An audit log records who did what and when — providing accountability, non-repudiation, and a forensic record for incident investigations and compliance.
Audit logs must be tamper-evident (stored centrally, signed). Key events to log: authentication attempts, privilege use, data access, config changes. Logs are useless without review.