Audit Trail

Definition

An audit trail is an append-only chronological record of the events that changed a system's state — each entry carrying enough information (timestamp, actor, action, before and after values, correlation id) that the entire history of state evolution can be reconstructed after the fact. The defining property is that the log cannot be silently overwritten; corrections appear as new entries, not as edits to old ones.

The pattern originates in financial accounting, where the inability to alter a posted entry is what gives a ledger its evidentiary value. It has since become the standard reliability tool in any domain where the question "how did the system get into this state?" must be answerable hours, days, or years after the fact — regulated industries, distributed systems, security forensics, and any application that touches money.

How it works

A useful audit trail is more than a pile of log lines. Each entry should carry a monotonic ordering key (timestamp plus sequence number to break ties), an actor identifier (which user, service, or scheduled job initiated the change), the action taken, the affected entity, and ideally both the prior and resulting state — or enough information to recompute them. Correlation identifiers thread entries together across services so that a single business event (a trade, a payment, a registration) can be traced through every microservice it touched.

Storage typically tiers by access frequency: hot indexed entries in a queryable store for ongoing operations, warm entries in compressed object storage for occasional investigations, and cold entries in immutable archives for regulatory retention. The hardest engineering problem is usually integrity: if an attacker or a buggy migration can rewrite the trail, the trail loses its evidentiary value. Defences include hash chains (each entry's hash incorporates the previous entry's hash, so altering one entry breaks every link after it), write-once storage (WORM-mode object stores or append-only databases), and external timestamping or anchoring of periodic checkpoints. The audit trail itself must be more trustworthy than the systems it audits, or it is decoration rather than evidence.
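As an added illustration (not code from the original page), a minimal hash-chained audit trail in Python: each entry carries the fields described above, its hash covers the previous entry's hash, `verify` reports the first altered entry, and comparing the chain head against an externally anchored checkpoint catches tail truncation that the links alone cannot. The class, field names and all sample entries are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash carried by the very first entry

def entry_hash(prev_hash, body):
    """Hash an entry together with its predecessor's hash (the chain link)."""
    # Canonical JSON so the same logical entry always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []  # append-only, in-memory for illustration

    def append(self, ts, actor, action, entity, before, after, correlation_id):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,  # tie-breaker for equal timestamps
            "ts": ts, "actor": actor, "action": action, "entity": entity,
            "before": before, "after": after, "correlation_id": correlation_id,
            "prev_hash": prev,
        }
        self.entries.append({**body, "hash": entry_hash(prev, body)})
        return self.entries[-1]["hash"]  # chain head; anchor it as a checkpoint

    def verify(self, anchored_head=None):
        """Return (ok, index): index is the first bad entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        # Links alone miss entries dropped from the tail; an anchored head does not.
        if anchored_head is not None and prev != anchored_head:
            return False, len(self.entries)
        return True, -1

def build_sample_trail():
    """Constructed sample: one payment traced across two accounts, then an edit."""
    t = AuditTrail()
    t.append("2024-01-01T09:00:00Z", "svc-payments", "debit", "account:42",
             {"balance": 100}, {"balance": 40}, "pay-7f3a")
    t.append("2024-01-01T09:00:00Z", "svc-payments", "credit", "account:17",
             {"balance": 5}, {"balance": 65}, "pay-7f3a")
    t.append("2024-01-01T09:05:12Z", "alice", "update", "account:42",
             {"limit": 500}, {"limit": 1000}, "req-c01d")
    return t
```

Editing entry 2's `after` value in place makes `verify` return `(False, 1)`, while removing the last entry passes link verification and is only caught when the head is checked against the anchored checkpoint.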
