OWASP Logging and Monitoring

Security Logging and Monitoring Failures is A09 in the OWASP Top 10 (2021 edition). Without proper logging, an attack can run undetected for months. Industry breach reports commonly put the average time from compromise to detection, known as dwell time, at over 200 days, although the figure varies widely by sector and by how it is measured. Attackers use that time to steal data, establish persistence, and cover their tracks. Logging and monitoring cut that window down dramatically.

The Security Guard Analogy

A bank installs CCTV cameras but never records footage and has no guard watching the screens. A thief can walk in, take what they want, and leave — no alarm sounds, no footage exists, no one notices until the vault is empty at closing time. A bank with cameras, recording, motion alerts, and a watching guard detects the thief before they reach the vault. Logging is the recording; monitoring is the watching guard.

What Must Be Logged

  Authentication events:
  - Successful logins          (who, when, from where)
  - Failed login attempts      (account, IP, timestamp)
  - Logouts and session expiry

  Authorization events:
  - Access denied (403)        (user, resource, timestamp)
  - Privilege escalation attempts

  Input validation failures:
  - Rejected inputs            (could indicate injection probing)
  - File upload rejections

  Application errors:
  - Unhandled exceptions
  - Database errors            (generic to users, detailed in logs)

  Admin and high-value actions:
  - Account creation, deletion, role changes
  - Password reset requests
  - Configuration changes
  - Data exports

What Must Never Be Logged

  Passwords (even hashed)
  Full credit card numbers
  Social Security / national ID numbers
  Session tokens
  API keys and secrets
  Full request bodies containing sensitive form fields

Logs are often stored with weaker access controls than the main database. Logging sensitive data creates a second, less-protected copy of your most valuable information.

Log Quality: What Makes a Log Entry Useful

  Poor log entry:
  "Login failed"

  Good log entry:
  {
    "timestamp": "2024-11-15T14:32:11Z",
    "event":     "login_failure",
    "username":  "alice@example.com",
    "ip":        "203.0.113.45",
    "user_agent":"Mozilla/5.0 ...",
    "attempt":   7
  }

  The good entry answers: Who? When? From where? How many times?
  The poor entry answers nothing useful for investigation.
  Note what the good entry leaves out: it records the username that was
  tried, never the password that was tried. A mistyped password is usually
  one character away from the real one, so a log of failed passwords is a
  credential store in disguise.
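The two sections above (what must never be logged, and what a useful entry looks like) come together in one place: the function that builds the log entry. The block below is an added example, not code from the page or from OWASP; it shows a small structured-logging helper that scrubs sensitive field names and two kinds of embedded secret (bearer tokens, and digit runs that pass the Luhn check, so card numbers are redacted but order IDs survive) before anything is serialised. The key list, the regexes and the sample events are constructed assumptions for the example and must be adapted to your own field names.

```python
import json
import re
from datetime import datetime, timezone

# Field names whose values must never be written to a log. Constructed for
# this example; extend it to the field names your application actually uses.
SENSITIVE_KEYS = {
    "password", "passwd", "new_password", "old_password",
    "session_token", "session_id", "cookie", "authorization",
    "api_key", "secret", "card_number", "cvv", "ssn", "national_id",
}

# Secrets that hide inside free-text values such as a raw request line.
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")  # length range of payment card numbers


def luhn_ok(digits):
    """Luhn checksum: true for a well-formed card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _redact_pan(match):
    # Only digit runs that pass Luhn are treated as card numbers, so order IDs survive.
    digits = match.group(0)
    return "[REDACTED]" if luhn_ok(digits) else digits


def redact(value):
    """Recursively scrub sensitive keys and embedded secrets from a value."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        value = BEARER_RE.sub("Bearer [REDACTED]", value)
        return DIGIT_RUN_RE.sub(_redact_pan, value)
    return value


def build_event(event, ts=None, **fields):
    """One structured entry: UTC timestamp, event name, then the redacted context fields."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    entry = {"timestamp": ts, "event": event}
    entry.update(redact(fields))
    return entry


def emit(entry, stream=None):
    """Write the entry as one JSON line, the shape a log collector expects."""
    line = json.dumps(entry, sort_keys=True)
    print(line, file=stream)
    return line


if __name__ == "__main__":
    # Constructed samples, not real traffic: a failed login whose request
    # carried the password and a session cookie, and a declined payment.
    emit(build_event("login_failure", username="alice@example.com", ip="203.0.113.45",
                     attempt=7, request={"password": "hunter2", "cookie": "sid=abc123"}))
    emit(build_event("payment_rejected", username="bob@example.com",
                     note="card 4111111111111111 declined for order 20241115000001",
                     headers={"Authorization": "Bearer eyJhbGciOi.e30.sig"}))
```

Redaction at the point of construction is the only place it is guaranteed to run; a filter bolted onto the log shipper later will miss anything written to a local file, stderr, or a crash dump before the shipper saw it. The Luhn test keeps most numeric identifiers readable, but it is a heuristic: a long enough random ID will pass it about one time in ten, which is the right direction to err in.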

Monitoring: Turning Logs into Alerts

Logs alone do nothing. A monitoring system reads logs in real time (or near it) and triggers alerts when patterns indicate an attack. The thresholds below are illustrative starting points, not universal constants: set too low they flood the on-call channel with false positives, set too high they never fire, so tune them against your own baseline traffic.

  Pattern                              Signal
  ──────────────────────────────────────────────────────
  100 failed logins on one account     Brute-force attack
  in 2 minutes from the same IP

  50 different accounts fail login     Credential stuffing attack
  from the same IP in 10 minutes

  User gets 200 access-denied (403)    IDOR enumeration attempt
  responses in 5 minutes

  Admin action at 3:00 AM from a        Compromised admin account
  country the admin has never used      or insider misuse

  500 requests per second on one URL   Denial of service attempt
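The first three rows of the table are all the same shape: a count over a sliding time window, keyed by account, by source IP, or by user. The block below is an added example, not code from the page or from any SIEM product; it implements those three rules over JSON log lines of the kind shown earlier (the `event`, `username`, `ip` and `timestamp` field names are assumptions), with distinct-count logic for the credential-stuffing rule so that one account failing fifty times is not confused with fifty accounts failing once. The sample stream is constructed in a loop, not captured from real traffic.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the table above. Treat them as starting points and
# tune them per application; the windows are sliding, not fixed buckets.
RULES = {
    "brute_force":         {"window": timedelta(minutes=2),  "count": 100},
    "credential_stuffing": {"window": timedelta(minutes=10), "count": 50},
    "idor_enumeration":    {"window": timedelta(minutes=5),  "count": 200},
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


class Detector:
    """Sliding-window counters keyed per rule; fires once when a threshold is crossed."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule, key) -> deque of (timestamp, item)

    def _observe(self, rule, key, ts, item=None):
        r = self.rules[rule]
        dq = self.windows[(rule, key)]
        dq.append((ts, item))
        while ts - dq[0][0] > r["window"]:  # drop observations outside the window
            dq.popleft()
        # Count distinct items (e.g. usernames per IP) when one is given, else raw events.
        hits = len({i for _, i in dq}) if item is not None else len(dq)
        return hits == r["count"]  # exactly at the crossing, so one alert per burst

    def feed(self, entry):
        """Evaluate one parsed log entry; return the list of alerts it triggers."""
        ts = datetime.strptime(entry["timestamp"], TS_FMT)
        alerts = []
        if entry["event"] == "login_failure":
            if self._observe("brute_force", (entry["username"], entry["ip"]), ts):
                alerts.append(("brute_force", entry["ip"], entry["username"]))
            if self._observe("credential_stuffing", entry["ip"], ts, item=entry["username"]):
                alerts.append(("credential_stuffing", entry["ip"]))
        elif entry["event"] == "access_denied":
            if self._observe("idor_enumeration", entry["username"], ts):
                alerts.append(("idor_enumeration", entry["username"]))
        return alerts


def run(lines):
    """Feed JSON log lines through one Detector and collect every alert."""
    det = Detector()
    alerts = []
    for line in lines:
        alerts.extend(det.feed(json.loads(line)))
    return alerts


def sample_stream():
    """Constructed sample log (not real traffic): benign noise plus three attack bursts."""
    base = datetime(2024, 11, 15, 14, 0, 0)

    def ev(sec, event, username, ip, **extra):
        e = {"timestamp": (base + timedelta(seconds=sec)).strftime(TS_FMT),
             "event": event, "username": username, "ip": ip, **extra}
        return json.dumps(e)

    # a real user mistyping a password three times: must not alert
    lines = [ev(i * 30, "login_failure", "carol@example.com", "198.51.100.7") for i in range(3)]
    # 100 failures against one account from one IP within 2 minutes
    lines += [ev(100 + i, "login_failure", "alice@example.com", "203.0.113.45") for i in range(100)]
    # 50 different accounts from one IP within 10 minutes
    lines += [ev(400 + 5 * i, "login_failure", f"user{i}@example.com", "203.0.113.99") for i in range(50)]
    # 200 access-denied responses for one user within 5 minutes
    lines += [ev(1000 + i, "access_denied", "mallory@example.com", "192.0.2.10",
                 resource=f"/api/orders/{1000 + i}") for i in range(200)]
    return lines


if __name__ == "__main__":
    for alert in run(sample_stream()):
        print("ALERT", alert)
```

Firing exactly at the crossing rather than on every event above it is what keeps one burst from producing a hundred pages; the cost is that the rule re-fires if the count falls out of the window and climbs back, which is usually the behaviour you want. The fourth and fifth rows of the table (off-hours admin activity from a new location, request-rate floods) need state this example does not keep, namely a per-admin history of countries and a per-URL rate baseline.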

The Cost of No Logging: A Breach Timeline

  Day 1:   Attacker gains initial access via stolen credentials
  Day 3:   Attacker enumerates the user database (50,000 403 errors — unnoticed)
  Day 10:  Attacker begins exfiltrating data in small chunks daily
  Day 60:  Attacker has copied all customer data
  Day 190: Company discovers the breach (customer reports fraud)
  Day 195: Forensic investigation begins — no logs exist for the first 60 days
           Scope of breach cannot be determined
           Regulators fine the company for inadequate monitoring

Log Storage and Protection

Store Logs Separately from the Application

If an attacker compromises the application server, they should not be able to delete or modify the logs that record their actions. Send logs to a separate log store that the application can append to but cannot read back, modify or delete, protected by its own credentials and access controls rather than the ones the application already holds.

Retain Logs for an Appropriate Period

Regulations and standards both set and constrain retention. PCI DSS requires at least 12 months of audit log history, with the most recent three months immediately available for analysis. HIPAA's documentation retention rule is widely read as requiring six years. GDPR sets no minimum; it limits how long personal data (including the IP addresses and usernames in logs) may be kept, so the retention period must be justified and documented. Security investigations routinely need to look back 90 days or more, and 12 months is a common baseline.

Protect Log Integrity

Use append-only storage for logs so they cannot be edited after the fact. Some systems add cryptographic chaining, where each entry carries a hash or MAC that covers the previous entry's value, so editing, reordering or deleting an entry breaks the chain from that point on. Chaining alone does not detect truncation (dropping the newest entries leaves a shorter but still consistent chain), so the latest chain value must also be recorded somewhere the attacker cannot reach.
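A minimal hash-chained log, as an added example that is not code from the page or from any named product. Each entry's tag is an HMAC-SHA256 over its sequence number, the previous entry's tag and its content; the verifier walks the chain and reports the first entry that fails, and optionally checks the final tag against a head value recorded out of band, which is what catches truncation. The key placement (held only by the log store, never by the application host), the key value and the sample events are assumptions for the example.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous tag" of the very first entry


def _tag(key, seq, prev, data):
    """HMAC-SHA256 over the entry's position, the previous tag, and its content."""
    msg = json.dumps({"seq": seq, "prev": prev, "data": data}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log in which every entry is bound to the one before it.

    Assumed deployment: the key is held only by the log store, never by the
    application host, so an attacker who owns the application cannot re-tag
    entries after editing them.
    """

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, data):
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        tag = _tag(self._key, seq, prev, data)
        self.entries.append({"seq": seq, "prev": prev, "data": data, "tag": tag})
        return tag  # the current head; publish it somewhere the attacker cannot reach

    def head(self):
        return self.entries[-1]["tag"] if self.entries else GENESIS


def verify(entries, key, expected_head=None):
    """Walk the chain. Returns (True, None) or (False, index of the first bad entry).

    Without expected_head, deleting the newest entries is undetectable: the
    shortened chain is still internally consistent. Passing the head that was
    recorded out of band closes that gap.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return (False, i)  # reordered or deleted in the middle
        if not hmac.compare_digest(e["tag"], _tag(key, i, prev, e["data"])):
            return (False, i)  # content edited or tag forged
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return (False, len(entries))  # truncated at the end
    return (True, None)


if __name__ == "__main__":
    # Constructed sample: three events, then the edits an intruder would want to make.
    key = b"log-store-only-key"  # assumption: generated and kept on the log store
    log = ChainedLog(key)
    log.append({"event": "login_success", "username": "admin", "ip": "203.0.113.45"})
    log.append({"event": "role_change", "target": "mallory", "new_role": "admin"})
    log.append({"event": "data_export", "rows": 50000})
    head = log.head()
    print("intact:", verify(log.entries, key, head))

    edited = copy.deepcopy(log.entries)
    edited[1]["data"]["new_role"] = "viewer"  # rewrite the incriminating entry
    print("edited entry 1:", verify(edited, key, head))

    truncated = log.entries[:-1]  # drop the export that would reveal the theft
    print("truncated, chain only:", verify(truncated, key))
    print("truncated, with anchored head:", verify(truncated, key, head))
```

An HMAC chain makes tampering detectable, not impossible: whoever holds the key can rebuild the chain from any point. That is why the key belongs on the log store and the head value belongs somewhere else again (a ticket, a separate account, a periodic signed checkpoint), so that compromising any one host is not enough to both alter the record and hide the alteration.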

Tools for Logging and Monitoring

  Log aggregation:
  ELK Stack (Elasticsearch, Logstash, Kibana)
  Splunk
  Graylog
  AWS CloudWatch Logs

  SIEM (Security Information and Event Management):
  Microsoft Sentinel
  IBM QRadar
  Sumo Logic
  -- These correlate events across systems and generate alerts

OWASP Logging Cheat Sheet Key Points

The OWASP Logging Cheat Sheet recommends using a consistent, structured log format (such as JSON) across all services. Each entry should include a unique event ID, severity level, timestamp in UTC, source IP, user identifier, and a description that is human-readable without revealing sensitive data.

Quick Prevention Checklist

  [✓] Log all authentication events with IP and timestamp
  [✓] Log all access-denied responses
  [✓] Never log passwords, tokens, or card numbers
  [✓] Use structured log format (JSON) across all services
  [✓] Send logs to a separate, tamper-resistant store
  [✓] Set up automated alerts for attack-pattern signatures
  [✓] Define and test an incident response process

Key Takeaway

Logging and monitoring are your early warning system. Without them, attacks run undetected for months. Structured logs sent to a separate, tamper-resistant store, with real-time alerting on attack patterns, can cut dwell time from months to hours.
