Best practices for audit logging in a SAAS business/application
This post is a note to my future self for the next project I want to build. There doesn't seem to be any great resources out there for this, so I thought I'd share my thoughts publicly. If you're asking yourself "do I need to have audit logging in my app?" - I can promise you the answer is "yes!".
What are audit logs?
Audit logs are effectively an activity log of things that happened in a given entity (usually an "account").
For instance, for one of my side projects - reservadesk.com, we log all activity within an "organisation" so that admin members (and us internally) who manage the organisation can see who changed what, and when. It makes it very easy to debug customer problems, as well as simply being able to track active accounts and see what people are doing as they poke about at your app.
What's more, a lot of large clients will expect this kind of thing, and are willing and able to pay for it.
What audit logs are NOT
Audit logs are not like console logs in the console, or backend logging in your API like you might have in Datadog, Rapid7 or some other log provider. Those type of logs have equal, if not more, importance. But they serve a different purpose. Those types of logs are for your developers or technical support to interrogate and check for problems. Audit logging is for your customers themselves (so they can see changes to things over time) and also your support/success staff for issue resolution and, to a lesser degree, usage.
Learning from Flipdish
At the time of writing, Flipdish just reached Unicorn status with our latest round of investment. Since joining three years ago, it's been a whirlwind, to say the least, so right now feels like a good opportunity to pause and reflect on some of the things I've learned.
Here's that list. One of the bigger things on that list is audit logs. When a customer calls in with a query, being able to track down who changed what, and when, is a powerful tool to have in your arsenal to get any issues resolved as quickly and painlessly as possible.
BTW - we're hiring across ALL types of roles - get in touch if you're curious about any.
What should be logged?
The first logical question when tackling audit logs, is what actually should be logged, and what shouldn't. A good rule of thumb is if something changes in your database, it should be logged. Typically, this means all POST, UPDATE, PATCH and DELETE requests. GET requests typically would not be logged, but that doesn't mean they can't be if you've got a compelling reason to know when someone viewed something, for instance.
Ask yourself the question "As the customer managing the configuration or monitoring of this app, would I like to know when this activity has happened, by who, and when?". If the answer is a yes, then you need an audit log.
What should be in an audit log?
For me, there are a few key elements of an audit log that need to be there in order for it to be effective and useful to your team.
- The entity that was changed. What was the entity that was created/updated/deleted etc. In the example below, the entity was a "resource".
- The type of event. Was it an update, a deletion, or something else? Being able to glance at an audit log and know the action that was taken is essential.
- When the event occurred. You need to know when the event happened, and of course if you're showing a list of events, they should be in chronological order. Bonus points here if you show both the time, and relative time (eg "10 minutes ago")
- Who did it? Knowing who made the change is essential. Was it a support team member, or the customer themselves? Bonus points here for including the user ID, to make chasing down the culprit that bit quicker.
- What was changed? Understanding the properties that were changed, the previous value, and the new value, is essential. Without this information, your audit logs are a lot less effective.
Audit log example
How long should I keep audit logs?
This is up to your business, but in my experience, typically any more than 3 months is overkill. If there is anything to debug, it'll usually crop up in that time frame. The only caveat to this would be large customers who want to retain logs for longer. This is of course an opportunity to upsell those clients onto a longer log retention period 😉.
Apps that do audit logging well
Of course I'm going to say Flipdish first, with reservadesk.com as a close second!
Other apps I've noticed that do it well are Stripe, split.io and localize.biz - although in localize's case it's more of a light activity log.
Anything else I should know, Chris?
I'm glad you asked. Once you have your audit log system set up, and it has appropriate filters, you should link to the audit logs from every entity that has them. In our examples above, this means that if you're logged in as an organisation teammate, and you view a resource like Desk 1, you should have a link that goes directly to your audit logs list page that has the filter pre-filled for that resource.
Or even, better, display the logs for that item in the UI itself, no need to redirect the user.
Did you like this post? Subscribe for more tidbits in product development and more.