Quiz Entry - updated: 2026.06.25
What does OWASP A10 (Insufficient Logging & Monitoring) look like, and what should be done about it?
Critical events aren't logged, logs aren't centralised, logs aren't protected, and nobody actually looks at them. Fix: log all critical events, centralise, alert on anomalies, review regularly.
Typical failures:
- Important events (logins, failed logins, credential changes, transactions) aren't logged at all.
- Errors generate no clear log message — debugging an incident is impossible.
- No central log system — each box has its own logs, no correlation across machines.
- Logs not protected — attackers can modify or delete them to cover their tracks.
- Logs never reviewed — they accumulate but no one looks.
- Suspicious events trigger no alarm — the SIEM is muted or never alerts.
Counter-measures:
- Log all critical events in a structured, queryable way (Login attempts, privilege changes, sensitive data access, admin actions).
- Use a central log system with append-only storage (SIEM, ELK, Splunk).
- Automated alerting on anomalous patterns (sudden burst of failed logins, unusual times, geographic anomalies).
- Regular human review of logs — even with alerting, periodic eyes-on prevents drift.
Why this is a top-10 OWASP issue: logging itself doesn't prevent attacks, but it makes incidents detectable and forensically reconstructible. Without good logs, you can be breached for months and have no idea.