
Cloud Logging & Audit Trails — CloudTrail, Azure Monitor & Audit Logs Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud Logging & Audit Trails. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud logging and audit trails capture every API call, configuration change, and access attempt across your cloud accounts using services like AWS CloudTrail, Azure Monitor, and GCP Cloud Audit Logs.

What You Will Learn

How to configure comprehensive audit logging, aggregate logs from multiple accounts and regions, set retention policies for compliance, and build real-time alerts on suspicious activity.

Why It Matters

Without audit logs you cannot detect unauthorized access, prove compliance during audits, or reconstruct what happened during a security incident. Cloud logging is the foundation that detection, incident response and forensics all build on.

Real-World Use

DodaTech's security team maintains a centralized log archive in an S3 bucket with Object Lock enabled. CloudTrail logs from 50 AWS accounts, Azure Activity logs from 30 subscriptions, and GCP Cloud Audit Logs from 20 projects are all shipped to a single SIEM platform for correlation.

Log Architecture

flowchart TD
  subgraph AWS
    CT[AWS CloudTrail] --> CreateTrail[Trail\nMulti-Region]
    CreateTrail --> S3[S3 Log Archive]
  end
  subgraph Azure
    AZ[Azure Monitor] --> LA[Log Analytics Workspace]
    LA --> Export[Export to Storage]
  end
  subgraph GCP
    GCP[Cloud Audit Logs] --> LS[Log Sink]
    LS --> GCS[Cloud Storage Bucket]
  end
  
  S3 --> Central["Central Log Bucket\nImmutable / Cross-Region"]
  Export --> Central
  GCS --> Central
  Central --> SIEM["SIEM / Analytics"]
  
  style Central fill:#f90,color:#fff

AWS CloudTrail

CloudTrail records management API calls (control-plane actions such as IAM, EC2 and CloudTrail changes) for every AWS service. Data events (S3 object-level reads and writes, Lambda invocations, DynamoDB item access) are not captured unless you add event selectors to the trail. The 90-day Event history in the console and lookup-events cover management events only; anything you need to keep or query beyond that must come from a trail. For production, create a multi-region trail with log file integrity validation, which makes CloudTrail deliver hourly digest files so later modification or deletion of delivered log files can be detected.

# Create a multi-region trail with log file integrity validation.
# The bucket must already exist with a bucket policy that lets
# cloudtrail.amazonaws.com write to it, and the KMS key policy must
# allow CloudTrail to use the key.
aws cloudtrail create-trail \
  --name prod-trail \
  --s3-bucket-name dodatech-aws-logs \
  --is-multi-region-trail \
  --include-global-service-events \
  --enable-log-file-validation \
  --kms-key-id alias/cloudtrail-key

# Start logging (a trail created through the API does not log until this is called)
aws cloudtrail start-logging --name prod-trail

# Verify trail configuration
aws cloudtrail describe-trails --trail-name-list prod-trail
# Output (abridged):
# {
#   "trailList": [{
#     "Name": "prod-trail",
#     "S3BucketName": "dodatech-aws-logs",
#     "IncludeGlobalServiceEvents": true,
#     "IsMultiRegionTrail": true,
#     "LogFileValidationEnabled": true
#   }]
# }

# Search the last 90 days of management events for console logins.
# lookup-events exposes only a few top-level fields (EventTime, EventName,
# Username, ...); source IP, region and MFA status are inside the
# CloudTrailEvent JSON string, so parse that with jq.
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
  --start-time 2026-06-24T00:00:00Z \
  --query 'Events[*].CloudTrailEvent' --output json \
  | jq -r '.[] | fromjson
           | [.eventTime, (.userIdentity.userName // .userIdentity.type),
              .sourceIPAddress, .awsRegion,
              .additionalEventData.MFAUsed, .responseElements.ConsoleLogin]
           | @tsv'
# Sample output (eventTime, user, source IP, region, MFA used, outcome):
# 2026-06-24T08:30:00Z  admin     198.51.100.10  us-east-1  Yes  Success
# 2026-06-24T09:15:00Z  dev-user  203.0.113.50   eu-west-1  No   Failure
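What log file validation actually gives you is a hash chain: each hourly digest lists the SHA-256 of every log file CloudTrail delivered in that hour plus the SHA-256 of the previous digest. The following Python is an added example, not code from this page or from AWS; it rebuilds that chain over an in-memory stand-in for the S3 bucket (all keys and log contents are constructed) and shows which tampering the hash chain catches. It does not model the RSA signature CloudTrail stores in each digest object's metadata, which is what stops an attacker with write access from also regenerating the newest digest, so in production run `aws cloudtrail validate-logs` rather than a home-grown checker.

```python
"""Check a CloudTrail log archive against its digest chain (hash part only).

Added example, not code from the page or from AWS. `bucket` is a dict that
stands in for the S3 bucket; digest field names follow CloudTrail's digest
files (logFiles[].s3Object / hashValue, previousDigestS3Object,
previousDigestHashValue). The RSA signature in the digest object's metadata
is not modelled. All keys and log contents below are constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(bucket: dict, key: str, log_keys: list, prev_key) -> None:
    """Write a digest covering log_keys to bucket[key], chained to prev_key."""
    digest = {
        "digestS3Object": key,
        "logFiles": [{"s3Object": k, "hashValue": sha256_hex(bucket[k]),
                      "hashAlgorithm": "SHA-256"} for k in log_keys],
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(bucket[prev_key]) if prev_key else None,
    }
    bucket[key] = json.dumps(digest, sort_keys=True).encode()


def validate_chain(bucket: dict, newest_digest_key: str) -> list:
    """Walk from the newest digest back to the first; return a list of problems."""
    problems, key, seen = [], newest_digest_key, set()
    while key is not None and key not in seen:
        seen.add(key)
        raw = bucket.get(key)
        if raw is None:
            problems.append(f"digest missing: {key}")
            break
        digest = json.loads(raw)
        for entry in digest["logFiles"]:          # every delivered log file must still match
            data = bucket.get(entry["s3Object"])
            if data is None:
                problems.append(f"log file missing: {entry['s3Object']}")
            elif sha256_hex(data) != entry["hashValue"]:
                problems.append(f"log file modified: {entry['s3Object']}")
        prev = digest["previousDigestS3Object"]   # and so must the previous digest
        prev_raw = bucket.get(prev) if prev else None
        if prev_raw is not None and sha256_hex(prev_raw) != digest["previousDigestHashValue"]:
            problems.append(f"digest modified: {prev}")
        key = prev
    return problems


# Constructed object keys (CloudTrail's real layout; contents kept uncompressed here).
LOG_0800 = "AWSLogs/111122223333/CloudTrail/us-east-1/2026/06/24/log-0800.json.gz"
LOG_0900 = "AWSLogs/111122223333/CloudTrail/us-east-1/2026/06/24/log-0900.json.gz"
DIGEST_0900 = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2026/06/24/digest-0900.json.gz"
DIGEST_1000 = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2026/06/24/digest-1000.json.gz"


def demo_bucket() -> dict:
    bucket = {
        LOG_0800: b'{"Records":[{"eventName":"ConsoleLogin","userName":"admin"}]}',
        LOG_0900: b'{"Records":[{"eventName":"StopLogging","userName":"dev-user"}]}',
    }
    build_digest(bucket, DIGEST_0900, [LOG_0800], None)
    build_digest(bucket, DIGEST_1000, [LOG_0900], DIGEST_0900)
    return bucket


def scrubbed_log_bucket() -> dict:
    """Attacker deletes the StopLogging record from a delivered log file."""
    bucket = demo_bucket()
    bucket[LOG_0900] = b'{"Records":[]}'
    return bucket


def rewritten_digest_bucket() -> dict:
    """Attacker edits an older log file and regenerates its digest to match."""
    bucket = demo_bucket()
    bucket[LOG_0800] = b'{"Records":[]}'
    build_digest(bucket, DIGEST_0900, [LOG_0800], None)
    return bucket


if __name__ == "__main__":
    print("intact:   ", validate_chain(demo_bucket(), DIGEST_1000))
    print("scrubbed: ", validate_chain(scrubbed_log_bucket(), DIGEST_1000))
    print("rewritten:", validate_chain(rewritten_digest_bucket(), DIGEST_1000))
```

The third case is the instructive one: regenerating digest-0900 makes its own log file check pass, but digest-1000 still carries the hash of the original digest-0900, so the chain breaks one link later. Only an attacker who can rewrite every digest up to the newest one escapes this, which is exactly why CloudTrail signs the digests and why the archive bucket should deny deletes.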

Azure Monitor

Azure Monitor collects the subscription-level activity log (control-plane operations, kept for 90 days within the platform), resource diagnostic logs, and metrics. A Log Analytics workspace is the central ingestion point; diagnostic settings decide which categories are forwarded to it, to a storage account, or to an event hub. Sign-in and audit logs from Microsoft Entra ID are a separate source, configured in the Entra ID diagnostic settings rather than the subscription's.

# Create a Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group prod-rg \
  --workspace-name prod-loganalytics \
  --location eastus

# The activity log is subscription-scoped, so it is exported with a
# subscription-level diagnostic setting (not a per-resource one).
WS_ID=$(az monitor log-analytics workspace show \
  --resource-group prod-rg --workspace-name prod-loganalytics \
  --query id --output tsv)

az monitor diagnostic-settings subscription create \
  --name "activity-to-loganalytics" \
  --location eastus \
  --workspace "$WS_ID" \
  --logs '[{"category": "Administrative", "enabled": true},
           {"category": "Security", "enabled": true},
           {"category": "Policy", "enabled": true}]'

# Query failed sign-ins. SigninLogs is an Entra ID table: it only exists in
# the workspace if Entra ID diagnostic settings forward sign-in logs there.
# --workspace takes the workspace GUID (customer ID), and the KQL goes in
# --analytics-query (--query is the CLI's own JMESPath filter).
WS_GUID=$(az monitor log-analytics workspace show \
  --resource-group prod-rg --workspace-name prod-loganalytics \
  --query customerId --output tsv)

az monitor log-analytics query \
  --workspace "$WS_GUID" \
  --analytics-query 'SigninLogs
    | where ResultType != "0"
    | summarize FailedAttempts = count() by UserPrincipalName, IPAddress
    | top 10 by FailedAttempts desc' \
  --output table
# Sample output:
# UserPrincipalName          IPAddress       FailedAttempts
# admin@dodatech.com         198.51.100.10   47
# dev@dodatech.com           203.0.113.50    12

GCP Cloud Audit Logs

GCP writes Cloud Audit Logs for every API call, in four streams: Admin Activity (configuration and IAM changes; always on and cannot be disabled), Data Access (reads and writes of user data; off by default except for BigQuery, and enabled per service through the auditConfigs section of the project, folder, or organization IAM policy), System Event, and Policy Denied.

# Data Access audit logs are enabled through the IAM policy's auditConfigs,
# not through a logging setting. Fetch the current policy and edit it rather
# than writing a fresh one, so existing bindings and audit configs survive.
gcloud organizations get-iam-policy 123456789012 --format=yaml > policy.yaml

# Add (or merge into) the auditConfigs section of policy.yaml:
#   auditConfigs:
#   - service: storage.googleapis.com
#     auditLogConfigs:
#     - logType: DATA_READ
#     - logType: DATA_WRITE
#   bindings: ...    # leave the existing bindings and the etag untouched

gcloud organizations set-iam-policy 123456789012 policy.yaml

# Create a log sink to BigQuery for analysis. The command prints a writer
# identity (a service account); grant it roles/bigquery.dataEditor on the
# dataset or nothing will arrive.
gcloud logging sinks create prod-audit-sink \
  bigquery.googleapis.com/projects/my-project/datasets/audit_logs \
  --project my-project \
  --log-filter 'LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/data_access")'

# View recent Admin Activity entries
gcloud logging read 'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"' \
  --project my-project \
  --limit 5 \
  --format="table(timestamp,protoPayload.methodName,protoPayload.authenticationInfo.principalEmail)"
# Sample output:
# TIMESTAMP             METHOD_NAME             PRINCIPAL_EMAIL
# 2026-06-24T10:00:00Z  SetIamPolicy            admin@dodatech.com
# 2026-06-24T10:05:00Z  storage.buckets.create  dev@dodatech.com
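Editing auditConfigs by hand is where people clobber an existing allServices entry or an exemptedMembers list. The following Python is an added example, not the page's or Google's code: it takes the policy document that `gcloud ... get-iam-policy --format=json` returns, merges the requested Data Access log types for one service without touching anything else (bindings, other services' configs, existing exemptions, the etag that set-iam-policy uses for optimistic concurrency), and reports which log types are in effect for that service once the allServices entry is taken into account. SAMPLE_POLICY is constructed and its etag value is a placeholder.

```python
"""Enable GCP Data Access audit logs by editing the IAM policy's auditConfigs.

Added example, not the page's or Google's code. Works on the document
returned by `gcloud organizations|projects get-iam-policy --format=json`
and produces what `set-iam-policy` expects. SAMPLE_POLICY is constructed;
the etag is a placeholder value.
"""
import copy

VALID_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def enable_data_access(policy: dict, service: str,
                       log_types=("DATA_READ", "DATA_WRITE")) -> dict:
    """Return a copy of `policy` with the given log types enabled for `service`."""
    unknown = set(log_types) - VALID_LOG_TYPES
    if unknown:
        raise ValueError(f"unknown audit log types: {sorted(unknown)}")
    new = copy.deepcopy(policy)          # never mutate the fetched policy in place
    configs = new.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in log_types:
        if log_type not in present:      # keep existing entries (and their exemptedMembers)
            entry["auditLogConfigs"].append({"logType": log_type})
    return new


def enabled_log_types(policy: dict, service: str) -> set:
    """Log types in effect for `service`: its own config plus any allServices config."""
    types = set()
    for c in policy.get("auditConfigs", []):
        if c.get("service") in (service, "allServices"):
            types |= {x["logType"] for x in c.get("auditLogConfigs", [])}
    return types


# Constructed policy as get-iam-policy would return it: one binding, ADMIN_READ
# already on for all services, nothing yet for Cloud Storage.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:admin@dodatech.com"]}],
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "ADMIN_READ"}]}],
    "etag": "BwWWja0YfJA=",
    "version": 1,
}

if __name__ == "__main__":
    import json
    updated = enable_data_access(SAMPLE_POLICY, "storage.googleapis.com")
    print(json.dumps(updated, indent=2))   # write this to policy.json for set-iam-policy
    print(sorted(enabled_log_types(updated, "storage.googleapis.com")))
```

Run it once, write the printed JSON to a file, and pass that file to set-iam-policy; because the etag is carried through, the write fails safely if someone changed the policy in between. The function is idempotent, so it is safe to run from a CI job that re-asserts the audit configuration on every deploy.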

Log Retention and Immutability

Store logs in write-once storage so that an attacker who gains write access to the archive still cannot alter or delete what has already been delivered. AWS S3 Object Lock (use compliance mode: in governance mode a principal with s3:BypassGovernanceRetention can still delete), Azure immutable blob storage (time-based retention policies and legal holds; a locked policy cannot be shortened), and GCP bucket retention policies (irreversible once locked) all enforce this at the storage layer. Set the retention period to the longest requirement that applies to you, and check that lifecycle rules moving objects to cold storage do not expire them earlier.

Common Mistakes

  1. Not enabling multi-region trails: A single-region CloudTrail misses activity in every other region, which is exactly where an attacker will spin up resources. Always enable multi-region trails, and in AWS Organizations use an organization trail so new accounts are covered automatically.
  2. Short retention periods: Compliance frameworks require one to seven years of log retention. Archive logs to cold storage with a retention policy, and make sure lifecycle expiration rules do not delete them first.
  3. No centralized log aggregation: Logs spread across 50 accounts and 3 clouds cannot be correlated during an incident. Aggregate everything into a central SIEM or data lake.
  4. Ignoring Data Access logs in GCP: Admin Activity logs are always on, but Data Access logs are off by default (except for BigQuery), must be enabled per service, and are the only record of who read which object. Budget for their volume and enable them.
  5. No real-time alerting on critical events: Logs that are never monitored are just noise. Alert on ConsoleLogin (especially without MFA or by the root user), IAM policy changes, security group modifications, and above all on StopLogging, DeleteTrail, UpdateTrail and PutEventSelectors, which are an attacker switching off the evidence.
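The alerting rules in item 5 are easy to state and easy to get subtly wrong (a failed ConsoleLogin also has MFAUsed set to No, for example). The following Python is an added example, not code from this page: it classifies records from a CloudTrail log file using the real event names and record fields, and adds a per-source-IP failed-login count for the brute-force case. The records are constructed to exercise each rule; in production the same classify() logic would sit behind an EventBridge rule target or run over the S3 archive.

```python
"""Flag high-risk events in a CloudTrail log file.

Added example, not code from the page. The records below are constructed in
CloudTrail's record schema (eventName, eventSource, userIdentity,
sourceIPAddress, additionalEventData.MFAUsed, responseElements.ConsoleLogin);
the event names are real CloudTrail event names.
"""
import json
from collections import Counter

# IAM actions that grant or extend access.
IAM_CHANGES = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}
SG_CHANGES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}
# An attacker switching off or narrowing the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record: dict) -> list:
    """Return the findings for one CloudTrail record (empty list if benign)."""
    findings = []
    name = record.get("eventName")
    identity = record.get("userIdentity", {})
    if name == "ConsoleLogin":
        outcome = record.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            findings.append("console login failure")
        elif record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("console login without MFA")
        if identity.get("type") == "Root":
            findings.append("root account console login")
    if name in IAM_CHANGES:
        findings.append(f"IAM change: {name}")
    if name in SG_CHANGES:
        findings.append(f"security group change: {name}")
    if name in TRAIL_TAMPERING:
        findings.append(f"CloudTrail tampering: {name}")
    return findings


def scan(log_file_json: str) -> list:
    """Parse a CloudTrail log file ({"Records": [...]}) and return one alert per finding."""
    alerts = []
    for rec in json.loads(log_file_json)["Records"]:
        who = rec.get("userIdentity", {})
        for finding in classify(rec):
            alerts.append({
                "time": rec.get("eventTime"),
                "who": who.get("userName") or who.get("arn") or who.get("type"),
                "ip": rec.get("sourceIPAddress"),
                "finding": finding,
            })
    return alerts


def brute_force_sources(records: list, threshold: int = 3) -> dict:
    """Source IPs with at least `threshold` failed console logins."""
    failures = Counter(
        r.get("sourceIPAddress") for r in records
        if r.get("eventName") == "ConsoleLogin"
        and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def _login(time, user, ip, mfa, outcome):
    """Helper to build a constructed ConsoleLogin record."""
    return {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip,
            "additionalEventData": {"MFAUsed": mfa}, "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample log file: one clean login, then a no-MFA login followed by
# trail tampering and a firewall change, then a burst of failures from one IP.
SAMPLE_RECORDS = [
    _login("2026-06-24T08:30:00Z", "admin", "198.51.100.10", "Yes", "Success"),
    _login("2026-06-24T09:15:00Z", "dev-user", "203.0.113.50", "No", "Success"),
    {"eventTime": "2026-06-24T09:16:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "sourceIPAddress": "203.0.113.50", "requestParameters": {"name": "prod-trail"}},
    {"eventTime": "2026-06-24T09:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"}, "sourceIPAddress": "203.0.113.50"},
] + [_login(f"2026-06-24T10:00:{s:02d}Z", "admin", "192.0.2.7", "No", "Failure") for s in (0, 5, 10)]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("possible brute force:", brute_force_sources(SAMPLE_RECORDS))
```

Note the ordering in classify(): a failed login is reported as a failure, not as "without MFA", because CloudTrail records MFAUsed as No on every failed attempt and the double alert would bury the brute-force signal. The sequence in the sample (no-MFA login, then StopLogging from the same user and IP) is the pattern you most want a rule to join on.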

Practice Questions

  1. What is the difference between AWS CloudTrail and AWS Config?
  2. How does Azure Monitor collect logs from multiple subscriptions?
  3. What is the difference between Admin Activity and Data Access logs in GCP?
  4. Why is log file validation important for CloudTrail?
  5. How can immutable storage prevent log tampering?

Challenge

Deploy a multi-cloud audit logging architecture. Create a multi-region CloudTrail in AWS, a Log Analytics workspace in Azure, and enable Data Access logs in GCP. Aggregate all logs into a central S3 bucket with Object Lock enabled. Write an EventBridge (formerly CloudWatch Events) rule that alerts on any ConsoleLogin event; note that sign-in events reach EventBridge with the detail type "AWS Console Sign In via CloudTrail", not "AWS API Call via CloudTrail". Verify by performing a test login and confirming the alert fires.

FAQ

What is AWS CloudTrail?

A service that records API calls made in an AWS account, including the caller identity, time, source IP, and request parameters. Management events are recorded by default; data events such as S3 object access must be enabled explicitly.

How long should audit logs be retained?

At least one year for operational needs; regulations set the floor (PCI DSS, for example, requires 12 months of audit log history with the most recent three months immediately available), and keeping logs for up to seven years is common practice in HIPAA-regulated and SOC 2-audited environments.

Does Azure Monitor include activity logs by default?

The Azure Activity Log is collected automatically and kept for 90 days within the platform. Diagnostic settings control whether it is also forwarded to Log Analytics, a storage account, or an event hub for longer retention and querying.

What is the difference between Cloud Logging and Cloud Audit Logs in GCP?

Cloud Logging is the platform that ingests, stores, and routes all log types. Cloud Audit Logs are a specific family of logs within it that record administrative activity and data access for security and compliance review.

Can I use CloudTrail to detect unauthorized access?

Yes. CloudTrail records every management API call. Combined with EventBridge rules and GuardDuty, which analyses CloudTrail, VPC flow logs, and DNS logs for threat patterns, you can detect and alert on suspicious activity in near real time.
