The Audit Log Is Not the Evidence
Audit logs are internal records maintained by the system under review. They are not independent evidence. A log the accused controls is not proof.
The Distinction
An audit log is a self-report. It is a record maintained by the system whose behavior is in question, written by that system, stored in infrastructure that system controls, and readable only by parties that system permits access to.
Independent evidence is a record whose integrity can be verified without trusting the system that produced it.
These are not the same thing. Conflating them is the foundational error in most compliance and forensic workflows.
Why It Matters
When an audit log is the primary evidence for a claim — "no unauthorized access occurred," "all writes were approved," "the pipeline executed as configured" — that claim is only as strong as your trust in the system that wrote the log.
If that system was compromised, the log is compromised. If an insider had write access to the log store, the log is suspect. If the logging agent itself was misconfigured, the gap it created will not appear in the log. Absence of anomalies in a log proves only one thing: the log records no anomalies.
Real-World Example
A privileged cloud administrator with access to a logging pipeline executes an unauthorized data export. Before the export, they suppress log forwarding for the relevant service for 90 seconds, complete the export, then re-enable forwarding. The SIEM shows a minor connectivity blip. The audit log shows no unauthorized access.
In a post-incident review, the audit log is presented as evidence that no exfiltration occurred during the period in question. The log is accurate — it accurately reflects what the logging system was permitted to record. It is not evidence.
This is not a novel attack. It is a standard insider threat pattern. Audit logs are a first-party record. First-party records cannot self-certify their own completeness.
Audit Log vs. Signed Verifiable Receipt
| Property | Audit Log | Signed Verifiable Receipt |
|---|---|---|
| Author | The system under review | An independent witness |
| Integrity binding | Typically none or internal | Cryptographic signature + external timestamp |
| Tamper evidence | Requires trusting the store | Detectable without trusting the store |
| Completeness guarantee | None — gaps are invisible | Gaps in inclusion proofs are detectable |
| Adversarial utility | Controllable by a compromised actor | Cannot be retroactively modified without detection |
A signed receipt anchored to an external transparency log or timestamping authority is verifiable without trusting the issuing system. A discrepancy between a signed receipt and an audit log is evidence of tampering. An audit log alone cannot surface that discrepancy.
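As an added illustration (not code from the original article), the following Python sketches the receipt model from the table: an independent witness keeps a Merkle log of events, signs its tree head, and hands out inclusion proofs that an auditor verifies with the witness's key alone. It assumes a simplified tree (odd levels pad with their last node), constructed events matching the insider scenario above, and an HMAC as a stand-in for the witness's asymmetric signature so it runs on the standard library.

```python
import hashlib, hmac, json

# Constructed witness key: stands in for the independent witness's signing key.
# A real witness would sign with an asymmetric key (e.g. Ed25519); HMAC is used
# here only so the example runs on the standard library alone.
WITNESS_KEY = b"constructed-witness-key-for-illustration-only"
def leaf_hash(entry):       # RFC 6962-style domain separation: 0x00 for leaves
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right): # 0x01 for interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root_and_proof(entries, index):
    """Root of a simplified Merkle tree plus the side-tagged sibling path for entries[index]."""
    level, proof = [leaf_hash(e) for e in entries], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])        # pad odd levels with their last node
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", level[sib].hex()))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def sign_tree_head(root, size, timestamp):
    """The witness commits to (root, size, time); this signed head is the external anchor."""
    head = {"root": root.hex(), "size": size, "ts": timestamp}
    sig = hmac.new(WITNESS_KEY, json.dumps(head, sort_keys=True).encode(), hashlib.sha256)
    return head, sig.hexdigest()

def verify_receipt(receipt):
    """Check the head signature, then recompute the root from the inclusion proof."""
    expected = hmac.new(WITNESS_KEY, json.dumps(receipt["head"], sort_keys=True).encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), receipt["sig"]):
        return False
    h = leaf_hash(receipt["entry"])
    for side, sib in receipt["proof"]:
        h = node_hash(bytes.fromhex(sib), h) if side == "L" else node_hash(h, bytes.fromhex(sib))
    return h == bytes.fromhex(receipt["head"]["root"])

def receipt_missing_from_audit_log(receipt, audit_log):
    """A valid receipt whose entry the audit log lacks is the discrepancy the log alone cannot surface."""
    return verify_receipt(receipt) and receipt["entry"] not in audit_log

# Constructed events: the witness saw all three; forwarding was suppressed during the export.
EVENTS = [b'{"t":"10:00:00","actor":"admin","action":"login"}',
          b'{"t":"10:00:40","actor":"admin","action":"export","bytes":4194304}',
          b'{"t":"10:02:10","actor":"admin","action":"logout"}']
AUDIT_LOG = [EVENTS[0], EVENTS[2]]   # internally consistent; the gap is invisible
ROOT, PROOF = merkle_root_and_proof(EVENTS, 1)
HEAD, SIG = sign_tree_head(ROOT, len(EVENTS), "2000-01-01T10:02:15Z")  # constructed timestamp
EXPORT_RECEIPT = {"entry": EVENTS[1], "proof": PROOF, "head": HEAD, "sig": SIG}
```

`receipt_missing_from_audit_log(EXPORT_RECEIPT, AUDIT_LOG)` returns True: the receipt verifies without touching the audited system, so the export's absence from the audit log is the tampering signal the log itself could never produce.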
The Test
Before treating an audit log as evidence, ask:
Can I verify the integrity and completeness of this log without trusting the system that wrote it?
If the answer is no — if verification requires accessing the same system, trusting its key material, or accepting its claims about its own completeness — the log is a self-report, not evidence.
A signed, externally anchored record whose inclusion can be proved independently is the threshold for evidence. Below that threshold, you have a starting point for investigation, not a conclusion.
Closing Principle
A log the accused controls is not proof. Internal audit logs are useful operational instruments and poor forensic anchors. The question is never whether a log exists — it is whether the log's integrity is verifiable by a party that does not depend on the system under review.
If your evidence chain terminates at a self-maintained log, your chain terminates at an assertion.
See also: Why Compliance Dashboards Are Not Security Evidence — the same logic applied to the compliance surface.
See also: Verification Requires Independence — the principle that defines when a check qualifies as verification.