diff --git a/src/access.rs b/src/access.rs
index ce071a3..0d87576 100644
--- a/src/access.rs
+++ b/src/access.rs
@@ -1,6 +1,8 @@
 //! Access control logic
 //!
 
+use slog::Logger;
+
 use casbin::prelude::*;
 
 use super::config::Config;
@@ -13,19 +15,26 @@ use crate::error::Result;
 
 #[derive(Clone)]
 pub struct Permissions {
+    log: Logger,
     pdb: Mutable<Enforcer>,
     auth: Authentication,
 }
 
 impl Permissions {
-    pub fn new(pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
-        Self { pdb, auth }
+    pub fn new(log: Logger, pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
+        Self { log, pdb, auth }
     }
 
     pub fn enforce(&self, object: &str, action: &str) -> bool {
         if let Some(actor) = self.auth.get_authzid() {
-            self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap()
+            trace!(self.log, "Checking permission {} for {} on {}", action, actor, object);
+            let r = self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap();
+            if !r {
+                info!(self.log, "Failed permission {} for {} on {}", action, actor, object);
+            }
+            return r;
         } else {
+            info!(self.log, "Attempted anonymous access: {} on {}", action, object);
             false
         }
     }
diff --git a/src/machine.rs b/src/machine.rs
index 5eee400..edd6d90 100644
--- a/src/machine.rs
+++ b/src/machine.rs
@@ -64,11 +64,13 @@ impl api::machines::Server for Machines {
                 let mut b = results.get();
                 let mngr = api::machines::manage::ToClient::new(manager).into_client::<Server>();
                 b.set_manage(mngr);
+                trace!(self.log, "Granted manage on machine {}", uuid);
                 Promise::ok(())
             } else {
                 Promise::err(Error::failed("Permission denied".to_string()))
             }
         } else {
+            info!(self.log, "Attempted manage on invalid machine {}", uuid);
             Promise::err(Error::failed("No such machine".to_string()))
         }
     }
@@ -84,8 +86,10 @@ impl api::machines::Server for Machines {
 
         let mdb = self.mdb.lock_ref();
         if let Some(m) = mdb.get(&uuid) {
+            trace!(self.log, "Granted use on machine {}", uuid);
             Promise::ok(())
         } else {
+            info!(self.log, "Attempted use on invalid machine {}", uuid);
             Promise::err(Error::failed("No such machine".to_string()))
         }
     }
diff --git a/src/main.rs b/src/main.rs
index 56b1f26..81c4246 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -55,6 +55,8 @@ fn main() {
 
     let addr = args[1].to_socket_addrs().unwrap().next().expect("could not parse address");
 
+    let permlog = log.new(o!());
+    let machlog = log.new(o!());
 
     let spawner = exec.spawner();
     let result: Result<(), Box<dyn std::error::Error>> = exec.run_until(async move {
@@ -64,8 +66,8 @@ fn main() {
             let socket = socket?;
             // TODO: Prettify session handling
             let auth = auth::Authentication::new(authp.clone());
-            let perm = access::Permissions::new(enf.clone(), auth.clone());
-            let mach = machine::Machines::new(m.clone(), perm.clone());
+            let perm = access::Permissions::new(permlog.clone(), enf.clone(), auth.clone());
+            let mach = machine::Machines::new(machlog.clone(), m.clone(), perm.clone());
 
             let rpc_system = api::process_socket(auth, perm, mach, socket);
             spawner.spawn_local_obj(