Best SaaS Logging and Audit Trail Implementation
Best SaaS Logging and Audit Trail Implementation
A customer reports that critical project data disappeared from their account yesterday afternoon. Your support team asks engineering to investigate, but you have no record of what happened—no logs showing who accessed the project, when it was deleted, or whether it was user error or a bug. After three days of investigation reviewing database backups, you can't definitively explain what occurred. The customer churns, citing lack of accountability and transparency. This scenario repeats across SaaS companies monthly, costing millions in lost revenue and trust—yet it's completely preventable with proper logging and audit trails.
This article covers production-ready logging and audit trail architectures for SaaS applications, from structured application logging through comprehensive user activity tracking. You'll learn what events to log, how to structure log data for queryability, where to store logs for compliance and performance, and how to expose audit trails to customers as a product feature that builds trust and reduces support burden.
We'll progress from foundational application logging for debugging through security event logging, then to comprehensive audit trails for user actions, and finally to compliance-ready systems that satisfy SOC 2 and GDPR requirements.
The Two Types of Logging: Application Logs vs Audit Trails
Logging in SaaS applications serves two distinct purposes that require different architectures. Application logs help engineers debug issues—errors, warnings, performance metrics, and system events. Audit trails track user actions for security, compliance, and customer transparency—who did what, when, and from where. Conflating these leads to logs that serve neither purpose well.
Application logs are high-volume, ephemeral, and technical. A production API server might generate 10,000 log entries per minute covering every request, database query, and external API call. These logs typically retain for 7-30 days—long enough to debug recent issues but not indefinitely. They're written in technical language for engineering audiences and contain stack traces, query durations, and HTTP status codes.
Audit trails are lower-volume, permanent, and business-focused. The same API server might generate 100 audit entries per minute covering only actions that matter to users: creating projects, inviting team members, changing permissions, or exporting data. These logs retain for years, driven by compliance requirements and customer expectations. They're written in plain language for non-technical audiences and emphasize who, what, and why rather than how.
The architectural implication is separation: application logs go to application monitoring tools (Datadog, New Relic, CloudWatch), while audit trails go to databases where they're queryable by organization and user. Don't try to build audit trails by parsing application logs—the retention, query patterns, and access controls are fundamentally different.
Structured Application Logging
Structured logging formats log entries as JSON or key-value pairs rather than plain text strings. This makes logs machine-parseable and searchable. Instead of logging "User 123 created project 456 in 245ms", log {"userId": 123, "action": "create_project", "projectId": 456, "duration": 245, "timestamp": "2024-03-28T10:30:00Z"}. Structured logs enable powerful queries: find all actions by user 123, find all operations taking longer than 1 second, find all errors in the last hour.
// Structured logging with Winston (Node.js)
const winston = require('winston');
const logger = winston.createLogger({
level: process.env.LOG_LEVEL || 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.errors({ stack: true }),
winston.format.json()
),
defaultMeta: {
service: 'api-server',
environment: process.env.NODE_ENV
},
transports: [
new winston.transports.Console(),
new winston.transports.File({ filename: 'logs/error.log', level: 'error' }),
new winston.transports.File({ filename: 'logs/combined.log' })
]
});
// Usage in application code
app.post('/api/projects', authenticate, async (req, res) => {
const startTime = Date.now();
try {
const project = await createProject({
name: req.body.name,
organizationId: req.organizationId,
userId: req.user.id
});
logger.info('Project created', {
userId: req.user.id,
organizationId: req.organizationId,
projectId: project.id,
projectName: req.body.name,
duration: Date.now() - startTime,
ip: req.ip
});
res.json(project);
} catch (error) {
logger.error('Project creation failed', {
userId: req.user.id,
organizationId: req.organizationId,
error: error.message,
stack: error.stack,
duration: Date.now() - startTime
});
res.status(500).json({ error: 'Failed to create project' });
}
});Log levels (error, warn, info, debug) control verbosity. Production environments typically run at info level, logging errors, warnings, and significant events while omitting verbose debug information. Development environments run at debug level, logging everything including database queries and cache hits. This balance keeps production logs manageable while providing detailed debugging information when needed.
Context propagation attaches request metadata to all logs within a request. Use async context tracking (Node.js AsyncLocalStorage, Python contextvars) to automatically include request ID, user ID, and organization ID in every log entry without manually passing them through every function call.
// Request context propagation with AsyncLocalStorage
const { AsyncLocalStorage } = require('async_hooks');
const asyncLocalStorage = new AsyncLocalStorage();
// Middleware to set request context
app.use((req, res, next) => {
const requestContext = {
requestId: crypto.randomUUID(),
userId: req.user?.id,
organizationId: req.organizationId,
ip: req.ip,
userAgent: req.get('user-agent')
};
asyncLocalStorage.run(requestContext, () => {
next();
});
});
// Enhanced logger that includes context
function log(level, message, metadata = {}) {
const context = asyncLocalStorage.getStore() || {};
logger[level](message, {
...context,
...metadata
});
}
// Usage - context automatically included
log('info', 'Database query executed', {
query: 'SELECT * FROM projects',
duration: 42
});
// Logs: { requestId: '...', userId: 123, organizationId: 456, query: '...', duration: 42 }This pattern eliminates repetitive logging code. Every function can log with full context without explicitly passing request metadata through parameters. When investigating issues, you can find all logs for a specific request by searching for its requestId, seeing the complete execution path.
| Log Level | Purpose | Examples | Production Use |
|---|---|---|---|
| ERROR | Failures requiring attention | Database connection failed, API timeout | Always enabled, alerts triggered |
| WARN | Potential issues, degraded state | Cache miss, retry attempt, deprecated API | Enabled, reviewed regularly |
| INFO | Significant business events | User login, resource created, job completed | Standard production level |
| DEBUG | Detailed diagnostic information | SQL queries, function entry/exit, variable values | Development only, too verbose for production |
Audit Trail Schema and Data Model
Audit trail data models must balance queryability, storage efficiency, and compliance requirements. The core schema stores who performed what action on which resource at what time. Additional fields track IP address, user agent, and any relevant metadata about the action. A JSONB column handles action-specific details without requiring schema changes for new event types.
-- Comprehensive audit trail schema
CREATE TABLE audit_events (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
organization_id UUID NOT NULL REFERENCES organizations(id),
user_id UUID REFERENCES users(id), -- Nullable for system actions
action VARCHAR(100) NOT NULL, -- 'project.created', 'member.invited', 'role.changed'
resource_type VARCHAR(50), -- 'project', 'member', 'organization', 'file'
resource_id UUID,
resource_name VARCHAR(255), -- Human-readable for display
old_values JSONB, -- Previous state for updates
new_values JSONB, -- New state for creates/updates
metadata JSONB, -- Additional context (IP, user agent, etc)
created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-- For efficient queries
CONSTRAINT audit_events_org_time_idx PRIMARY KEY (organization_id, created_at DESC, id)
) PARTITION BY RANGE (created_at);
-- Create partitions for time-based queries
CREATE TABLE audit_events_2024_q1 PARTITION OF audit_events
FOR VALUES FROM ('2024-01-01') TO ('2024-04-01');
CREATE TABLE audit_events_2024_q2 PARTITION OF audit_events
FOR VALUES FROM ('2024-04-01') TO ('2024-07-01');
-- Indexes for common query patterns
CREATE INDEX idx_audit_events_user ON audit_events(user_id, created_at DESC);
CREATE INDEX idx_audit_events_resource ON audit_events(organization_id, resource_type, resource_id, created_at DESC);
CREATE INDEX idx_audit_events_action ON audit_events(organization_id, action, created_at DESC);Table partitioning by time improves query performance for large audit logs. Queries filtering by date range (the most common pattern) only scan relevant partitions. Older partitions can be archived to cold storage or deleted once they exceed retention requirements. The composite primary key (organization_id, created_at DESC, id) optimizes the most common query: show recent activity for an organization.
The action field uses namespaced naming like "resource.verb" (project.created, project.updated, project.deleted) to organize events logically. This enables filtering by resource type or action type through string prefix matching. The alternative—separate action_type and resource_type fields—requires more storage but enables more precise filtering without string operations.
// Audit event types organized by domain
const AUDIT_EVENTS = {
// Projects
PROJECT_CREATED: 'project.created',
PROJECT_UPDATED: 'project.updated',
PROJECT_DELETED: 'project.deleted',
PROJECT_ARCHIVED: 'project.archived',
// Members & Access
MEMBER_INVITED: 'member.invited',
MEMBER_JOINED: 'member.joined',
MEMBER_REMOVED: 'member.removed',
MEMBER_ROLE_CHANGED: 'member.role_changed',
// Organization
ORG_SETTINGS_UPDATED: 'organization.settings_updated',
ORG_PLAN_CHANGED: 'organization.plan_changed',
// Data Export & Security
DATA_EXPORTED: 'data.exported',
PASSWORD_CHANGED: 'security.password_changed',
MFA_ENABLED: 'security.mfa_enabled',
MFA_DISABLED: 'security.mfa_disabled',
// Billing
SUBSCRIPTION_CREATED: 'billing.subscription_created',
SUBSCRIPTION_CANCELED: 'billing.subscription_canceled',
PAYMENT_METHOD_ADDED: 'billing.payment_method_added'
};The old_values and new_values fields enable showing "what changed" for update operations. For a role change, old_values might be {"role": "member"} and new_values might be {"role": "admin"}. This supports both technical audit requirements (exact state tracking) and user-facing displays showing before/after comparisons.
Implementing Audit Trail Logging
Audit trail logging should be abstracted into a service that enforces consistent structure and handles common concerns like context extraction and metadata attachment. Every significant user action should trigger audit logging, implemented as close to the action as possible—in service layer methods, not scattered through controllers.
// Audit logging service
class AuditLogger {
constructor(db) {
this.db = db;
}
async log(event) {
const {
organizationId,
userId,
action,
resourceType,
resourceId,
resourceName,
oldValues = null,
newValues = null,
metadata = {}
} = event;
// Extract request context if available
const context = asyncLocalStorage.getStore() || {};
const auditEntry = {
organization_id: organizationId,
user_id: userId || null,
action,
resource_type: resourceType,
resource_id: resourceId,
resource_name: resourceName,
old_values: oldValues ? JSON.stringify(oldValues) : null,
new_values: newValues ? JSON.stringify(newValues) : null,
metadata: JSON.stringify({
ip: context.ip || metadata.ip,
user_agent: context.userAgent || metadata.userAgent,
request_id: context.requestId,
...metadata
})
};
await this.db.query(
`INSERT INTO audit_events (
organization_id, user_id, action, resource_type, resource_id,
resource_name, old_values, new_values, metadata
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
Object.values(auditEntry)
);
// Also log to application logs for debugging
logger.info('Audit event', {
organizationId,
userId,
action,
resourceType,
resourceId
});
}
// Convenience methods for common patterns
async logCreate(organizationId, userId, resourceType, resource) {
await this.log({
organizationId,
userId,
action: `${resourceType}.created`,
resourceType,
resourceId: resource.id,
resourceName: resource.name || resource.title || String(resource.id),
newValues: resource
});
}
async logUpdate(organizationId, userId, resourceType, resourceId, oldValues, newValues) {
await this.log({
organizationId,
userId,
action: `${resourceType}.updated`,
resourceType,
resourceId,
resourceName: newValues.name || oldValues.name,
oldValues,
newValues
});
}
async logDelete(organizationId, userId, resourceType, resource) {
await this.log({
organizationId,
userId,
action: `${resourceType}.deleted`,
resourceType,
resourceId: resource.id,
resourceName: resource.name || String(resource.id),
oldValues: resource
});
}
}The convenience methods (logCreate, logUpdate, logDelete) standardize common patterns while the general log method handles special cases. This balance provides consistent structure without forcing all events into rigid templates. The automatic metadata extraction pulls IP address and user agent from request context, eliminating repetitive parameter passing.
Audit logging should be synchronous when the logged action is critical (financial transactions, permission changes) and asynchronous when it's supplementary (viewing a resource, running a report). For synchronous logging, the database transaction that performs the action should also insert the audit log—both succeed or both fail. For asynchronous logging, use a background job queue to avoid blocking requests.
// Audit logging in service methods
class ProjectService {
constructor(db, auditLogger) {
this.db = db;
this.auditLogger = auditLogger;
}
async createProject(organizationId, userId, data) {
await this.db.query('BEGIN');
try {
const result = await this.db.query(
'INSERT INTO projects (organization_id, name, description, created_by) VALUES ($1, $2, $3, $4) RETURNING *',
[organizationId, data.name, data.description, userId]
);
const project = result.rows[0];
// Log within same transaction
await this.auditLogger.logCreate(
organizationId,
userId,
'project',
project
);
await this.db.query('COMMIT');
return project;
} catch (error) {
await this.db.query('ROLLBACK');
throw error;
}
}
async updateProject(organizationId, userId, projectId, updates) {
// Get current state
const current = await this.getProject(organizationId, projectId);
if (!current) {
throw new Error('Project not found');
}
await this.db.query('BEGIN');
try {
const result = await this.db.query(
'UPDATE projects SET name = $1, description = $2, updated_at = NOW() WHERE id = $3 AND organization_id = $4 RETURNING *',
[updates.name, updates.description, projectId, organizationId]
);
const updated = result.rows[0];
// Log changes
await this.auditLogger.logUpdate(
organizationId,
userId,
'project',
projectId,
{ name: current.name, description: current.description },
{ name: updated.name, description: updated.description }
);
await this.db.query('COMMIT');
return updated;
} catch (error) {
await this.db.query('ROLLBACK');
throw error;
}
}
async deleteProject(organizationId, userId, projectId) {
const project = await this.getProject(organizationId, projectId);
if (!project) {
throw new Error('Project not found');
}
await this.db.query('BEGIN');
try {
await this.db.query(
'DELETE FROM projects WHERE id = $1 AND organization_id = $2',
[projectId, organizationId]
);
await this.auditLogger.logDelete(
organizationId,
userId,
'project',
project
);
await this.db.query('COMMIT');
return { success: true };
} catch (error) {
await this.db.query('ROLLBACK');
throw error;
}
}
}This pattern ensures audit logs are always consistent with database state. If the project creation fails, the audit log isn't written. If the audit log write fails, the project creation is rolled back. This transactional integrity is critical for compliance—audit logs that might not reflect actual state are worse than no audit logs.
Querying and Displaying Audit Trails
Audit trails become valuable when users can query and understand them. Build API endpoints that let users filter audit logs by date range, action type, user, and resource. Display audit trails in a timeline UI showing who did what, when, with human-readable descriptions rather than technical jargon.
// Audit trail query API
class AuditTrailAPI {
async getAuditLog(organizationId, filters = {}) {
const {
startDate = null,
endDate = null,
userId = null,
action = null,
resourceType = null,
resourceId = null,
limit = 100,
offset = 0
} = filters;
let query = `
SELECT
ae.*,
u.name as user_name,
u.email as user_email
FROM audit_events ae
LEFT JOIN users u ON ae.user_id = u.id
WHERE ae.organization_id = $1
`;
const params = [organizationId];
let paramIndex = 2;
if (startDate) {
query += ` AND ae.created_at >= $${paramIndex}`;
params.push(startDate);
paramIndex++;
}
if (endDate) {
query += ` AND ae.created_at <= $${paramIndex}`;
params.push(endDate);
paramIndex++;
}
if (userId) {
query += ` AND ae.user_id = $${paramIndex}`;
params.push(userId);
paramIndex++;
}
if (action) {
query += ` AND ae.action = $${paramIndex}`;
params.push(action);
paramIndex++;
}
if (resourceType) {
query += ` AND ae.resource_type = $${paramIndex}`;
params.push(resourceType);
paramIndex++;
}
if (resourceId) {
query += ` AND ae.resource_id = $${paramIndex}`;
params.push(resourceId);
paramIndex++;
}
query += ` ORDER BY ae.created_at DESC LIMIT $${paramIndex} OFFSET $${paramIndex + 1}`;
params.push(limit, offset);
const result = await db.query(query, params);
return result.rows.map(row => this.formatAuditEvent(row));
}
formatAuditEvent(row) {
return {
id: row.id,
timestamp: row.created_at,
user: {
id: row.user_id,
name: row.user_name,
email: row.user_email
},
action: row.action,
description: this.generateDescription(row),
resource: {
type: row.resource_type,
id: row.resource_id,
name: row.resource_name
},
changes: this.formatChanges(row.old_values, row.new_values),
metadata: JSON.parse(row.metadata || '{}')
};
}
generateDescription(event) {
const user = event.user_name || 'System';
const resource = event.resource_name;
const descriptions = {
'project.created': `${user} created project "${resource}"`,
'project.updated': `${user} updated project "${resource}"`,
'project.deleted': `${user} deleted project "${resource}"`,
'member.invited': `${user} invited ${event.new_values?.email} to the organization`,
'member.removed': `${user} removed ${event.old_values?.name} from the organization`,
'member.role_changed': `${user} changed ${event.resource_name}'s role from ${event.old_values?.role} to ${event.new_values?.role}`
};
return descriptions[event.action] || `${user} performed ${event.action} on ${resource}`;
}
formatChanges(oldValues, newValues) {
if (!oldValues && !newValues) {
return null;
}
const old = JSON.parse(oldValues || '{}');
const updated = JSON.parse(newValues || '{}');
const changes = [];
// Find changed fields
const allKeys = new Set([...Object.keys(old), ...Object.keys(updated)]);
for (const key of allKeys) {
if (old[key] !== updated[key]) {
changes.push({
field: key,
oldValue: old[key],
newValue: updated[key]
});
}
}
return changes;
}
}
// Express route
app.get('/api/organizations/:organizationId/audit-log',
authenticate,
requireOrganizationAccess('view_audit_log'),
async (req, res) => {
const auditLog = await auditTrailAPI.getAuditLog(
req.params.organizationId,
{
startDate: req.query.startDate,
endDate: req.query.endDate,
userId: req.query.userId,
action: req.query.action,
resourceType: req.query.resourceType,
limit: parseInt(req.query.limit) || 100,
offset: parseInt(req.query.offset) || 0
}
);
res.json(auditLog);
}
);The generateDescription method transforms technical event data into user-friendly sentences. Instead of showing "project.updated" with raw JSON, show "Alice updated project 'Website Redesign' changing status from 'In Progress' to 'Complete'". This narrative format makes audit trails accessible to non-technical users and reduces support burden—users can self-serve by reviewing their own activity history.
Export functionality lets users download audit logs as CSV or JSON for compliance documentation or external analysis. Enterprise customers often need audit logs for their own security reviews or regulatory filings. Make this a first-class feature, not an afterthought.
// Audit log export
app.get('/api/organizations/:organizationId/audit-log/export',
authenticate,
requireOrganizationAccess('export_audit_log'),
async (req, res) => {
const auditLog = await auditTrailAPI.getAuditLog(
req.params.organizationId,
{
startDate: req.query.startDate,
endDate: req.query.endDate,
limit: 10000 // Higher limit for exports
}
);
// Generate CSV
const csv = [
['Timestamp', 'User', 'Action', 'Resource', 'Description'].join(','),
...auditLog.map(event =>
[
event.timestamp,
event.user.email,
event.action,
`${event.resource.type}:${event.resource.name}`,
event.description
].map(field => `"${field}"`).join(',')
)
].join('\n');
res.setHeader('Content-Type', 'text/csv');
res.setHeader('Content-Disposition', `attachment; filename="audit-log-${Date.now()}.csv"`);
res.send(csv);
}
);Security Event Logging and Alerting
Security events are a specialized subset of audit logs requiring special handling: immediate alerting, permanent retention, and protection against tampering. Security events include authentication failures, permission changes, data exports, and suspicious access patterns. These logs are critical for incident response and forensic investigation.
// Security event logging with alerting
class SecurityLogger {
async logSecurityEvent(event) {
const {
organizationId,
userId,
eventType,
severity,
details
} = event;
const securityEvent = {
organization_id: organizationId,
user_id: userId,
event_type: eventType,
severity,
details: JSON.stringify(details),
ip_address: details.ip,
user_agent: details.userAgent
};
await db.query(
`INSERT INTO security_events (
organization_id, user_id, event_type, severity, details, ip_address, user_agent
) VALUES ($1, $2, $3, $4, $5, $6, $7)`,
Object.values(securityEvent)
);
// Alert on high severity events
if (severity === 'high' || severity === 'critical') {
await this.sendSecurityAlert(event);
}
// Check for suspicious patterns
await this.analyzeSecurityPatterns(event);
}
async logAuthenticationFailure(email, ip, reason) {
await this.logSecurityEvent({
organizationId: null,
userId: null,
eventType: 'authentication_failed',
severity: 'medium',
details: { email, ip, reason }
});
// Check for brute force
await this.checkBruteForce(email, ip);
}
async logPasswordChange(organizationId, userId, ip) {
await this.logSecurityEvent({
organizationId,
userId,
eventType: 'password_changed',
severity: 'medium',
details: { ip }
});
}
async logMFADisabled(organizationId, userId, ip) {
await this.logSecurityEvent({
organizationId,
userId,
eventType: 'mfa_disabled',
severity: 'high',
details: { ip }
});
}
async logDataExport(organizationId, userId, exportType, recordCount) {
const severity = recordCount > 10000 ? 'high' : 'medium';
await this.logSecurityEvent({
organizationId,
userId,
eventType: 'data_exported',
severity,
details: { exportType, recordCount }
});
}
async logPermissionEscalation(organizationId, grantedBy, targetUser, oldRole, newRole) {
await this.logSecurityEvent({
organizationId,
userId: grantedBy,
eventType: 'permission_escalation',
severity: 'high',
details: {
targetUserId: targetUser,
oldRole,
newRole
}
});
}
async checkBruteForce(email, ip) {
const recentFailures = await db.query(
`SELECT COUNT(*) FROM security_events
WHERE event_type = 'authentication_failed'
AND (details->>'email' = $1 OR ip_address = $2)
AND created_at > NOW() - INTERVAL '15 minutes'`,
[email, ip]
);
const count = parseInt(recentFailures.rows[0].count);
if (count >= 5) {
await this.sendSecurityAlert({
severity: 'high',
eventType: 'brute_force_detected',
details: {
email,
ip,
attemptCount: count
}
});
}
}
async analyzeSecurityPatterns(event) {
// Example: Detect impossible travel
if (event.userId && event.details.ip) {
const recentEvents = await db.query(
`SELECT ip_address, created_at FROM security_events
WHERE user_id = $1
AND created_at > NOW() - INTERVAL '1 hour'
ORDER BY created_at DESC
LIMIT 2`,
[event.userId]
);
// In production, use IP geolocation to detect impossible travel
// If user was in New York 30 minutes ago and now appears in Tokyo, alert
}
}
async sendSecurityAlert(event) {
// Send to monitoring system
await slackWebhook.send({
channel: '#security-alerts',
text: `Security Alert: ${event.eventType}`,
attachments: [{
color: event.severity === 'critical' ? 'danger' : 'warning',
fields: [
{ title: 'Severity', value: event.severity, short: true },
{ title: 'Event Type', value: event.eventType, short: true },
{ title: 'Details', value: JSON.stringify(event.details, null, 2) }
]
}]
});
// For critical events, page on-call
if (event.severity === 'critical') {
await pagerDuty.trigger({
summary: `Critical security event: ${event.eventType}`,
severity: 'critical',
details: event.details
});
}
}
}Security event detection should be real-time. Use database triggers, message queues, or streaming analytics to analyze security events as they occur. Delayed detection of security incidents increases damage—attackers who aren't blocked within minutes can exfiltrate significant data or cause substantial harm.
Compliance and Retention Policies
Retention policies balance compliance requirements, storage costs, and query performance. Most compliance frameworks (SOC 2, ISO 27001, HIPAA) require 1-7 years of audit log retention. Implement tiered storage: recent logs (0-90 days) in hot storage (PostgreSQL) for fast queries, older logs (90 days to 7 years) in cold storage (S3, Google Cloud Storage) for compliance access.
// Audit log archival process
class AuditLogArchival {
async archiveOldLogs() {
// Archive logs older than 90 days to S3
const cutoffDate = new Date();
cutoffDate.setDate(cutoffDate.getDate() - 90);
const oldLogs = await db.query(
'SELECT * FROM audit_events WHERE created_at < $1 ORDER BY created_at',
[cutoffDate]
);
if (oldLogs.rows.length === 0) {
return { archived: 0 };
}
// Upload to S3 as JSONL (JSON Lines) for efficient storage
const jsonl = oldLogs.rows
.map(row => JSON.stringify(row))
.join('\n');
const fileName = `audit-logs-${cutoffDate.toISOString().split('T')[0]}.jsonl.gz`;
await s3.upload({
Bucket: process.env.AUDIT_LOG_BUCKET,
Key: `archive/${fileName}`,
Body: gzip.gzipSync(jsonl),
ContentType: 'application/gzip',
ServerSideEncryption: 'AES256'
});
// Delete from PostgreSQL after successful upload
await db.query(
'DELETE FROM audit_events WHERE created_at < $1',
[cutoffDate]
);
logger.info('Archived audit logs', {
count: oldLogs.rows.length,
fileName,
cutoffDate
});
return { archived: oldLogs.rows.length, fileName };
}
async retrieveArchivedLogs(startDate, endDate) {
// List relevant archive files
const files = await s3.listObjectsV2({
Bucket: process.env.AUDIT_LOG_BUCKET,
Prefix: 'archive/'
});
const relevantFiles = files.Contents.filter(file => {
// Parse date from filename and check if it falls in range
const match = file.Key.match(/audit-logs-(\d{4}-\d{2}-\d{2})/);
if (!match) return false;
const fileDate = new Date(match[1]);
return fileDate >= startDate && fileDate <= endDate;
});
// Download and decompress files
const logs = [];
for (const file of relevantFiles) {
const object = await s3.getObject({
Bucket: process.env.AUDIT_LOG_BUCKET,
Key: file.Key
});
const decompressed = gzip.gunzipSync(object.Body);
const lines = decompressed.toString().split('\n');
for (const line of lines) {
if (line.trim()) {
logs.push(JSON.parse(line));
}
}
}
return logs;
}
}GDPR and other privacy regulations require deleting user data upon request, but audit logs are often exempt from deletion requirements because they serve legitimate business interests (security, fraud prevention, compliance). When deleting user accounts, anonymize audit logs rather than deleting them: replace user IDs with "deleted_user_123" and remove email addresses, but preserve the action history.
// GDPR-compliant user deletion with audit log anonymization
async function deleteUserGDPR(userId) {
await db.query('BEGIN');
try {
// Delete personal data
await db.query(
'UPDATE users SET email = $1, name = $2, deleted_at = NOW() WHERE id = $3',
[`deleted_${userId}@example.com`, 'Deleted User', userId]
);
// Anonymize audit logs (preserve for compliance)
await db.query(
'UPDATE audit_events SET metadata = jsonb_set(metadata, \'{anonymized}\', \'true\') WHERE user_id = $1',
[userId]
);
// Log the deletion request (required by GDPR)
await db.query(
'INSERT INTO gdpr_deletion_log (user_id, deleted_at) VALUES ($1, NOW())',
[userId]
);
await db.query('COMMIT');
} catch (error) {
await db.query('ROLLBACK');
throw error;
}
}| Compliance Framework | Retention Requirement | Key Requirements |
|---|---|---|
| SOC 2 | 1 year minimum | Security events, access logs, change logs |
| GDPR | Varies by purpose | Legitimate interest for security logs |
| HIPAA | 6 years | Access to PHI, modifications, deletions |
| PCI DSS | 1 year, 3 months readily available | Cardholder data access, admin actions |
Performance Optimization for High-Volume Logging
High-traffic SaaS applications generate millions of audit events per day. Synchronous database writes for every event can bottleneck application performance. Implement buffering and batching: collect events in memory, flush to database in batches of 100-1000 events, or use background workers to process queued events asynchronously.
// Buffered audit logging for performance
class BufferedAuditLogger {
constructor(db, options = {}) {
this.db = db;
this.buffer = [];
this.maxBufferSize = options.maxBufferSize || 100;
this.flushInterval = options.flushInterval || 5000; // 5 seconds
// Periodic flush
this.flushTimer = setInterval(() => this.flush(), this.flushInterval);
// Flush on process exit
process.on('SIGTERM', () => this.flush());
process.on('SIGINT', () => this.flush());
}
async log(event) {
this.buffer.push(event);
// Flush if buffer is full
if (this.buffer.length >= this.maxBufferSize) {
await this.flush();
}
}
async flush() {
if (this.buffer.length === 0) {
return;
}
const events = this.buffer.splice(0, this.buffer.length);
try {
// Batch insert
const values = events.map((event, idx) => {
const base = idx * 9;
return `($${base + 1}, $${base + 2}, $${base + 3}, $${base + 4}, $${base + 5}, $${base + 6}, $${base + 7}, $${base + 8}, $${base + 9})`;
}).join(',');
const params = events.flatMap(event => [
event.organization_id,
event.user_id,
event.action,
event.resource_type,
event.resource_id,
event.resource_name,
event.old_values,
event.new_values,
event.metadata
]);
await this.db.query(
`INSERT INTO audit_events (
organization_id, user_id, action, resource_type, resource_id,
resource_name, old_values, new_values, metadata
) VALUES ${values}`,
params
);
logger.debug('Flushed audit log buffer', { count: events.length });
} catch (error) {
logger.error('Failed to flush audit logs', {
error: error.message,
count: events.length
});
// Re-add events to buffer to retry
this.buffer.unshift(...events);
}
}
shutdown() {
clearInterval(this.flushTimer);
return this.flush();
}
}The buffered approach provides 10-100x performance improvement for high-volume logging while maintaining durability through periodic flushes and graceful shutdown handling. The tradeoff is potential data loss if the process crashes between flushes—acceptable for most audit logging but not for financial transactions.
Frequently Asked Questions
What's the difference between logs and metrics?
Logs capture discrete events with context (who did what when). Metrics aggregate data into numbers over time (requests per second, error rate). Use logs to understand specific events. Use metrics to monitor trends and set alerts. In practice, emit structured logs and extract metrics from them using log aggregation tools—don't maintain separate logging and metrics systems.
Should I log every database query?
Log queries only in development or when debugging specific issues. Production query logging generates massive data volumes with limited value—most queries are repetitive CRUD operations. Instead, log slow queries (queries taking longer than 1-5 seconds) and failed queries. This captures problematic patterns without overwhelming logs with noise.
How long should I retain application logs vs audit logs?
Application logs: 7-30 days for debugging recent issues. Audit logs: 1-7 years based on compliance requirements and industry regulations. Financial services often require 7 years; most B2B SaaS products need 1-2 years. Archive old audit logs to cold storage rather than deleting—storage is cheap, and having historical data available during incidents or audits is invaluable.
Can I use the same logging library for both application and audit logs?
Yes, but route them to different destinations. Use Winston, Pino, or similar structured logging libraries for both, but configure different transports: application logs to CloudWatch/Datadog/New Relic, audit logs to your database. The shared library provides consistent structure while storage reflects the different use cases.
Should I log personally identifiable information (PII)?
Log PII only in audit trails where it's necessary for accountability, and implement access controls and encryption. Don't log PII in application logs that go to third-party services—debug issues using request IDs and user IDs rather than names or emails. When you must log PII, mark fields as sensitive so log aggregation tools can redact them automatically.
How do I handle logging in microservices architectures?
Use distributed tracing (OpenTelemetry, Jaeger, Zipkin) to correlate logs across services. Generate a trace ID at API gateway and propagate it through all service calls. Each service logs with the trace ID, letting you reconstruct entire request flows. For audit logs, centralize them in a dedicated audit service that all microservices publish events to—don't duplicate audit storage across services.
What should I do if audit logging fails?
For critical operations (financial transactions, permission changes), fail the operation if audit logging fails—better to block the action than to have untracked state changes. For less critical operations, log the failure to application logs and proceed with the operation. Implement monitoring that alerts if audit log write failures exceed 1%—this indicates infrastructure problems requiring immediate attention.
How do I test that audit logging is working correctly?
Write integration tests that perform actions and verify audit logs are created with correct data. Test that updates capture old and new values. Test that deletes record the deleted resource. Test that security events trigger alerts. Include audit logging in your CI/CD pipeline—every pull request should verify audit logging for changed code paths. Manual testing before major releases should include reviewing audit logs for completeness.
Conclusion
Logging and audit trails form the observability foundation of production SaaS applications. Application logs enable engineers to debug issues quickly by understanding system behavior. Audit trails provide accountability, security monitoring, and compliance documentation by recording user actions permanently. These are not optional features you add later—they're infrastructure you build from the start.
Separate application logging from audit trails architecturally. Application logs are high-volume, ephemeral, and technical—send them to monitoring tools with 7-30 day retention. Audit trails are lower-volume, permanent, and business-focused—store them in databases with multi-year retention. Use structured logging (JSON) throughout to enable powerful querying and analysis.
Expose audit trails to customers as a product feature. Build UI showing activity timelines, enable filtering by date and user, provide export capabilities. Transparency builds trust—customers who can see what happened in their accounts are more confident in your security and reliability. Audit trails reduce support burden by letting users self-serve answers to "what happened to my data" questions. The investment in comprehensive logging pays dividends through faster debugging, easier compliance, stronger security, and improved customer trust.