100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Security

Security Logging and Monitoring

Learn why insufficient logging and monitoring lets breaches go undetected for months, and how to build effective detection and response capability.

Data & DependenciesIntermediate8 min readJul 10, 2026
Analogies

Why Logging and Monitoring Failures Matter

Security logging and monitoring failures occur when an application doesn't generate enough security-relevant audit trail (failed logins, access control failures, high-value transactions), when logs are generated but never actually reviewed or alerted on, or when logs themselves are stored insecurely and can be tampered with or deleted by an attacker covering their tracks. This category consistently correlates with breach severity in industry reports like the Verizon Data Breach Investigations Report, because the median time to detect a breach without adequate monitoring has historically stretched into months, giving attackers ample time to move laterally, escalate privileges, and exfiltrate data long before anyone notices anything is wrong.

🏏

Cricket analogy: It is like a stadium running dozens of security cameras that record footage nobody ever reviews unless there's already a known incident, so a pickpocket working the stands for months goes completely unnoticed.

What to Log and How to Protect the Logs Themselves

Effective logging captures authentication events (successes and, especially, failures, with enough context to spot credential stuffing or brute-force patterns), access control decisions (both allowed and denied), input validation failures that suggest probing, and high-value business transactions, all timestamped consistently (UTC), including enough context (user ID, source IP, request ID) to reconstruct an incident without capturing sensitive data itself in plaintext (passwords, full card numbers, tokens) that would just create a second sensitive-data-exposure problem. Because attackers who gain a foothold often try to cover their tracks, logs must be shipped immediately to a separate, append-only or write-once storage system (a centralized SIEM or log aggregation service) that the compromised application server has no ability to modify or delete from, ensuring the audit trail survives even if the source system is fully compromised.

🏏

Cricket analogy: Shipping logs to a separate append-only system immediately is like a match being simultaneously recorded by an independent broadcaster's feed, so even if someone destroys the stadium's own recording, the independent copy survives untouched.

From Logs to Detection: Alerting and Response

Logs alone don't prevent anything; the value comes from active monitoring — automated alerting rules that fire on suspicious patterns (impossible-travel logins, a spike in 403s from one IP, privilege escalation events, unusual data export volumes) routed to a team that actually reviews and triages them, ideally supported by a documented incident response plan with clear escalation paths so a genuine alert doesn't sit in an inbox for days. Mature organizations run these detections through a SIEM or SOAR platform, tune alert thresholds continuously to reduce false-positive fatigue (which causes real alerts to get ignored, exactly what happened before the 2013 Target breach was fully exploited despite an alert having fired), and periodically test detection coverage with red-team exercises or purple-team simulations that intentionally trigger the alerts to confirm the pipeline actually works end to end.

🏏

Cricket analogy: It is like a ground's security team not just having cameras but a dedicated control room actively watching feeds and a radio protocol to immediately alert stewards, rather than footage that's only reviewed after something already went wrong.

javascript
// Structured, context-rich security event logging (no sensitive data in plaintext)
function logSecurityEvent(eventType, req, details = {}) {
  logger.info({
    timestamp: new Date().toISOString(), // consistent UTC timestamp
    eventType,                            // e.g. 'AUTH_FAILURE', 'ACCESS_DENIED'
    userId: req.user ? req.user.id : null,
    sourceIp: req.headers['x-forwarded-for'] || req.ip,
    requestId: req.id,
    path: req.path,
    ...details,                           // never include passwords/tokens/full PANs here
  });
}

// Example usage during a failed login
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body.email, req.body.password);
  if (!user) {
    logSecurityEvent('AUTH_FAILURE', req, { email: req.body.email });
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  logSecurityEvent('AUTH_SUCCESS', req, { userId: user.id });
  res.json({ token: issueSessionToken(user) });
});

Never log sensitive data in plaintext — full passwords, session tokens, complete credit card numbers, or API keys — inside application or access logs. A log aggregation system with broad internal read access effectively becomes a second, often overlooked, sensitive-data-exposure surface if this rule is violated.

The median time-to-detect a breach without adequate monitoring has historically been measured in months rather than days across multiple industry breach reports, which is precisely the gap that centralized logging, automated alerting, and a rehearsed incident response plan are designed to close.

  • Insufficient logging and monitoring lets breaches persist undetected for extended periods, giving attackers time to escalate and exfiltrate.
  • Log authentication events, access control decisions, and high-value transactions with consistent UTC timestamps and enough context to reconstruct incidents.
  • Never log sensitive data (passwords, tokens, full card numbers) in plaintext within logs.
  • Ship logs immediately to a separate, append-only/write-once system so a compromised source server can't tamper with the audit trail.
  • Alerting rules must route to a team that actually reviews and triages them, not just an unread inbox.
  • Continuously tune alert thresholds to avoid false-positive fatigue, which caused a real alert to be missed before the Target breach.
  • Periodically test detection coverage with red-team/purple-team exercises to confirm the full logging-to-response pipeline works.

Practice what you learned

Was this page helpful?

Topics covered

#Security#WebSecurityOWASPStudyNotes#CyberSecurity#SecurityLoggingAndMonitoring#Logging#Monitoring#Failures#Matter#StudyNotes#SkillVeris