Administrative audit logs should contain a timestamp, username, source IP address* (where applicable) and the function/action performed. Logs should be collected in a centralized log solution. For on-prem and CloudShield2 services, utilize HUIT SplunkCloud.

*In the case where load balancers are deployed, ensure that logs contain the actual source address of the client, and not of the load balancer.