
10/3/2025 • 4 min read
Logging Failures: OWASP Top 10 Explained
Estimated reading time: ~8 minutes
The Problem
The average breach takes 277 days to detect. Why? Missing logs and weak monitoring.
Without proper logging and monitoring, attacks can go undetected for months, allowing attackers to establish persistence and cause maximum damage. This is why Security Logging and Monitoring Failures is a critical category in the OWASP Top 10.
What It Is
Failing to log, monitor, and alert on suspicious activity. This includes:
- Insufficient Logging: Not capturing important security events
- Poor Log Quality: Logs that don't contain useful information
- No Monitoring: Lack of automated analysis and alerting
- Log Tampering: Inability to detect or prevent log modification
Types of Logging Failures
- Missing Security Events: Not logging authentication, authorization, or data access
- Inadequate Detail: Logs lack context needed for investigation
- No Centralization: Logs scattered across systems without aggregation
- Missing Alerts: No automated detection of suspicious patterns
Examples
1. No Alerts for Repeated Login Failures
Problem: Failed login attempts not monitored or alerted
Impact: Brute-force attacks go undetected
Example: 100+ failed logins from the same IP without notification
Related: This connects to Authentication Failures — without monitoring, weak authentication goes undetected.
2. No Audit Trail for Privilege Changes
Problem: Administrative actions not logged
Impact: Privilege escalation attacks go unnoticed
Example: User promoted to admin without logging who made the change
3. Missing Data Access Logs
Problem: No logging of sensitive data access
Impact: Data breaches go undetected
Example: Database queries for customer PII not logged
4. Inadequate Error Logging
Problem: Generic error messages without context
Impact: Security issues masked as application errors
Example: "Error 500" instead of "SQL injection attempt detected"
5. No Network Traffic Monitoring
Problem: Unusual network patterns not detected
Impact: Data exfiltration goes unnoticed
Example: Large data transfers to external IPs not monitored
Why It Matters
Detection is Critical for Response
- Early Warning: Logs provide first indication of security incidents
- Investigation: Detailed logs essential for forensic analysis
- Compliance: Many regulations require comprehensive logging
- Continuous Monitoring: Real-time detection of ongoing attacks
Business Impact
- Extended Breaches: Longer detection times mean more damage
- Compliance Violations: GDPR, PCI DSS, HIPAA require logging
- Legal Liability: Inadequate logging can affect legal proceedings
- Reputation Damage: Public disclosure of undetected breaches
How to Prevent It
1. Centralize Logs (ELK, Splunk)
```conf
# Example: ELK Stack configuration (Logstash pipeline, e.g. /etc/logstash/conf.d/security.conf)
input {
  beats {
    port => 5044   # Filebeat agents on each host forward their logs here
  }
}
filter {
  # Tag events that Filebeat labelled as security logs so they are easy to search and alert on
  if [fields][log_type] == "security" {
    mutate {
      add_tag => ["security"]
    }
  }
}
output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
  }
}
```
2. Monitor Authentication Events
```javascript
// Example: Authentication logging
const winston = require('winston');

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.combine(
    winston.format.timestamp(), // adds an ISO-8601 "timestamp" field to every entry
    winston.format.json()       // one JSON object per line, easy for Filebeat/Logstash to parse
  ),
  transports: [
    new winston.transports.File({ filename: 'auth.log' })
  ]
});

// Log every attempt, successful or not; never include the password or session token
function logAuthenticationAttempt(userId, success, ip, userAgent) {
  logger.info('Authentication attempt', {
    userId,
    success,
    ip,
    userAgent
  });
}
```
3. Add Anomaly Detection
```python
# Example: Anomaly detection for login patterns
import pandas as pd
from sklearn.ensemble import IsolationForest


def detect_login_anomalies(login_data):
    # Features: hour of day, day of week, login country, device type
    features = ['hour', 'day_of_week', 'country_code', 'device_type']
    # IsolationForest needs numeric input, so one-hot encode the categorical columns
    X = pd.get_dummies(login_data[features], columns=['country_code', 'device_type'])
    model = IsolationForest(contamination=0.1, random_state=42)
    anomalies = model.fit_predict(X)  # -1 = outlier, 1 = inlier
    return login_data[anomalies == -1]
```
4. Implement Security Information and Event Management (SIEM)
```yaml
# Example: SIEM rule for suspicious activity
rule: "Multiple Failed Logins"
description: "Detect multiple failed login attempts"
condition: |
  event_type == "authentication_failure" AND
  count(event_type == "authentication_failure" BY user_id, ip_address) > 5
action: "alert_security_team"
```
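The rule above expressed as running detection logic, added here as an example and not part of the original post. It assumes JSON-lines input in the shape the winston logger from step 2 writes; the log lines, the 5-minute window and the alert format are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the JSON-lines shape the winston logger above emits
SAMPLE_LOG = """
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:01Z"}
{"level":"info","message":"Authentication attempt","userId":"bob","success":false,"ip":"198.51.100.2","timestamp":"2025-10-03T09:00:05Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:10Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:20Z"}
{"level":"info","message":"User created","userId":"dave","timestamp":"2025-10-03T09:00:25Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:30Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:40Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":false,"ip":"203.0.113.7","timestamp":"2025-10-03T09:00:50Z"}
{"level":"info","message":"Authentication attempt","userId":"alice","success":true,"ip":"203.0.113.7","timestamp":"2025-10-03T09:02:00Z"}
{"level":"info","message":"Authentication attempt","userId":"bob","success":false,"ip":"198.51.100.2","timestamp":"2025-10-03T10:30:00Z"}
"""

WINDOW = timedelta(minutes=5)   # sliding window per (user, source IP); constructed value
THRESHOLD = 5                   # the SIEM rule above: more than 5 failures in the window

def parse_events(text):
    """Yield log records with the ISO timestamp parsed into a datetime under 'ts'."""
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        yield event

def detect_failed_logins(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (userId, ip) burst that exceeds threshold failures within window."""
    recent = defaultdict(deque)  # (userId, ip) -> timestamps of failures still inside the window
    alerts = []
    for event in parse_events(log_text):
        if event.get("message") != "Authentication attempt" or event.get("success"):
            continue  # only failed authentication events feed the counter
        key = (event["userId"], event["ip"])
        window_hits = recent[key]
        window_hits.append(event["ts"])
        while window_hits and event["ts"] - window_hits[0] > window:
            window_hits.popleft()  # drop failures that have aged out of the window
        if len(window_hits) > threshold:
            alerts.append({"userId": key[0], "ip": key[1], "count": len(window_hits),
                           "last_seen": event["timestamp"]})
            window_hits.clear()  # one alert per burst rather than one per extra failure
    return alerts
```

Bob's two failures are 90 minutes apart and never accumulate, while alice's six failures inside 50 seconds produce exactly one alert; the same function works unchanged on a live `auth.log` tail.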
5. Log Sensitive Operations
```javascript
// Example: Sensitive operation logging
const winston = require('winston');

// Dedicated audit logger; in production ship this file to the central SIEM
const securityLogger = winston.createLogger({
  format: winston.format.json(),
  transports: [new winston.transports.File({ filename: 'security.log' })]
});

// Stand-in for the real notification path (pager, SIEM webhook, ticket)
function alertSecurityTeam(logEntry) {
  securityLogger.error({ ...logEntry, alert: true });
}

function logSensitiveOperation(operation, userId, resource, details) {
  const logEntry = {
    timestamp: new Date().toISOString(),
    operation,
    userId,
    resource,
    details,
    severity: 'HIGH',
    category: 'SENSITIVE_OPERATION'
  };
  securityLogger.info(logEntry);
  // Send alert for critical operations
  if (operation === 'DELETE_USER' || operation === 'GRANT_ADMIN') {
    alertSecurityTeam(logEntry);
  }
}
```
6. Protect Log Integrity
```bash
# Example: Log integrity protection
# Use log signing and tamper detection (run on rotated/archived logs; needs a gpg signing key)
gpg --armor --detach-sign /var/log/auth.log
gpg --verify /var/log/auth.log.asc /var/log/auth.log
# Use immutable log files (root only). +i blocks ALL writes, so apply it to archived
# logs after rotation; a live log needs the append-only attribute (+a) instead.
chattr +i /var/log/security.log
```
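Signing a whole file only proves its state at signing time. For a log that is still being written, a per-entry MAC chain detects modification and deletion of individual records, and an off-host copy of the latest MAC detects truncation. This is an added example, not part of the original post; the key, the GENESIS value and the three sample events are constructed for it.

```python
import hashlib
import hmac
import json

# Assumed: the key lives on the log collector or in a secret store, never on the host
# that writes the log; this constant is constructed for the example.
KEY = b"example-log-signing-key"
GENESIS = "0" * 64  # stands in for the previous MAC of the very first entry

def entry_mac(prev_mac, record, key):
    # Canonical JSON so the MAC does not depend on key order; the MAC also covers prev_mac
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

def append_entry(chain, record, key=KEY):
    """Append record; its MAC chains to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "mac": entry_mac(prev, record, key)})
    return chain

def verify_chain(chain, key=KEY, expected_tail=None):
    """Return (ok, index of the first broken entry, or -1 if intact). expected_tail is
    the last MAC as recorded off-host; comparing against it catches a truncated tail."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        good = entry["prev"] == prev and hmac.compare_digest(
            entry["mac"], entry_mac(prev, entry["record"], key))
        if not good:
            return False, i
        prev = entry["mac"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(chain)
    return True, -1

def build_sample_chain():
    # Constructed sample: three sensitive operations, as step 5 above would log them
    events = [
        {"ts": "2025-10-03T09:00:00Z", "operation": "LOGIN", "userId": "alice"},
        {"ts": "2025-10-03T09:05:00Z", "operation": "GRANT_ADMIN", "userId": "alice", "target": "bob"},
        {"ts": "2025-10-03T09:06:00Z", "operation": "DELETE_USER", "userId": "bob", "target": "carol"},
    ]
    chain = []
    for ev in events:
        append_entry(chain, ev)
    return chain
```

Rewriting the `userId` of the GRANT_ADMIN entry, or removing that entry, breaks verification at index 1; dropping the newest entry is only caught when `expected_tail` is supplied from the off-host copy.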
7. Regular Log Review and Analysis
- Automated Analysis: Use machine learning for pattern detection
- Manual Review: Regular human review of security logs
- Trend Analysis: Identify patterns over time
- Incident Correlation: Connect related security events
Tools
- ELK Stack: Elasticsearch, Logstash, Kibana for log management
- Splunk: Enterprise security information and event management
- Winston: Node.js logging library
- Log4j: Java logging framework
- Rafter: Security scanning and monitoring
- OSSEC: Open-source host-based intrusion detection
Conclusion
If you can't see it, you can't stop it. Implement comprehensive logging, centralized monitoring, and automated alerting to detect security incidents quickly.
Next Steps:
- Audit your current logging and monitoring setup
- Implement centralized logging and SIEM
- Set up automated security alerts
- Run a Rafter scan to identify logging gaps in your application