Auditing is one of the main pillars of security policies. The question is how to do it wisely.
The infrastructure can log almost everything: for example, access to files, registry keys, databases, etc. The problem is that the infrastructure has no knowledge of the application's use cases, which means that the context for these logs is missing.
Let us ask: what is the purpose of auditing? The trivial reason is to collect information that will be useful in case of a problem; yet how do you know that there is a problem at all?
Auditing can help you identify that you are in an abnormal state and something is wrong.
To do that, you have to be able to distinguish between normality and abnormality. The application knows its use cases; it knows their behavior patterns and so can identify that something is wrong. This is why only the application layer can perform smart security auditing.
Application logging and auditing are used to collect enough information to analyze the behavior of the application's use cases and to identify any abnormal situation. Once an abnormal situation has been identified, the information collected with traditional (infrastructure) logging is used to pinpoint the problem and find the best action.
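As an added example, not part of the original post, the following shows what application-level auditing can see that an infrastructure log cannot: the application records each event with its use-case context and checks it against the expected behavior pattern of that use case. The password-reset flow, its step names and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Expected behavior pattern of one use case (constructed example): each step may
# only follow the steps listed as its predecessors; None marks the first step.
# An infrastructure log would see only "row updated in users table" for the last step.
PASSWORD_RESET_FLOW: Dict[str, Set[Optional[str]]] = {
    "reset_requested": {None},
    "token_sent": {"reset_requested"},
    "token_verified": {"token_sent"},
    "password_changed": {"token_verified"},
}

@dataclass
class AuditEvent:
    user: str
    use_case: str
    step: str

@dataclass
class UseCaseAuditor:
    flow: Dict[str, Set[Optional[str]]]
    state: Dict[Tuple[str, str], str] = field(default_factory=dict)  # last step per user/use case
    anomalies: List[str] = field(default_factory=list)

    def record(self, ev: AuditEvent) -> bool:
        """Record one event; return True if it fits the expected pattern of its use case."""
        key = (ev.user, ev.use_case)
        prev = self.state.get(key)
        allowed = self.flow.get(ev.step)
        if allowed is None or prev not in allowed:
            self.anomalies.append(f"{ev.user}/{ev.use_case}: '{ev.step}' after {prev!r} is outside the expected flow")
            return False
        self.state[key] = ev.step
        if ev.step == "password_changed":  # use case completed; the next one starts from scratch
            del self.state[key]
        return True

def analyse(events: List[AuditEvent]) -> List[str]:
    auditor = UseCaseAuditor(PASSWORD_RESET_FLOW)
    for ev in events:
        auditor.record(ev)
    return auditor.anomalies

# Constructed sample: alice follows the pattern; bob's password changes without a
# verified token, which only the application-level context reveals.
SAMPLE = [AuditEvent(u, "password_reset", s) for u, s in [
    ("alice", "reset_requested"), ("alice", "token_sent"), ("alice", "token_verified"),
    ("alice", "password_changed"), ("bob", "reset_requested"), ("bob", "password_changed"),
]]
```

Running `analyse(SAMPLE)` returns one anomaly for bob and none for alice; the infrastructure log would show two password updates that look identical.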