Only having basic analytics
High level dashboards that show pageviews and sessions, but cannot answer concrete questions about specific events or traffic bursts.
Evidence grade logging for public interest sites
If your work is serious enough to upset someone with power, it is serious enough to need logs that can stand up to questions. Guesswork and vague analytics are not good enough.
I design and configure logging for public interest, advocacy, and watchdog sites so you can show what actually happened on your platform, when, and from where, within lawful limits.
Evidence grade logs
Cloudflare logging
Timeline clarity
Institutional monitoring
Lawful fingerprinting
For a deeper explanation of how lawful fingerprinting supports this, with redacted real world examples, see Fingerprinting and Edge Tracker.
Who this fits in practice
Evidence grade logging is not for vanity metrics. It is for people who expect questions from organisations, regulators, or oversight bodies.
-
Public interest publishers
Independent sites that publish investigations or lived experience accounts about public services, justice, or health systems.
-
Watchdogs and community scrutiny projects
Groups that track how councils, housing providers, or contractors behave over time, and who may need to show patterns of attention.
-
Whistleblower and reporting routes
Platforms that receive sensitive disclosures and might need to demonstrate how those routes were accessed and monitored.
-
NGOs and advocacy organisations
Charities and campaigns that want a clearer view of who is paying attention to sensitive pages beyond supporter stats.
If you might one day be asked to show how your site was accessed, by whom in broad terms, and in what pattern, you are in the right place.
What usually goes wrong with logging
Many projects only discover their logging gap when someone has already challenged them, denied something, or claimed harassment.
No separation between bots and people
Raw numbers that mix crawlers, scrapers, and legitimate visitors, which makes it hard to argue for what actually happened.
Logs that are stored then forgotten
Hosting level logs saved somewhere nobody knows how to access, read, or export when an incident happens or a complaint arrives.
Inconsistent handling of events
Blocks, challenges, and unusual hits are handled ad hoc, with no repeatable pattern or simple narrative that can be shared later.
No view of institutional monitoring
You can see that traffic is up, but not that a cluster of visits came from a particular ASN or set of networks with obvious interests.
Nothing ready when oversight bodies ask questions
Trustees, funders, regulators, or ombudsmen ask what happened, and the answer relies on memory and screenshots from a phone.
Evidence grade logging solves for these problems by setting up clear sources, clear exports, and a clear way to tell the story of what has been happening at the edge of your site.
What evidence grade logging actually means
It is not about infinite detail. It is about the right level of detail, consistently captured, so you can answer reasonable questions later.
- Cloudflare level logging that records relevant fields for public interest work, including IP, ASN, path, method, and security actions.
- Clear distinction between normal, challenged, and blocked traffic, so you can see patterns in how protection kicks in.
- Configured retention and export routes, so important data does not quietly vanish before anyone looks at it.
- A simple, documented way to pull timelines for specific incidents or windows of interest without needing a full time analyst.
- Optional integration with lawful fingerprinting on your own domain, to surface repeat devices and evasive behaviour. Redacted examples live on Fingerprinting and Edge Tracker.
Examples of the questions good logs can answer
Who was paying attention
Not by name, but by network and pattern. For example, whether a particular authority, contractor, or company network repeatedly accessed certain pages.
What changed and when
Whether a spike in requests or challenges correlates with a story going live, an email being sent, or a complaint being raised elsewhere.
How protection behaved
Whether Cloudflare rate limiting, rules, or fingerprinting challenged or blocked particular patterns in a way you can explain.
The point is not to chase every hit. It is to be in a position where, when someone queries your account of events, you have more than a vague sense that something happened.
Lawful, defensive, and proportionate
Evidence grade logging is not about tracking individuals around the internet. It is about knowing what happened on your own site in a way that lines up with law and common sense.
That means collecting what you need, for a clear purpose, and for a sensible length of time. It means being able to explain your setup in plain language to trustees, regulators, or a court if required.
I work on the assumption that your logs might one day be read by people who do not care about your cause. They still need to make sense.
How I work with you on logging
- We map the realistic risks, likely audiences, and kinds of questions you might need to answer later.
- I design a logging setup that reflects that reality, not a generic security template for a random company.
- I implement the Cloudflare and site side changes, with test exports and sanity checks.
- You get short guidance notes and examples, so future you can still understand how to pull information when needed.
How this fits with the rest of your build
Evidence grade logging works best alongside hardened static builds, sensible bot mitigation, and clear boundaries about what you do and do not promise site visitors.
If I am handling your broader build as well, logging is part of the overall architecture, not an afterthought. If I am just handling logs, I work around what you already have and tell you honestly where that creates limits.
For related work, see Secure static sites and Bot mitigation for public interest sites.
Boundaries for logging and monitoring work
Logging is powerful. It needs clear limits so it stays lawful, proportionate, and defensible.
- Ki-Ki configures logging for your own site and infrastructure only. I do not help anyone monitor unrelated sites or services.
- I do not build or assist with tracking that aims to identify individuals by name or to follow them beyond your own domain.
- I work on the basis that your logging and fingerprinting are disclosed properly in your privacy and cookie information.
- I do not write your legal policies. I can highlight gaps so you can fix them with your own advisers.
- You must not present your logs as something they are not. They can show patterns and timelines, not mind reading.
- If I think a proposed logging setup is excessive, unfair, or likely to cause trouble later, I will say so and may refuse the work.
The wider position is set out in the Cookies, analytics, and fingerprinting policy and the Neutral infrastructure policy.
Questions people usually ask about evidence grade logging
Do we really need this, or are basic analytics enough?
If your site is unlikely to attract scrutiny, analytics might be enough. If you publish sensitive work, deal with whistleblowing, or expect institutional interest, you will want logs that can answer specific questions later.
Is this compatible with UK GDPR and data protection law?
Yes, when set up with a clear purpose, limited scope, appropriate retention, and proper transparency. Part of my job is to keep the technical side aligned with those principles. You still need your own legal advice and policies.
Will logging and fingerprinting let us identify individuals by name?
No. Logging and fingerprinting show devices, sessions, networks, and patterns on your own site. They do not attach real world names or personal identities.
Can you help us interpret logs for a specific incident?
Yes. Part of this offer is helping you translate raw logs into a simple narrative that can be understood by trustees, regulators, or oversight bodies, without exaggeration or spin.
How long should we keep logs?
It depends on your work, risk, and legal position. I can suggest practical ranges and trade offs. Final decisions should be taken with your governance and legal leads, then reflected in your policies.
Can you work with our existing hosting and Cloudflare setup?
Often yes. I can review what you already have, tighten Cloudflare, configure logging, and tell you where your current architecture creates limits or blind spots.
Start the conversation
Tell me what kind of work you do, who might one day question it, and what logging you have right now. I will tell you plainly what is worth improving and how heavy that work is likely to be.