Security teams can’t respond to attacks they don’t detect. Yet logging and monitoring receive inadequate attention until investigations reveal that critical security events went unrecorded or unnoticed. Organisations discover during incident response that logs they expected to exist were never configured or already deleted. Comprehensive logging costs money and generates data that requires storage, analysis, and retention. These costs seem unnecessary until breaches reveal that missing logs prevent understanding what attackers did, when they did it, and what data they accessed.

    Critical Logging Failures

    Many organisations log successful authentications but not failed ones. That records expected behaviour whilst missing the signs of credential stuffing, password spraying and brute-force attacks, all of which show up as bursts of failures long before any success. For detection, logging failures matters more than logging success: a successful login is only suspicious in the context of the failures that preceded it, and without the failures that context is gone. Log retention periods also often prove too short for incident investigations. Sophisticated attackers operate slowly over months, and by the time an organisation detects a compromise the relevant logs have already rotated off. Insufficient retention turns logging from useful into worthless.

    Expert Commentary

    Name: William Fieldhouse

    Title: Director of Aardwolf Security Ltd

    Comments: “Incident response engagements frequently reveal logging gaps that prevent determining breach scope. Organisations can’t answer basic questions about what attackers accessed because relevant systems don’t log detailed activities or logs have already rotated off. This lack of visibility extends incident costs dramatically.”

    Building Effective Logging

    Identify what actually needs logging based on investigation requirements rather than logging everything indiscriminately. Focus on security-relevant events: authentication attempts (both outcomes), privilege escalations, data access, configuration changes, and system modifications, each recorded with who did it, from where, when, and whether it succeeded. These events enable investigation whilst keeping log volumes manageable. Centralise logs immediately rather than leaving them on source systems. Attackers routinely delete or edit local logs to cover their tracks, so events should leave the host as they are generated, not on a nightly batch, and the collector should accept writes from source systems without letting them read or delete what is already stored. Centralised logging of this kind places security events in protected storage that attackers can't easily modify, preserving evidence even when the source system is fully compromised.
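As an added example of the event selection described above (this is illustrative code written for this page, not the article's or any product's own implementation), the following Python wraps security-relevant application actions so that every call produces one structured event with its outcome, including calls that fail. The application functions, the credential and role tables, and the `ship_to_collector` stand-in (an in-memory list in place of a real forwarder to central storage) are all assumptions made so the example runs offline.

```python
"""Structured audit events for security-relevant application actions.

Added example, not code from the original article. It assumes a small web
application whose authentication and privilege changes should each produce
one JSON event carrying the outcome, so failures are recorded alongside
successes. `ship_to_collector` stands in for the forwarder that would move
events to central, append-only storage; here it writes to an in-memory list
so the example runs offline.
"""
import functools
import json
from datetime import datetime, timezone

CENTRAL_SINK = []                        # stand-in for the remote collector
REDACTED_FIELDS = {"password", "token"}  # never let secrets into the log


def ship_to_collector(event: dict) -> None:
    # One JSON object per line: easy to parse, index and search centrally.
    CENTRAL_SINK.append(json.dumps(event, sort_keys=True))


def audited(event_type: str):
    """Record every call, including ones that raise, with its outcome.

    The wrapped function must take `actor` and `source_ip` as its first two
    arguments; remaining keyword arguments are logged except for secrets.
    """
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(actor, source_ip, **kwargs):
            details = {k: v for k, v in kwargs.items() if k not in REDACTED_FIELDS}
            event = {
                "ts": datetime.now(timezone.utc).isoformat(),
                "event": event_type,
                "actor": actor,
                "src_ip": source_ip,
                "details": details,
            }
            try:
                result = fn(actor, source_ip, **kwargs)
            except Exception as exc:
                # The failure path is the one most often left unlogged.
                event.update(outcome="failure", reason=f"{type(exc).__name__}: {exc}")
                ship_to_collector(event)
                raise
            event["outcome"] = "success"
            ship_to_collector(event)
            return result
        return wrapper
    return decorator


# Constructed demo state; a real application would back these with a database.
CREDENTIALS = {"alice": "correct-horse", "admin": "battery-staple"}
ROLES = {"admin": {"administrator"}, "alice": set()}


@audited("auth.login")
def login(actor, source_ip, *, password):
    if CREDENTIALS.get(actor) != password:
        raise PermissionError("invalid credentials")
    return f"session-for-{actor}"


@audited("privilege.grant")
def grant_role(actor, source_ip, *, target, role):
    if "administrator" not in ROLES.get(actor, set()):
        raise PermissionError("caller is not an administrator")
    ROLES.setdefault(target, set()).add(role)
    return sorted(ROLES[target])


def outcomes() -> dict:
    """Count shipped events by (event type, outcome)."""
    counts = {}
    for line in CENTRAL_SINK:
        e = json.loads(line)
        key = (e["event"], e["outcome"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def demo() -> dict:
    """Two failed logins, one success, one refused and one granted role change."""
    CENTRAL_SINK.clear()
    for attempt in ("wrong", "also-wrong", "correct-horse"):
        try:
            login("alice", "203.0.113.7", password=attempt)
        except PermissionError:
            pass
    try:
        grant_role("alice", "203.0.113.7", target="alice", role="administrator")
    except PermissionError:
        pass
    grant_role("admin", "192.0.2.10", target="alice", role="auditor")
    return outcomes()


if __name__ == "__main__":
    print(demo())
    print("\n".join(CENTRAL_SINK))
```

The decorator re-raises after logging, so the application's own error handling is unchanged; the point is that the failure event is written before control leaves the function. Dropping `password` from the recorded details is deliberate: a central log that contains submitted passwords is itself a credential store, and a rejected password is frequently a valid one for another account.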

    Regular web application penetration testing should validate that security-relevant activities actually generate logs. Professional testing verifies that the logging configuration captures the attacks performed during the engagement, rather than assuming the configuration works as intended; a test that triggers a few hundred failed logins and finds nothing in the central log has found a real vulnerability even if every password held.

    Implement monitoring that actually alerts on important events. Logging without monitoring just creates data warehouses nobody examines until incidents force retrospective investigation. Automated alerting enables proactive response rather than forensic analysis.
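As an added example of the alerting this paragraph calls for, and of why the Critical Logging Failures section insists on logging failed authentications, the following Python runs detection logic over a handful of constructed sshd-style log lines (sample data written for this page, not a real capture, and not code from the article). It groups failures by source IP inside a sliding window, raises a brute-force alert when one account is hammered, a password-spray alert when many accounts are each tried once, and a higher-severity alert when a success follows either from the same source. The thresholds and window size are assumptions a real deployment would tune.

```python
"""Alert on password spraying and brute force from authentication logs.

Added example, not code from the original article. It parses constructed
sshd-style syslog lines (sample data, not a real capture), groups failed
logins by source IP inside a sliding window, and raises alerts for the two
patterns the text describes. Thresholds and the window size are assumptions
a real deployment would tune against its own baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd's "Failed/Accepted password for [invalid user] <user> from <ip>" format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_THRESHOLD = 5   # failures against one account from one IP
SPRAY_THRESHOLD = 4         # distinct accounts failed from one IP

# Constructed sample: a spray from 203.0.113.7, a brute force of root from
# 198.51.100.9 that eventually succeeds, and a legitimate typo from 192.0.2.10.
SAMPLE_LOG = """\
Mar 14 09:00:01 web1 sshd[4001]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 14 09:00:04 web1 sshd[4002]: Failed password for bob from 203.0.113.7 port 51001 ssh2
Mar 14 09:00:09 web1 sshd[4003]: Failed password for invalid user carol from 203.0.113.7 port 51002 ssh2
Mar 14 09:00:15 web1 sshd[4004]: Failed password for dave from 203.0.113.7 port 51003 ssh2
Mar 14 09:01:00 web1 sshd[4005]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar 14 09:01:02 web1 sshd[4006]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 14 09:01:03 web1 sshd[4007]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 14 09:01:05 web1 sshd[4008]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 14 09:01:07 web1 sshd[4009]: Failed password for root from 198.51.100.9 port 40004 ssh2
Mar 14 09:01:09 web1 sshd[4010]: Accepted password for root from 198.51.100.9 port 40005 ssh2
Mar 14 09:05:30 web1 sshd[4011]: Failed password for alice from 192.0.2.10 port 60000 ssh2
Mar 14 09:05:41 web1 sshd[4012]: Accepted password for alice from 192.0.2.10 port 60001 ssh2
"""


def parse(lines):
    """Turn raw lines into events; lines that are not auth events are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog carries no year; relative spacing is all the window needs
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events):
    """Return {(ip, kind): message} for every source that trips a rule."""
    alerts = {}
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures_by_ip[e["ip"]].append(e)

    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            per_user = Counter(e["user"] for e in window)
            user, hits = per_user.most_common(1)[0]
            if hits >= BRUTE_FORCE_THRESHOLD:
                alerts.setdefault((ip, "brute_force"),
                                  f"{hits} failures for {user} within {WINDOW}")
            if len(per_user) >= SPRAY_THRESHOLD:
                alerts.setdefault((ip, "password_spray"),
                                  f"{len(per_user)} accounts tried: {sorted(per_user)}")

    # A success from a source already flagged is the signal worth paging on.
    flagged = {ip for ip, _ in alerts}
    for e in events:
        if e["outcome"] == "success" and e["ip"] in flagged:
            alerts.setdefault((e["ip"], "success_after_attack"),
                              f"login as {e['user']} after failed attempts")
    return alerts


if __name__ == "__main__":
    for key, msg in sorted(detect(parse(SAMPLE_LOG.splitlines())).items()):
        print(key, msg)
    # With only successes retained, the same traffic produces no alerts at all.
    successes = [line for line in SAMPLE_LOG.splitlines() if "Accepted" in line]
    print("success-only feed:", detect(parse(successes)))
```

Run it and the brute force, the spray and the root login that followed the brute force are all reported; feed it the same traffic with the failures stripped out, as a success-only logging policy would, and it reports nothing, including the root compromise. The `success_after_attack` rule is the one to wire to a pager: it needs both failures and successes in the same store, which is the practical argument for centralising both.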

    Working with the best penetration testing company includes assessment of whether logging and monitoring would actually detect the attacks performed during testing.

    Logging and monitoring need to be treated as essential security capabilities rather than operational overhead. The visibility logs provide enables the detection, investigation, and response that make security programmes effective rather than theoretical.
