
Audit Logging

The FISMA Document Upload System maintains comprehensive audit logs of all user activities and system events as required for FISMA High Impact Level compliance.


Overview

What is Audit Logging?

Audit logging is the automatic recording of all security-relevant events in the system. Every action you take is recorded with:

  • Who: Your user account (email address)
  • What: The action performed
  • When: Precise timestamp (UTC)
  • Where: IP address and session information
  • How: Success or failure status
  • Why: Context and additional details

Purpose

Audit logs serve multiple purposes:

  ✓ Security Monitoring: Detect unauthorized access attempts
  ✓ Compliance: Meet FISMA High audit requirements (AU-2, AU-3, AU-12)
  ✓ Forensics: Investigate security incidents
  ✓ Accountability: Track all user actions
  ✓ Troubleshooting: Diagnose technical issues


What Gets Logged?

Authentication Events

Every authentication-related action is logged:

  • Login attempts (successful and failed)
  • Logout events
  • MFA code requests
  • MFA code verification (successful and failed)
  • Passkey registrations
  • Passkey authentications
  • Passkey removals
  • Password reset requests
  • Password changes
  • Account lockouts (after failed attempts)
  • Session timeouts
  • Session extensions

Example log entries:

[2025-11-30 14:32:15 UTC] LOGIN_SUCCESS user=attorney@example.com ip=192.0.2.45 session=abc123
[2025-11-30 14:32:20 UTC] MFA_CODE_SENT user=attorney@example.com
[2025-11-30 14:32:45 UTC] MFA_VERIFY_SUCCESS user=attorney@example.com
[2025-11-30 14:40:10 UTC] PASSKEY_AUTH_SUCCESS user=attorney@example.com device=YubiKey


File Upload Events

All document upload activities are logged:

  • Upload initiated
  • File metadata (name, size, type)
  • Case number provided
  • Encryption start/complete
  • Upload success/failure
  • Virus scan results
  • Transfer to MOVEit
  • Upload reference ID

Example log entries:

[2025-11-30 14:45:00 UTC] UPLOAD_INITIATED user=attorney@example.com case=1-25-cv-12345-RSM file=sealed_motion.pdf size=2.4MB
[2025-11-30 14:45:03 UTC] FILE_ENCRYPTED upload_id=upload-2025-11-30-a1b2c3d4e5f6 algorithm=AES-256-CBC
[2025-11-30 14:45:05 UTC] VIRUS_SCAN_CLEAN upload_id=upload-2025-11-30-a1b2c3d4e5f6
[2025-11-30 14:45:07 UTC] UPLOAD_SUCCESS upload_id=upload-2025-11-30-a1b2c3d4e5f6 user=attorney@example.com
[2025-11-30 14:45:10 UTC] MOVEIT_TRANSFER_SUCCESS upload_id=upload-2025-11-30-a1b2c3d4e5f6


Account Management Events

User account changes are tracked:

  • Registration requests
  • Email verifications
  • Account activations
  • Profile updates (if applicable)
  • Account status changes

Example log entries:

[2025-11-30 10:00:00 UTC] REGISTRATION_REQUEST email=attorney@example.com
[2025-11-30 10:02:30 UTC] EMAIL_VERIFIED email=attorney@example.com token=xyz789
[2025-11-30 10:02:31 UTC] ACCOUNT_ACTIVATED email=attorney@example.com


Security Events

Critical security events generate audit entries:

  • Failed login attempts (including wrong password, wrong MFA code)
  • Account lockouts
  • Suspicious activity detection
  • Password reset abuse attempts
  • Session hijacking attempts
  • Invalid token usage
  • Expired session access attempts

Example log entries:

[2025-11-30 15:10:05 UTC] LOGIN_FAILED user=attorney@example.com reason=invalid_password attempt=1
[2025-11-30 15:10:20 UTC] LOGIN_FAILED user=attorney@example.com reason=invalid_password attempt=2
[2025-11-30 15:10:35 UTC] LOGIN_FAILED user=attorney@example.com reason=invalid_password attempt=3
[2025-11-30 15:10:35 UTC] ACCOUNT_LOCKED user=attorney@example.com reason=max_failed_attempts
[2025-11-30 15:10:36 UTC] SECURITY_ALERT_SENT user=attorney@example.com type=account_lockout


System Events

Background system activities are logged:

  • Session cleanup (expired sessions removed)
  • Database backups
  • Key rotation (encryption keys)
  • System maintenance
  • Configuration changes
  • Service starts/stops

Audit Log Details

Information Captured

Each audit log entry includes:

| Field | Description | Example |
|---|---|---|
| Timestamp | Exact date/time (UTC) | 2025-11-30 14:32:15 UTC |
| Event Type | Type of action | LOGIN_SUCCESS |
| User | Email address | attorney@example.com |
| IP Address | Source IP (anonymized for privacy) | 192.0.2.45 |
| Session ID | Unique session identifier | abc123def456 |
| Result | Success or failure | SUCCESS |
| Details | Additional context | session_duration=8m34s |
| Reference ID | Related transaction ID | upload-2025-11-30-a1b2c3d4 |

Privacy Protections

What is NOT Logged

To protect attorney-client privilege and case confidentiality:

  ❌ Document contents - Never logged or stored in audit trail
  ❌ Case details - Beyond case number, no case-specific information
  ❌ Passwords - Never logged (even failed attempts don't log the password)
  ❌ Document names - Filenames are hashed or redacted
  ❌ Personally identifiable information - Minimized and protected

Data Protection

Audit logs are:

  • Stored on secure, encrypted servers
  • Access restricted to authorized court personnel only
  • Retained according to federal records retention requirements
  • Protected with integrity controls (tamper-evident)
  • Backed up for disaster recovery

User Rights & Access

Can You Access Your Audit Logs?

Currently, attorneys do not have direct access to view their audit logs through the system interface.

However, you may request your audit log records by:

  1. Contacting the Clerk's Office in writing
  2. Providing the specific date range you want records for
  3. Stating the purpose of the request
  4. Allowing processing time (typically 5-10 business days)

Contact: ecfinfo@waed.uscourts.gov

Your Awareness

While you cannot view logs directly, you should be aware that:

  ✓ All your actions are recorded
  ✓ Logs are used for security and compliance
  ✓ Logs may be reviewed during security investigations
  ✓ Logs are retained for multiple years per federal policy


Compliance Standards

FISMA High Requirements

The audit logging system meets these NIST 800-53 controls:

  • AU-2: Audit Events - Comprehensive event logging
  • AU-3: Content of Audit Records - Detailed audit record content
  • AU-6: Audit Review, Analysis, and Reporting - Regular log review
  • AU-7: Audit Reduction and Report Generation - Log analysis tools
  • AU-8: Time Stamps - Synchronized UTC timestamps
  • AU-9: Protection of Audit Information - Log integrity and access controls
  • AU-11: Audit Record Retention - Long-term retention per federal policy
  • AU-12: Audit Generation - System-wide audit capability

Security Monitoring

Active Monitoring

The Court's IT security team actively monitors audit logs for:

  ⚠️ Suspicious patterns - Unusual access times or locations
  ⚠️ Failed authentication attempts - Possible unauthorized access attempts
  ⚠️ Account abuse - Excessive file uploads or downloads
  ⚠️ System anomalies - Unexpected errors or failures

Automated Alerts

Certain events trigger immediate security alerts:

  • Multiple failed login attempts (5+ in 15 minutes)
  • Account lockouts
  • Login from unusual IP address or location
  • Rapid-fire password reset requests
  • Large file upload failures (possible attack)

Security staff investigate these alerts within minutes to hours depending on severity.
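
The "5+ failed logins in 15 minutes" rule above, applied to entries in the layout used by the example log entries on this page. This is an added illustration, not the system's own code: the function names, the burst-reset behaviour and the sample lines are constructed for the example, and it assumes entries arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of the example entries on this page: [YYYY-MM-DD HH:MM:SS UTC] EVENT key=value ...
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\] ([A-Z_]+)(?: (.*))?$")

def parse_entry(line):
    """Return (timestamp, event, fields), or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    pairs = (kv.split("=", 1) for kv in (m.group(3) or "").split() if "=" in kv)
    return ts, m.group(2), dict(pairs)

def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=15)):
    """Return (alerts, skipped): one (user, time) alert per burst of `threshold` failures
    inside `window`, plus the number of unparseable lines. Lines must be in time order."""
    recent = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts, skipped = [], 0
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            skipped += 1           # count malformed lines instead of dropping them silently
            continue
        ts, event, fields = entry
        user = fields.get("user")
        if event != "LOGIN_FAILED" or user is None:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # discard failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()              # a further alert needs a fresh burst
    return alerts, skipped

# Constructed sample: a@ fails 5 times in 8 minutes, b@ fails 5 times over 40 minutes.
FMT = "[2025-11-30 15:{:02d}:00 UTC] LOGIN_FAILED user={} reason=invalid_password"
SAMPLE = sorted([FMT.format(m, "a@example.com") for m in (0, 2, 4, 6, 8)]
                + [FMT.format(m, "b@example.com") for m in (1, 11, 21, 31, 41)]
                + ["[2025-11-30 15:09:00 UTC] LOGIN_SUCCESS user=b@example.com ip=192.0.2.45"])
SAMPLE.append("truncated entry with no timestamp")

if __name__ == "__main__":
    print(failed_login_alerts(SAMPLE))
```

Only the burst from a@example.com raises an alert; the slower failures from b@example.com never have five inside one window, and the malformed line is counted so a reviewer can see that input was skipped.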


Incident Response

If There's a Security Incident

In the event of a security incident involving your account:

  1. Notification: You'll be contacted by the Clerk's Office
  2. Investigation: Audit logs will be reviewed
  3. Actions: May include password reset, account restrictions, etc.
  4. Resolution: You'll be informed of findings and next steps

Reporting Suspicious Activity

If you suspect unauthorized access to your account:

  1. Change your password immediately
  2. Contact Clerk's Office: (509) 458-3410 or ecfinfo@waed.uscourts.gov
  3. Note any unusual activity: Login times, failed attempts, unexpected emails
  4. Preserve evidence: Don't delete suspicious emails

The audit logs will help investigate and determine if unauthorized access occurred.


Retention & Disposal

Retention Period

Audit logs are retained for:

  • Active logs: Minimum 3 years on primary systems
  • Archived logs: Minimum 7 years in secure archive
  • Critical incidents: Indefinite retention per legal hold

Retention meets federal court records requirements and FISMA compliance mandates.

Secure Disposal

When audit logs reach end-of-retention:

  • Logs are securely deleted using approved data destruction methods
  • Deletion is logged and verified
  • Backups are also securely destroyed
  • Chain of custody documented


Questions About Audit Logging?

For questions about audit logging, data retention, or to request your audit records:

Eastern District of Washington - Clerk's Office
Phone: (509) 458-3410
Email: ecfinfo@waed.uscourts.gov
Hours: Monday-Friday, 8:00 AM - 5:00 PM Pacific Time