Audit vs Monitoring vs Tracing vs Logging vs Compliance vs Observability
amitmund
April 30, 2026
Audit
“Was the system configured securely?”
It is usually:
- periodic
- snapshot-based
- compliance-driven
- security-focused
## Examples:
- world writable files
- SUID/SGID checks
- SSH hardening
- kernel parameters
- cron jobs
- CIS benchmark checks
## Characteristics
State inspection, not live behaviour tracking.
Monitoring
“Is the system healthy right now?”
Usually:
- continuous
- near real-time
- alert-driven
- operational
## Examples:
- CPU usage
- memory spikes
- disk full
- service down
- port suddenly opened
- suspicious process appears
## Monitoring Characteristics
Current state + alerts
## Example
Port 4444 suddenly opened
This is monitoring.
Tracing
“What happened step-by-step?”
Usually:
- request flow tracking
- distributed systems
- performance debugging
## Examples:
- API request path
- service latency chain
- database slow query path
## Example
Request hit nginx → app → DB → cache
This is tracing.
Logging
“What happened?”
## Examples:
- auth.log
- syslog
- application logs
- auditd logs
## Example
sudo used by unexpected user
This is logging.
Compliance
“Do we satisfy required standards?”
## Examples:
- CIS
- PCI-DSS
- SOC2
- ISO27001
- HIPAA
## Example
CIS 5.2.8 passed?
This is compliance.
Observability
“Why is this happening?”
This is the umbrella concept.
Includes:
- logs
- metrics
- traces
- events
- audit data
Observability = ability to understand unknown problems.
## Example
CPU spike + memfd + SSH login + new cron job
Now you can explain the incident.
That is observability.
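The correlation in the Observability example above (CPU spike + memfd + SSH login + new cron job), as an added Python example that is not part of the original post: it joins constructed events from logs, metrics and audit data per host and time window, so signals that are each only a monitoring or logging item become one explainable timeline. The event tuples, host names, signal labels and the 10-minute window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real telemetry):
# (timestamp, host, source, signal, detail)
EVENTS = [
    ("2026-04-30T02:10:05", "web01", "logs", "ssh_login", "login for user deploy from 203.0.113.7"),
    ("2026-04-30T02:11:40", "web01", "audit", "memfd_exec", "process running from a memfd-backed file"),
    ("2026-04-30T02:12:10", "web01", "metrics", "cpu_spike", "cpu 97% for 60s"),
    ("2026-04-30T02:14:30", "web01", "audit", "new_cron", "new cron job created"),
    ("2026-04-30T09:00:00", "web02", "metrics", "cpu_spike", "cpu 95% for 60s"),
    ("2026-04-30T13:00:00", "web01", "logs", "ssh_login", "login for user admin from 198.51.100.4"),
]


def correlate(events, window=timedelta(minutes=10), min_signals=3):
    """Cluster each host's events by time and keep the clusters in which at
    least `min_signals` different signal types occur together."""
    by_host = defaultdict(list)
    for ts, host, source, signal, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), source, signal, detail))

    incidents = []
    for host, rows in sorted(by_host.items()):
        rows.sort()
        cluster = []
        for row in rows + [None]:  # trailing None flushes the last cluster
            if row is not None and (not cluster or row[0] - cluster[0][0] <= window):
                cluster.append(row)
                continue
            if len({r[2] for r in cluster}) >= min_signals:
                incidents.append({
                    "host": host,
                    "start": cluster[0][0],
                    "end": cluster[-1][0],
                    "timeline": [r[2] for r in cluster],
                    "sources": sorted({r[1] for r in cluster}),
                })
            cluster = [row] if row is not None else []
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['host']} {inc['start']:%H:%M:%S}-{inc['end']:%H:%M:%S} "
              f"sources={inc['sources']}: {' -> '.join(inc['timeline'])}")
```

The lone CPU spike on web02 and the isolated afternoon login on web01 stay below the threshold: on their own they are monitoring and logging items, not an explained incident.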