Safeguard
Compliance

How to meet SOC 2 audit logging requirements

A step-by-step guide to meeting SOC 2 audit logging requirements: what to log, retention, access controls, alerting, and how to verify your controls before an audit.

Marina Petrov
Compliance Analyst
8 min read

If your organization is heading into a SOC 2 audit, one of the fastest ways to derail a clean report is incomplete or inconsistent logging. Auditors don't just want to see that you have logs — they want evidence that your logging program satisfies specific SOC 2 audit logging requirements: what gets captured, how long it's retained, who can access it, and how you detect and respond to anomalies. Many teams discover these gaps only after an auditor starts asking pointed questions about a missing audit trail or an access log that was overwritten after 14 days.

This guide walks through a practical, sequential process for building a logging program that satisfies SOC 2 Trust Services Criteria (primarily Security, and often Availability and Confidentiality). By the end, you'll have a repeatable framework — covering scope, collection, retention, access control, alerting, and audit-readiness — that you can run as an ongoing SOC 2 compliance checklist rather than a one-time scramble before your audit window opens.

Step 1: Map SOC 2 Audit Logging Requirements to Your Trust Services Criteria

Before touching any tooling, identify which Trust Services Criteria (TSC) apply to your audit scope. Almost every SOC 2 report includes the Security (Common Criteria) category, and logging requirements are woven throughout it — most directly in CC6 (logical access controls), CC7 (system operations and monitoring), and CC4 (monitoring of controls).

Concretely, this means your logging program needs to demonstrate:

  • CC6.1–CC6.3: who accessed what system or data, including authentication events, privilege changes, and access revocations.
  • CC7.1–CC7.2: detection of anomalies, security events, and incidents through monitoring and alerting.
  • CC4.1: ongoing evaluation of whether controls (including logging controls) are operating effectively.

Write these mappings down. Auditors will ask you to trace a control to evidence, and having a matrix that ties "CC7.2 — intrusion detection" to "centralized SIEM alert logs, 90-day retention" saves hours of back-and-forth during fieldwork.

Step 2: Define What Must Be Logged

Scope creep is the enemy here — logging everything indiscriminately creates noise and storage costs without improving your audit posture. Focus on event categories auditors consistently expect to see:

  • Authentication and authorization events (logins, MFA challenges, failed attempts, password resets)
  • Privileged access and administrative actions (IAM role changes, sudo usage, database admin queries)
  • Data access and modification events for systems handling customer or sensitive data
  • Infrastructure changes (deployments, configuration changes, security group modifications)
  • System and application errors that could indicate security issues

A minimal log entry should capture: timestamp (UTC), actor identity, action taken, source (IP/host), affected resource, and outcome (success/failure). For example, a CloudTrail-style event:

{
  "eventTime": "2026-07-06T14:22:03Z",
  "eventName": "ConsoleLogin",
  "userIdentity": { "type": "IAMUser", "userName": "jsmith" },
  "sourceIPAddress": "203.0.113.44",
  "responseElements": { "ConsoleLogin": "Failure" },
  "mfaUsed": "No"
}

That single record touches authentication, MFA enforcement, and failure tracking — three separate SOC 2 logging controls in one event.

Step 3: Centralize Logs and Make Them Tamper-Evident

Auditors specifically test whether your audit trail SOC 2 evidence can be altered after the fact. Logs sitting only on individual hosts or in application-local files fail this test immediately — anyone with shell access could edit or delete them.

Centralize logs into a dedicated aggregation layer (a SIEM, a log management service, or a cloud-native pipeline) and enforce write-once semantics where possible:

# Example: forward syslog to a central collector with TLS
*.* @@logcollector.internal:6514;RSYSLOG_SyslogProtocol23Format

# Example: enable S3 Object Lock for log archive immutability
aws s3api put-object-lock-configuration \
  --bucket sg-audit-logs \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 365 } }
  }'

Restrict who can modify retention settings or delete log buckets, and log those administrative actions too — a common audit finding is "the people managing the logging system are not themselves logged."

Step 4: Set Retention Periods That Match Your Audit Window

SOC 2 doesn't mandate a universal retention number, but auditors expect retention to cover at least your full audit period (typically 12 months for a Type II report) plus enough buffer to investigate incidents discovered late. Most organizations land on 12–24 months for security-relevant logs, with shorter hot-storage windows (30–90 days) for fast querying and longer cold-storage archives for the remainder.

Document your retention policy explicitly, including:

  • Retention duration per log category
  • Storage tier transitions (hot → cold/archive)
  • Deletion or expiration process, and who approves exceptions

A retention policy that exists only informally in someone's head is a guaranteed audit exception.

Step 5: Restrict and Log Access to the Logs Themselves

This step trips up more teams than any other. If your engineering team has broad read/write access to the logging platform, an auditor will ask how you prevent tampering or unauthorized viewing of sensitive log data (which often contains PII or credentials in error traces).

Apply least-privilege access to your logging infrastructure:

  • Read access scoped by team or system ownership
  • Write/delete access restricted to a small, named group, ideally requiring approval workflows
  • Access to the logging platform itself logged as its own audit trail
# Example IAM policy snippet restricting log bucket writes
{
  "Effect": "Deny",
  "Action": ["s3:DeleteObject", "s3:PutBucketLifecycleConfiguration"],
  "Resource": "arn:aws:s3:::sg-audit-logs/*",
  "Condition": { "StringNotEquals": { "aws:PrincipalTag/team": "security-ops" } }
}

Step 6: Automate Alerting and Anomaly Detection

Collecting logs satisfies part of CC7, but SOC 2 also expects evidence that you actively monitor them. Configure alerts for the events that matter most:

  • Multiple failed authentication attempts followed by success
  • Privilege escalation or new admin role assignments outside change windows
  • Access from unexpected geographies or impossible-travel patterns
  • Logging pipeline failures (a gap in your own audit trail is itself a finding)

Route these alerts to a system with documented triage and response SLAs, and keep the alert-to-resolution history — auditors frequently sample specific alerts and ask you to walk through the response.

Step 7: Document, Test, and Rehearse for the Audit

Build a standing evidence package rather than assembling one reactively. This should include your logging architecture diagram, retention policy, sample log exports per control, access review records for the logging platform, and incident response tickets tied to alerts. Run an internal test quarterly: pick a control (say, "failed login monitoring"), pull real evidence, and confirm it would satisfy an auditor's sample request. Treating this as a recurring exercise — not a pre-audit fire drill — is what separates teams with a mature SOC 2 compliance checklist from those patching gaps under deadline pressure.

Troubleshooting and Verification

Even well-intentioned logging programs run into the same handful of issues. Check these before your audit fieldwork begins:

Gaps in coverage. Query your log aggregator for a 30-day window and confirm every in-scope system reported at least one event per day. Silent gaps (a host that stopped forwarding logs three months ago) are one of the most common findings.

Clock drift. Inconsistent timestamps across systems make correlating events across an audit trail SOC 2 reviewers can trust nearly impossible. Verify NTP synchronization across all logging sources:

timedatectl status | grep "NTP synchronized"

Orphaned retention exceptions. Search for any manually-created lifecycle rules or bucket policies that override your standard retention — these accumulate silently and are exactly what auditors probe for.

Alert fatigue leading to ignored signals. If your security team is muting alerts due to volume, your monitoring control is functionally not operating, even if the logs exist. Tune thresholds and confirm someone can produce a triage record for a sampled alert on demand.

Access review lag. Confirm quarterly access reviews for the logging platform itself are current — a stale review is a fast way to fail CC6 testing even when the underlying logs are solid.

How Safeguard Helps

Meeting SOC 2 audit logging requirements manually — stitching together cloud-native logging services, SIEM rules, retention policies, and access reviews — is exactly the kind of ongoing operational burden that causes controls to quietly decay between audits. Safeguard was built to close that gap for software supply chain and infrastructure security teams.

Safeguard continuously monitors your build, deployment, and access pipelines, capturing tamper-evident audit trails for the events SOC 2 auditors care about most: who touched production, what changed in your CI/CD pipeline, and which credentials or dependencies moved through your systems. Instead of manually mapping evidence to Trust Services Criteria before every audit cycle, teams using Safeguard get continuous, control-mapped evidence collection, automated retention enforcement, and real-time alerting on the anomalies that matter — false logins, unauthorized privilege changes, and pipeline tampering — so your SOC 2 logging controls stay audit-ready year-round instead of becoming a pre-audit scramble.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.