Check the figures against your provider's current list prices and your compression ratio, and budget separately for retrieval and egress, which Glacier-class storage charges on every audit pull.
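The tiering arithmetic above, and the lifecycle policy that implements it, as an added example (not the article's code): tiers modelled as non-overlapping age bands, steady-state volume per tier for a given daily ingest, the equivalent S3 lifecycle rule, and a check for the constraints S3 enforces on such rules. Band boundaries, tier names and the placeholder prices are this example's assumptions; the storage-class names and the 30-day minimum before transitioning to STANDARD_IA are AWS's.

```python
# Retention tiers as non-overlapping age bands: a record is hot until HOT_DAYS,
# warm until WARM_DAYS, archived until ARCHIVE_DAYS, then expired.
HOT_DAYS, WARM_DAYS, ARCHIVE_DAYS = 90, 365, 7 * 365

# Placeholder per-GB-month prices (assumption): replace with your provider's list.
PLACEHOLDER_PRICES = {"hot": 0.10, "warm": 0.0125, "archive": 0.001}


def tier_for_age(age_days: int) -> str:
    """Which tier a record of the given age lives in under this policy."""
    if age_days < HOT_DAYS:
        return "hot"
    if age_days < WARM_DAYS:
        return "warm"
    if age_days < ARCHIVE_DAYS:
        return "archive"
    return "expired"


def steady_state_gb(gb_per_day: float) -> dict:
    """GB per tier once the pipeline has run long enough to fill every band."""
    return {
        "hot": gb_per_day * HOT_DAYS,
        "warm": gb_per_day * (WARM_DAYS - HOT_DAYS),
        "archive": gb_per_day * (ARCHIVE_DAYS - WARM_DAYS),
    }


def monthly_cost(gb_per_day: float, price_per_gb_month: dict) -> dict:
    """Monthly storage cost per tier; excludes retrieval and egress charges."""
    volumes = steady_state_gb(gb_per_day)
    costs = {tier: round(volumes[tier] * price_per_gb_month[tier], 2) for tier in volumes}
    costs["total"] = round(sum(costs.values()), 2)
    return costs


def s3_lifecycle_config(prefix: str = "audit/") -> dict:
    """S3 lifecycle rule implementing the same bands (storage classes are AWS's)."""
    return {"Rules": [{
        "ID": "audit-log-tiering",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": HOT_DAYS, "StorageClass": "STANDARD_IA"},
            {"Days": WARM_DAYS, "StorageClass": "DEEP_ARCHIVE"},
        ],
        "Expiration": {"Days": ARCHIVE_DAYS},
    }]}


def validate_lifecycle(config: dict) -> list:
    """Problems S3 (or the retention policy) would reject; empty list means OK."""
    problems = []
    for rule in config["Rules"]:
        transitions = rule.get("Transitions", [])
        days = [t["Days"] for t in transitions]
        if days != sorted(days) or len(set(days)) != len(days):
            problems.append(f"{rule['ID']}: transition days must strictly increase")
        for t in transitions:
            if t["StorageClass"] in ("STANDARD_IA", "ONEZONE_IA") and t["Days"] < 30:
                problems.append(f"{rule['ID']}: S3 requires 30 days in STANDARD before IA")
        exp = rule.get("Expiration", {}).get("Days")
        if exp is not None and days and exp <= days[-1]:
            problems.append(f"{rule['ID']}: expiration must come after the last transition")
        if exp is not None and exp < ARCHIVE_DAYS:
            problems.append(f"{rule['ID']}: expires before the 7-year retention floor")
    return problems
```

Pair the rule with S3 Object Lock in compliance mode on the bucket, so that no expiration rule, API call or administrator can delete a record before its retention date; the lifecycle rule then only moves bytes between storage classes until that date. monthly_cost deliberately leaves out retrieval and egress, which is where archive-tier budgets usually go wrong.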
Antipatterns
- One bucket, one tier, all retention: every byte pays hot-tier prices for 7 years, and cost explodes.
- No tamper evidence: a log that anyone with write access could rewrite is not evidence, and auditors will fail the control.
- Logging without parsing: free-text lines that can only be grepped make audit-time searches take days or fail outright. Emit structured records (JSON with fixed field names) at the source, not as an afterthought.
What to do this week
Three moves. (1) Pick one production system and apply this pattern to it first. (2) Before and after, check which of the eight events it actually emits and whether the records are tamper-evident and searchable. (3) Document each remaining gap and write a follow-up ticket for it, so the program stays alive between quarterly reviews.