Cloud Logging & Audit Trails — CloudTrail, Azure Monitor & Audit Logs Guide
In this tutorial, you'll learn about Cloud Logging & Audit Trails. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud logging and audit trails capture every API call, configuration change, and access attempt across your cloud accounts using services like AWS CloudTrail, Azure Monitor, and GCP Cloud Audit Logs.
What You Will Learn
How to configure comprehensive audit logging, aggregate logs from multiple accounts and regions, set retention policies for compliance, and build real-time alerts on suspicious activity.
Why It Matters
Without audit logs, you cannot detect unauthorized access, prove compliance during audits, or investigate security incidents. Cloud logging is the foundation of every security program.
Real-World Use
DodaTech's security team maintains a centralized log archive in an immutable S3 bucket. CloudTrail logs from 50 AWS accounts, Azure Activity logs from 30 subscriptions, and GCP Audit Logs from 20 projects are all shipped to a single SIEM platform for correlation.
Log Architecture
flowchart TD
subgraph AWS
CT[AWS CloudTrail] --> CreateTrail[Trail\nMulti-Region]
CreateTrail --> S3[S3 Log Archive]
end
subgraph Azure
AZ[Azure Monitor] --> LA[Log Analytics Workspace]
LA --> Export[Export to Storage]
end
subgraph GCP
GCP[Cloud Audit Logs] --> LS[Log Sink]
LS --> GCS[Cloud Storage Bucket]
end
S3 --> Central["Central Log Bucket\nImmutable / Cross-Region"]
Export --> Central
GCS --> Central
Central --> SIEM["SIEM / Analytics"]
style Central fill:#f90,color:#fff
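The architecture above only pays off if the SIEM can compare events from the three clouds, and each cloud names the caller, the action and the source address differently. The following Python is an added example, not code from the page or from any of the cloud vendors: it parses one constructed record per cloud (field names follow the CloudTrail record format, the Azure Activity log export schema and the GCP AuditLog payload; every value is invented) into one schema and indexes the result by source IP so a single address can be followed across providers.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


@dataclass(frozen=True)
class AuditEvent:
    cloud: str                 # "aws", "azure" or "gcp"
    time: datetime             # always timezone-aware UTC
    principal: Optional[str]   # IAM user, UPN or service-account e-mail
    action: str                # service:method in each cloud's own vocabulary
    source_ip: Optional[str]
    scope: str                 # AWS account id, Azure subscription id or GCP project id


def _ts(value: str) -> datetime:
    # All three clouds emit RFC 3339 timestamps; map a trailing "Z" to an offset
    # so fromisoformat accepts it on every Python 3 version.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def from_cloudtrail(rec: dict) -> AuditEvent:
    ident = rec.get("userIdentity", {})
    # Root and assumed-role identities carry no userName; fall back to the ARN.
    principal = ident.get("userName") or ident.get("arn")
    return AuditEvent("aws", _ts(rec["eventTime"]), principal,
                      f'{rec["eventSource"]}:{rec["eventName"]}',
                      rec.get("sourceIPAddress"), rec.get("recipientAccountId", ""))


def from_azure_activity(rec: dict) -> AuditEvent:
    claims = rec.get("identity", {}).get("claims", {})
    # Interactive users carry a UPN claim; service principals carry appid instead.
    principal = claims.get(UPN_CLAIM) or claims.get("appid")
    parts = rec["resourceId"].strip("/").split("/")
    sub = parts[1].lower() if len(parts) > 1 and parts[0].upper() == "SUBSCRIPTIONS" else ""
    return AuditEvent("azure", _ts(rec["time"]), principal, rec["operationName"].lower(),
                      rec.get("callerIpAddress"), sub)


def from_gcp_audit(rec: dict) -> AuditEvent:
    payload = rec["protoPayload"]
    log_name = rec["logName"]
    project = log_name.split("/")[1] if log_name.startswith("projects/") else ""
    return AuditEvent("gcp", _ts(rec["timestamp"]),
                      payload.get("authenticationInfo", {}).get("principalEmail"),
                      f'{payload["serviceName"]}:{payload["methodName"]}',
                      payload.get("requestMetadata", {}).get("callerIp"), project)


def normalise(raw: dict) -> AuditEvent:
    """Pick the parser from fields that only one cloud's record shape has."""
    if "eventVersion" in raw and "userIdentity" in raw:
        return from_cloudtrail(raw)
    if "protoPayload" in raw and "logName" in raw:
        return from_gcp_audit(raw)
    if "operationName" in raw and "resourceId" in raw:
        return from_azure_activity(raw)
    raise ValueError("unrecognised audit record")


def by_source_ip(events) -> dict:
    """Index events by caller IP so one address can be followed across clouds."""
    index = {}
    for ev in events:
        index.setdefault(ev.source_ip, []).append(ev)
    return index


# Constructed sample records, one per cloud: field names follow each service's
# export format, the values are invented.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2026-06-24T08:30:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "arn": "arn:aws:iam::111122223333:user/admin"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "recipientAccountId": "111122223333"},
    {"time": "2026-06-24T09:15:00Z",
     "resourceId": "/SUBSCRIPTIONS/0000AAAA-0000-0000-0000-000000000001/RESOURCEGROUPS/PROD-RG"
                   "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "category": "Administrative", "resultType": "Success",
     "callerIpAddress": "203.0.113.50",
     "identity": {"claims": {UPN_CLAIM: "dev@dodatech.com"}}},
    {"timestamp": "2026-06-24T10:05:00Z",
     "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.create",
                      "authenticationInfo": {"principalEmail": "dev@dodatech.com"},
                      "requestMetadata": {"callerIp": "203.0.113.50"}}},
]

if __name__ == "__main__":
    events = [normalise(r) for r in SAMPLE_RECORDS]
    for ip, evs in sorted(by_source_ip(events).items()):
        print(ip, [(e.cloud, e.principal, e.action) for e in evs])
```

The normalised `time` is always an aware UTC datetime, which is what makes cross-cloud ordering reliable; the `action` field deliberately keeps each cloud's own method names rather than inventing a shared taxonomy, because analysts search for the names that appear in the vendor documentation.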
AWS CloudTrail
CloudTrail records all API activity across AWS services. Create a multi-region trail with log file integrity validation for production environments.
# Create a multi-region trail with log validation
aws cloudtrail create-trail \
  --name prod-trail \
  --s3-bucket-name dodatech-aws-logs \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --kms-key-id alias/cloudtrail-key
# Start logging
aws cloudtrail start-logging --name prod-trail
# Verify trail configuration
aws cloudtrail describe-trails --trail-name-list prod-trail
# Output:
# {
#   "trailList": [
#     {
#       "Name": "prod-trail",
#       "S3BucketName": "dodatech-aws-logs",
#       "IsMultiRegionTrail": true,
#       "LogFileValidationEnabled": true
#     }
#   ]
# }
# Search for specific events. The source IP and region are not top-level
# fields of lookup-events output; they sit inside the CloudTrailEvent JSON
# string, so select that string and unpack it with jq.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
  --start-time 2026-06-24T00:00:00Z \
  --query 'Events[*].CloudTrailEvent' \
  --output json \
  | jq -r '.[] | fromjson | [.eventTime, .userIdentity.userName, .sourceIPAddress, .awsRegion] | @tsv'
# Output (tab-separated: eventTime, userName, sourceIPAddress, awsRegion):
# 2026-06-24T08:30:00Z    admin       198.51.100.10    us-east-1
# 2026-06-24T09:15:00Z    dev-user    203.0.113.50     eu-west-1
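`--enable-log-file-validation` makes CloudTrail write an hourly digest file that lists every delivered log file with its SHA-256 hash and also carries the hash of the previous digest, so the digests form a chain; each digest is then signed with CloudTrail's RSA key. The Python below is an added example, not code from the page or the AWS CLI: it models that hash chain with `hashlib` over an in-memory "bucket" (a dict of constructed keys and contents) and shows what a reviewer sees when a log file is edited, and when the attacker also recomputes the digest that covers it. The RSA signature step, which needs the key from `aws cloudtrail list-public-keys`, is left out; for a real trail, run `aws cloudtrail validate-logs`.

```python
import copy
import hashlib
import json

ACCOUNT = "111122223333"   # constructed account id
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2026/06/24/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2026/06/24/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _digest(own_key, previous_key, bucket, log_keys) -> dict:
    """Build one digest: hashes of its log files plus the hash of the previous digest."""
    return {
        "awsAccountId": ACCOUNT,
        "digestS3Object": own_key,
        "previousDigestS3Object": previous_key,
        "previousDigestHashValue": sha256_hex(bucket[previous_key]) if previous_key else None,
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(bucket[k])} for k in log_keys],
    }


def build_sample_bucket():
    """Constructed in-memory bucket: two log files and two chained digests."""
    bucket = {}
    log_a, log_b = PREFIX + "log-a.json", PREFIX + "log-b.json"
    bucket[log_a] = json.dumps({"Records": [{"eventName": "ConsoleLogin",
                                             "userIdentity": {"userName": "admin"}}]}).encode()
    bucket[log_b] = json.dumps({"Records": [{"eventName": "PutUserPolicy",
                                             "userIdentity": {"userName": "admin"}}]}).encode()
    d1, d2 = DIGEST_PREFIX + "digest-1.json", DIGEST_PREFIX + "digest-2.json"
    bucket[d1] = json.dumps(_digest(d1, None, bucket, [log_a])).encode()
    bucket[d2] = json.dumps(_digest(d2, d1, bucket, [log_b])).encode()
    return bucket, d2


def verify_chain(bucket: dict, latest_digest_key: str) -> list:
    """Walk from the newest digest back to the first; return a list of findings."""
    findings = []
    key = latest_digest_key
    while key is not None:
        raw = bucket.get(key)
        if raw is None:
            findings.append(f"digest missing: {key}")
            break
        digest = json.loads(raw)
        for lf in digest["logFiles"]:
            content = bucket.get(lf["s3Object"])
            if content is None:
                findings.append(f"log file missing: {lf['s3Object']}")
            elif sha256_hex(content) != lf["hashValue"]:
                findings.append(f"log file modified: {lf['s3Object']}")
        prev = digest["previousDigestS3Object"]
        # The stored hash of the previous digest is the link that makes the chain.
        if prev in bucket and sha256_hex(bucket[prev]) != digest["previousDigestHashValue"]:
            findings.append(f"digest modified: {prev}")
        key = prev
    return findings


def with_tampered_log(bucket: dict, latest: str) -> list:
    """Scenario 1: an event inside a delivered log file is edited."""
    t = copy.deepcopy(bucket)
    log_a = PREFIX + "log-a.json"
    t[log_a] = t[log_a].replace(b"ConsoleLogin", b"DescribeTrails")
    return verify_chain(t, latest)


def with_rewritten_digest(bucket: dict, latest: str) -> list:
    """Scenario 2: the log is edited and digest-1 is recomputed to match it.
    The hash of digest-1 stored in digest-2 no longer agrees, so it still shows."""
    t = copy.deepcopy(bucket)
    log_a, d1 = PREFIX + "log-a.json", DIGEST_PREFIX + "digest-1.json"
    t[log_a] = t[log_a].replace(b"ConsoleLogin", b"DescribeTrails")
    digest = json.loads(t[d1])
    digest["logFiles"][0]["hashValue"] = sha256_hex(t[log_a])
    t[d1] = json.dumps(digest).encode()
    return verify_chain(t, latest)


if __name__ == "__main__":
    bucket, latest = build_sample_bucket()
    print("intact:", verify_chain(bucket, latest))
    print("edited log:", with_tampered_log(bucket, latest))
    print("edited log + recomputed digest:", with_rewritten_digest(bucket, latest))
```

The second scenario is the point of chaining: whoever edits a log file must also rewrite every later digest, and because real digests are signed, that requires CloudTrail's private key as well. The chain detects tampering after the fact; preventing it is the job of the immutable archive bucket covered later on this page.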
Azure Monitor
Azure Monitor collects activity logs, diagnostic logs, and metrics. Log Analytics Workspaces serve as the central ingestion point.
# Create a Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics \
  --location eastus
# Route the subscription's Activity log to the workspace. Activity-log
# diagnostic settings live at subscription scope, so use the "subscription"
# subcommand; --workspace takes the workspace resource ID, not its name.
WS_ID=$(az monitor log-analytics workspace show \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics \
  --query id --output tsv)
az monitor diagnostic-settings subscription create \
  --name "activity-to-loganalytics" \
  --location eastus \
  --workspace "$WS_ID" \
  --logs '[{"category": "Administrative", "enabled": true}, {"category": "Security", "enabled": true}]'
# Query sign-in logs. The SigninLogs table is only populated if Microsoft Entra ID
# sign-in logs are also routed to this workspace. The KQL goes in
# --analytics-query; --workspace takes the workspace ID (customerId).
WS_CUSTOMER_ID=$(az monitor log-analytics workspace show \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics \
  --query customerId --output tsv)
az monitor log-analytics query \
  --workspace "$WS_CUSTOMER_ID" \
  --analytics-query 'SigninLogs | where ResultType != "0" | summarize FailedAttempts = count() by UserPrincipalName, IPAddress | top 10 by FailedAttempts desc'
# Output:
# UserPrincipalName      IPAddress        FailedAttempts
# admin@dodatech.com     198.51.100.10    47
# dev@dodatech.com       203.0.113.50     12
GCP Cloud Audit Logs
GCP writes audit logs for every API call. Admin Activity logs track configuration changes and are always on. Data Access logs record reads and writes of user-provided data and are off by default for most services.
# Enable Data Access audit logs for Cloud Storage across the organization.
# Data Access logs are controlled by the auditConfigs section of the IAM
# policy, so export the policy, add the block, and re-apply it.
gcloud organizations get-iam-policy 123456789012 --format=yaml > policy.yaml
# Add (or merge into an existing) auditConfigs entry in policy.yaml:
#   auditConfigs:
#   - service: storage.googleapis.com
#     auditLogConfigs:
#     - logType: DATA_READ
#     - logType: DATA_WRITE
gcloud organizations set-iam-policy 123456789012 policy.yaml
# Create a log sink to BigQuery for analysis
gcloud logging sinks create prod-audit-sink \
  bigquery.googleapis.com/projects/my-project/datasets/audit_logs \
  --log-filter 'LOG_ID("cloudaudit.googleapis.com/activity")'
# The sink writes as the service account printed by the command above
# (writerIdentity); grant it roles/bigquery.dataEditor on the dataset or
# nothing will be delivered.
# View recent audit log entries
gcloud logging read 'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"' \
  --limit 5 \
  --format="table(timestamp,protoPayload.methodName,protoPayload.authenticationInfo.principalEmail)"
# Output:
# TIMESTAMP             METHOD_NAME             PRINCIPAL_EMAIL
# 2026-06-24T10:00:00Z  SetIamPolicy            admin@dodatech.com
# 2026-06-24T10:05:00Z  storage.objects.create  dev@dodatech.com
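Editing the IAM policy by hand is error-prone across 20 projects, and a careless rewrite of `auditConfigs` silently drops the `exemptedMembers` lists that keep noisy service accounts out of Data Access logs. The following Python is an added example, not page or Google code: it takes the policy dict that `gcloud projects get-iam-policy PROJECT --format=json` (or the `organizations` equivalent) returns, merges the requested log types into the entry for one service without disturbing anything else, and reports which log types are in force for a service. The sample policy is constructed; the `auditConfigs`, `auditLogConfigs`, `logType` and `exemptedMembers` keys are the ones the IAM policy schema uses.

```python
import copy

VALID_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def enable_data_access(policy: dict, service: str,
                       log_types=("DATA_READ", "DATA_WRITE")) -> dict:
    """Return a copy of `policy` with `log_types` enabled for `service`.

    Entries for other services are untouched, and an existing entry for this
    service is merged rather than replaced, so exemptedMembers already set on a
    log type survive. The etag is carried over unchanged: set-iam-policy uses it
    to reject the write if someone else changed the policy in the meantime.
    """
    unknown = set(log_types) - VALID_LOG_TYPES
    if unknown:
        raise ValueError(f"unknown audit log types: {sorted(unknown)}")
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in log_types:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return new_policy


def effective_log_types(policy: dict, service: str) -> set:
    """Log types in force for `service`: its own entry plus the allServices default."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return enabled


# Constructed sample in the shape `gcloud projects get-iam-policy --format=json` returns.
SAMPLE_POLICY = {
    "etag": "ETAG-PLACEHOLDER",   # the real value comes from get-iam-policy
    "bindings": [{"role": "roles/owner", "members": ["user:admin@dodatech.com"]}],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ",
                              "exemptedMembers": [
                                  "serviceAccount:backup@my-project.iam.gserviceaccount.com"]}]},
    ],
}

if __name__ == "__main__":
    import json
    updated = enable_data_access(SAMPLE_POLICY, "storage.googleapis.com")
    updated = enable_data_access(updated, "iam.googleapis.com",
                                 ("ADMIN_READ", "DATA_READ", "DATA_WRITE"))
    # Pipe this into set-iam-policy after checking it in review.
    print(json.dumps(updated["auditConfigs"], indent=2))
```

Because the function returns a new dict, the original policy can be diffed against the result before `set-iam-policy` is run, which is the review step most teams want for an organization-wide change.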
Log Retention and Immutability
Store logs in immutable storage for compliance. AWS S3 Object Lock, Azure Blob Storage immutability policies, and GCP bucket retention policies prevent log tampering, provided the lock is configured so that it cannot be shortened or removed by an account administrator.
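"Object Lock enabled" on its own does not guarantee an immutable archive: a GOVERNANCE-mode default retention can be bypassed by any principal holding `s3:BypassGovernanceRetention`, and a 30-day default does not satisfy a multi-year retention requirement. This Python is an added example, not page or AWS code: it evaluates an Object Lock configuration in the shape boto3's `get_object_lock_configuration` returns (both configurations below are constructed) against a minimum retention and returns the findings, with the weak setting beside the corrected one.

```python
def check_log_archive(lock_cfg: dict, min_years: int = 7) -> list:
    """Findings for a log-archive bucket's Object Lock configuration (empty list = OK)."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if retention is None:
        # Without a default rule, only objects whose PUT set a retention are locked.
        return ["no default retention rule: objects are locked only if each PUT sets its own retention"]
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode}: GOVERNANCE can be bypassed by any principal "
                        "holding s3:BypassGovernanceRetention, including the account's admins")
    # DefaultRetention carries either Days or Years, never both.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < 365 * min_years:
        findings.append(f"default retention of {days} days is below the {min_years}-year requirement")
    return findings


# Constructed responses in the shape boto3's get_object_lock_configuration returns.
WEAK_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

HARDENED_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_log_archive(cfg) or ["ok"])
```

The hardened form is what `aws s3api put-object-lock-configuration` should be given for the central archive; in COMPLIANCE mode no principal, including the root user, can shorten the retention or delete a locked version before it expires. Azure's time-based immutability policies and GCP's bucket retention policies have the same distinction between an unlocked policy that an administrator can relax and a locked one that cannot be relaxed, and the same check applies to them.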
Common Mistakes
- Not enabling multi-region trails: A single-region CloudTrail misses activity in other regions. Always enable multi-region trails.
- Short retention periods: compliance frameworks require 1-7 years of log retention. Archive logs to cold storage with appropriate retention policies.
- No centralized log aggregation: Logs scattered across 50 accounts and 3 clouds cannot be correlated. Aggregate everything into a central SIEM or data lake.
- Ignoring Data Access logs in GCP: Admin Activity logs are enabled by default. Data Access logs require explicit enablement and provide critical visibility.
- No real-time alerting on critical events: Logs that are never monitored are just noise. Set up alerts for ConsoleLogin, IAM policy changes, and security group modifications.
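The last item, and the Challenge at the end of this page, ask for rules that fire on ConsoleLogin, IAM policy changes and security group modifications. CloudWatch Events (now EventBridge) expresses those as event patterns in which every leaf is a list of accepted values. The Python below is an added example, not page or AWS code: it writes the three patterns in EventBridge's own syntax and implements the exact-match subset of EventBridge matching so the patterns can be tested offline against constructed CloudTrail records, wrapped the way EventBridge delivers them, before they are deployed with `aws events put-rule --event-pattern`. Prefix, anything-but and numeric matchers are not implemented.

```python
CONSOLE_LOGIN = {
    "source": ["aws.signin"],
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"]},
}
IAM_POLICY_CHANGE = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "eventName": ["PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
                             "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
                             "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
                             "DeletePolicy", "DeleteUserPolicy", "DeleteRolePolicy"]},
}
SECURITY_GROUP_CHANGE = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                             "CreateSecurityGroup", "DeleteSecurityGroup"]},
}
# IAM and sign-in events are global-service events: CloudTrail hands them to
# EventBridge in us-east-1, so the first two rules must be created in that region.
RULES = {"console-login": CONSOLE_LOGIN,
         "iam-policy-change": IAM_POLICY_CHANGE,
         "security-group-change": SECURITY_GROUP_CHANGE}


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge semantics: every pattern key must exist
    in the event; a list leaf matches if the event value is one of its members
    (OR); keys combine with AND; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def triggered_rules(event: dict) -> list:
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


def cloudtrail_envelope(record: dict, region: str = "us-east-1") -> dict:
    """Wrap a CloudTrail record the way EventBridge delivers it (constructed; the
    id and time fields of the real envelope are omitted)."""
    service = record["eventSource"].split(".")[0]
    detail_type = ("AWS Console Sign In via CloudTrail" if record["eventName"] == "ConsoleLogin"
                   else "AWS API Call via CloudTrail")
    return {"version": "0", "source": f"aws.{service}", "detail-type": detail_type,
            "region": region, "account": record.get("recipientAccountId", ""),
            "detail": record}


# Constructed CloudTrail records: one per rule plus a read-only call that must not fire.
SAMPLE_RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "sourceIPAddress": "198.51.100.10", "recipientAccountId": "111122223333"},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "requestParameters": {"userName": "dev-user",
                           "policyArn": "arn:aws:iam::111122223333:policy/constructed-policy"},
     "recipientAccountId": "111122223333"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole"}, "recipientAccountId": "111122223333"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "recipientAccountId": "111122223333"},
]

if __name__ == "__main__":
    import json
    for rec in SAMPLE_RECORDS:
        print(rec["eventName"], "->", triggered_rules(cloudtrail_envelope(rec)))
    print(json.dumps(CONSOLE_LOGIN))   # value for: aws events put-rule --event-pattern
```

Two things the matcher makes visible: a rule only fires if the trail is actually logging (EventBridge receives CloudTrail events through the trail, not directly from the API), and `CONSOLE_LOGIN` fires for failed sign-ins too, which is what you want for the Challenge's test login but means the alert handler should read `detail.responseElements.ConsoleLogin` to tell success from failure.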
Practice Questions
- What is the difference between AWS CloudTrail and AWS Config?
- How does Azure Monitor collect logs from multiple subscriptions?
- What is the difference between Admin Activity and Data Access logs in GCP?
- Why is log file validation important for CloudTrail?
- How can immutable storage prevent log tampering?
Challenge
Deploy a multi-cloud audit logging architecture. Create a multi-region CloudTrail in AWS, a Log Analytics workspace in Azure, and enable Data Access logs in GCP. Aggregate all logs into a central S3 bucket with Object Lock enabled. Write a CloudWatch Events (EventBridge) rule that alerts on any ConsoleLogin event. Verify by performing a test login and confirming the alert fires.