Audit functions are not only good for troubleshooting a system but also for analyzing logs that can help uncover malicious activity in the form of insider breaches or outsider intrusions. In an investigation, audit logs help verify whether the security policy was adhered to and how an employee may have been involved in a security violation. All root and administrator activities should also be logged, and the size of all logs kept to a manageable size. Actions that should be logged include user-level events, application-level events, and system-level events.