
Insufficient Logging



Description

Insufficient Logging and Monitoring is a broad weakness category that covers poorly configured security tooling, missing or incomplete logging, and weak detection practices. The result is that unusual activity, or an outright intrusion, goes unnoticed in the environment.

Many defense teams use tools like Security Information and Event Management (SIEM) systems to track and flag suspicious behavior, but these tools are ineffective if they aren’t fed the right events or aren’t properly configured. The problem is long-standing: it has been part of the OWASP Top 10 since 2017, first as Insufficient Logging & Monitoring and, since the 2021 edition, as Security Logging and Monitoring Failures. Malicious actors know how to exploit gaps in monitoring to evade detection and carry out their attacks.

What makes Security Logging and Monitoring Failures stand out in the OWASP Top 10 is that it’s not a direct vulnerability in the usual sense. Instead, it describes missing (or inadequately implemented) detection and response practices that, taken together, delay the identification of a breach or prevent it from being detected at all. The same gaps make it harder to investigate an incident once it has happened, because the evidence was never recorded or has since been lost.

One of the biggest challenges security teams face is that the sheer amount of logs generated can be overwhelming. Logs are spread across so many different components that monitoring them all effectively can feel unmanageable.

Having good logging and monitoring in place is crucial for any IT environment. Without it, an organization has no reliable way to know whether it is under attack, and no record to reconstruct what happened afterwards.

Security Logging and Monitoring Failures happen when:

  • SIEM systems are misconfigured and can’t flag the right events.

  • Logs from applications, devices, or APIs aren’t monitored for unusual behavior.

  • Alerts are so noisy or poorly tuned that they obscure real threats instead of surfacing them.

  • Logs aren’t protected and can be tampered with or deleted by attackers.

  • Important events such as logins, failed logins, and access control failures aren’t logged due to misconfiguration, or are logged without enough context (user, source address, time, outcome) to be useful.

  • Logs are stored only on the host that produced them, with no copy elsewhere, so an attacker who compromises that host can erase the evidence.

Impact

Logging and monitoring do not stop an attack by themselves; they give defenders the visibility needed to detect it and respond before it succeeds. Most attacks start with reconnaissance and probing for vulnerabilities. If those activities go unnoticed because they are not logged or not monitored, the attacker has time to move from probing to exploitation, and the chance of interrupting the attack before damage is done shrinks accordingly.

In 2024, the average time to identify that a breach had occurred was reported as 194 days. This highlights how poorly implemented logging and monitoring can allow threats to go unnoticed for months and makes any post-breach investigation much harder.

Prevention

Security teams often have to make tough calls on which systems need the most protection. Generally speaking, the more valuable the data, the more effort should go into logging and monitoring to catch potential threats. But logging for its own sake isn’t the answer: excessive, unstructured logs bury the events that matter and consume storage and analyst time without improving detection.

Administrators should:

  • Log application errors, runtime issues, connectivity problems, file system errors, and any configuration changes.

  • Log server-side input validation failures, failed logins, and access control failures with enough user context (account, source address, timestamp, outcome) to identify suspicious or malicious accounts, but never credentials, session tokens, or full payment card numbers.

  • Log sensitive activities such as access to payment card data, cryptographic key changes, and actions performed by admin users.

  • Work with different departments to ensure everyone is clear on the legal and compliance needs, like for PCI DSS, HIPAA, or Sarbanes-Oxley, and make sure the relevant logging and monitoring processes are in place.

  • Centralize logs in an auditable system with redundancy in place, using a structured format (for example one JSON object per event) that log management and SIEM tools can consume without custom parsing.

  • Protect the integrity of audit trails, for example with append-only storage, write access restricted to the log collector, or cryptographic chaining of records, so that tampering is prevented or at least detectable.

  • Have an incident response plan in place that ensures logs can be accessed during a post-breach audit.
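As an added example (not SecureFlag’s code and not part of the original page), the following Python logger applies several of the points above: every security event is emitted as one structured JSON line with a timestamp, event type, outcome, user and source address; values under sensitive keys are redacted; control characters in user-controlled fields are replaced so an attacker cannot forge extra log lines; and each record carries an HMAC over its own content plus the previous record’s MAC, so deleting, reordering or editing a record is detectable by anyone holding the key. The field names, the list of redacted keys and the sample events are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Keys whose values must never reach the log. Assumption: these are the field
# names the application uses for credentials and card data.
REDACTED_KEYS = {"password", "passwd", "secret", "token", "authorization", "card_number", "pan"}
# Newlines and other control characters would let an attacker forge extra
# entries or break the parser downstream.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _scrub(value):
    """Neutralize control characters in attacker-controlled strings and cap their length."""
    if isinstance(value, str):
        return _CONTROL.sub("?", value)[:512]
    return value


def _redact(details):
    """Replace secret values with a marker and scrub everything else."""
    return {k: ("[REDACTED]" if k.lower() in REDACTED_KEYS else _scrub(v)) for k, v in details.items()}


class SecurityLogger:
    """Emits one JSON object per line. Each record's MAC covers its content and the
    previous record's MAC, so the records form a chain that verify_chain() can check."""

    def __init__(self, key: bytes, sink=None):
        self._key = key
        self._prev = "0" * 64          # genesis value for the first record
        self._sink = sink if sink is not None else []   # list stands in for a file or socket

    def event(self, event_type, outcome, user=None, source_ip=None, **details):
        record = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "event": event_type,
            "outcome": outcome,
            "user": _scrub(user),
            "source_ip": _scrub(source_ip),
            "details": _redact(details),
            "prev": self._prev,
        }
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        record["mac"] = mac
        self._prev = mac
        line = json.dumps(record, sort_keys=True, separators=(",", ":"))
        self._sink.append(line)
        return line

    @property
    def lines(self):
        return list(self._sink)


def verify_chain(lines, key: bytes):
    """Return None if the chain is intact, else the 0-based index of the first bad record."""
    prev = "0" * 64
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
            mac = record.pop("mac")
        except (ValueError, KeyError):
            return i                      # unparseable or unsigned record
        if record.get("prev") != prev:
            return i                      # a record was deleted, inserted or reordered
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return i                      # record content was edited
        prev = mac
    return None


if __name__ == "__main__":
    key = b"collector-side-key"          # assumption: held by the log collector, not the app host
    log = SecurityLogger(key)
    log.event("login", "failure", user="alice", source_ip="203.0.113.5", password="hunter2")
    log.event("login", "failure", user="bob\r\nINFO login ok", source_ip="203.0.113.5")
    log.event("admin_action", "success", user="root", source_ip="198.51.100.7", action="reset_password")
    for line in log.lines:
        print(line)
    tampered = log.lines
    tampered[1] = tampered[1].replace('"failure"', '"success"')
    print("intact chain:", verify_chain(log.lines, key))
    print("first bad record after tampering:", verify_chain(tampered, key))
```

The chain makes tampering detectable, not impossible: an attacker who obtains the key can rewrite the whole chain, so the key belongs with the log collector rather than on the application host, and the records still need to be shipped off-host as the list above says.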

Testing

Trigger the security-relevant events listed under Prevention (a failed login, an access control failure, a server-side input validation failure, an administrative action) and confirm that each one produces a log entry containing a timestamp, the event type, the outcome, the acting user and the source address. Check that entries are shipped to a central system rather than kept only on the host, that the application’s own account cannot modify or delete them, that they contain no credentials, session tokens or card data, and that attacker-controlled input cannot inject line breaks to forge entries. Finally, confirm that the logs are actually being watched, whether locally or through a remote system: a burst of failed logins from one source should raise an alert.
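Those checks can be automated against the log itself. The following Python script is an added example, not part of the original page: it parses a small constructed sample of JSON-line log entries (the format, the field names and the required event types are assumptions), reports required events that never appear and entries that lack a required field, and runs a simple sliding-window rule that flags any source address with five or more failed logins within five minutes. The sample deliberately omits an input_validation event and one source_ip so the audit has something to report.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example (not real traffic). One JSON object per
# line; the field names are an assumption about how the application logs.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"login","outcome":"failure","user":"alice","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:10Z","event":"login","outcome":"failure","user":"alice","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:20Z","event":"login","outcome":"failure","user":"bob","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:30Z","event":"login","outcome":"failure","user":"carol","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:40Z","event":"login","outcome":"failure","user":"dave","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:01:00Z","event":"login","outcome":"failure","user":"eve","source_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:02:00Z","event":"login","outcome":"success","user":"alice","source_ip":"198.51.100.7"}
{"ts":"2024-05-01T10:03:00Z","event":"access_denied","outcome":"failure","user":"bob"}
{"ts":"2024-05-01T10:04:00Z","event":"admin_action","outcome":"success","user":"root","source_ip":"198.51.100.7"}
{"ts":"2024-05-01T10:30:00Z","event":"login","outcome":"failure","user":"mallory","source_ip":"192.0.2.9"}
{"ts":"2024-05-01T11:00:00Z","event":"login","outcome":"failure","user":"mallory","source_ip":"192.0.2.9"}
"""

# Context every entry must carry to be useful in an investigation.
REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "source_ip")
# Event types the Prevention list says must be logged (assumed names).
REQUIRED_EVENTS = ("login", "access_denied", "input_validation", "admin_action")


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse(log_text):
    """Return (records, bad_line_numbers); each record keeps its 1-based line number."""
    records, bad = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            bad.append(n)
            continue
        rec["_line"] = n
        records.append(rec)
    return records, bad


def audit_coverage(records):
    """Report required events that never appear and records missing a required field."""
    seen = {r.get("event") for r in records}
    missing_fields = [(r["_line"], f) for r in records for f in REQUIRED_FIELDS if not r.get(f)]
    missing_events = [e for e in REQUIRED_EVENTS if e not in seen]
    return {"missing_fields": missing_fields, "missing_events": missing_events}


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with `threshold` or more failed logins inside `window`.
    Returns {source_ip: failures in the window at the moment the rule first fired}."""
    failures = defaultdict(list)
    for r in records:
        if r.get("event") == "login" and r.get("outcome") == "failure" and r.get("source_ip"):
            failures[r["source_ip"]].append(_ts(r["ts"]))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward past old failures
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = end - start + 1
                break
    return alerts


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print("unparseable lines:", bad)
    print("coverage:", audit_coverage(recs))
    print("brute-force alerts:", detect_bruteforce(recs))
```

On the sample, the coverage report names line 8 (the access_denied entry without a source address) and the never-seen input_validation event, and the rule fires for 203.0.113.5 after its fifth failure in forty seconds while the two failures from 192.0.2.9, thirty minutes apart, stay below the threshold. A real SIEM rule would also consider failures per account across many addresses, which this single-address window does not catch.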

References

OWASP Top 10:2021 - Security Logging and Monitoring Failures

MITRE - CWE-778 Insufficient Logging
