LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

What does OWASP A10 (Insufficient Logging & Monitoring) look like, and what should be done about it?

Critical events aren't logged, logs aren't centralised, logs aren't protected, and nobody actually looks at them. Fix: log all critical events, centralise, alert on anomalies, review regularly.

Typical failures:

  • Important events (logins, failed logins, credential changes, transactions) aren't logged at all.
  • Errors generate no clear log message — debugging an incident is impossible.
  • No central log system — each box has its own logs, no correlation across machines.
  • Logs not protected — attackers can modify or delete them to cover their tracks.
  • Logs never reviewed — they accumulate but no one looks.
  • Suspicious events trigger no alarm — the SIEM is muted or never alerts.

Counter-measures:

  • Log all critical events in a structured, queryable way (Login attempts, privilege changes, sensitive data access, admin actions).
  • Use a central log system with append-only storage (SIEM, ELK, Splunk).
  • Automated alerting on anomalous patterns (sudden burst of failed logins, unusual times, geographic anomalies).
  • Regular human review of logs — even with alerting, periodic eyes-on prevents drift.

Why this is a top-10 OWASP issue: logging itself doesn't prevent attacks, but it makes incidents detectable and forensically reconstructible. Without good logs, you can be breached for months and have no idea.

From Quiz: ISF / Access Control | Updated: Jun 25, 2026