Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Log records that cannot be altered or deleted once written, providing tamper-evident evidence for forensics, audit, and compliance.
Immutable Logs Definition: Log records that cannot be altered or deleted once written, providing tamper-evident evidence for forensics, audit, and compliance.
Immutable logs are log records that cannot be modified, overwritten, or deleted after they are written. This write-once property gives auditors and incident responders a trustworthy, tamper-evident record of system and user activity, which is essential for forensic investigation, non-repudiation, and demonstrating compliance.
Immutability is enforced through several mechanisms: write-once-read-many (WORM) storage, append-only data stores, object-storage object lock and legal holds (for example, Amazon S3 Object Lock in compliance mode), and cryptographic hash chaining where each entry includes a hash of the previous one so any alteration breaks the chain. Centralized log forwarding to a separate, access-restricted system prevents an attacker who compromises a host from rewriting that host's local logs. Digital signatures and trusted timestamps further bind records to a verifiable point in time.
For security, immutable logs are critical because attackers routinely attempt to cover their tracks by clearing event logs, editing entries, or disabling logging, an early step in many intrusions mapped to MITRE ATT&CK's Indicator Removal technique. If logs can be altered, they cannot be trusted as evidence in court or relied upon to reconstruct an attack. Regulations such as PCI DSS, HIPAA, and SOX require protected, retained audit trails, and immutability is how organizations meet that bar.
For example, after a breach a SOC pulls authentication logs to trace lateral movement. Because logs were shipped in real time to an append-only SIEM backed by WORM storage with hash chaining, investigators can prove the records were not tampered with even though the attacker deleted local Windows event logs on the compromised servers. The intact, verifiable timeline supports both remediation and potential legal action, something that would be impossible if only the mutable on-host logs existed.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →