Industry breach surveys put the average time to detect a breach at 207 days. Without quality logging, an attacker who gets in can operate inside the environment for that long without anyone noticing, and without a record to reconstruct what happened afterwards.
What to Log¶
- Authentication events (successful logins, failed logins, logouts, password resets)
- Authorization failures (HTTP 403, any denied access to a resource or action)
- Permission and role changes (who granted what to whom)
- Access to sensitive data (who read or exported which records, and when)
- System configuration changes (settings, feature flags, integrations, keys rotated)
Log the event and the context needed to investigate it: timestamp, actor, source IP, target resource and outcome. Never log the secret itself: passwords (including the wrong ones typed into a login form), session tokens, API keys or full card numbers do not belong in a log.
Structured Logging¶
```python
import structlog

log = structlog.get_logger()

# Inside the login handler: a stable event name plus key=value context fields.
# `username` and `request` come from the surrounding web framework handler.
log.warning("auth.failed_login", username=username, ip=request.remote_addr, reason="invalid_password")
```

Use a stable, dotted event name (`auth.failed_login`) rather than free text so the same event is always queryable the same way, and render to JSON (structlog's `JSONRenderer`) so the pipeline can index the fields instead of parsing a message string. Two caveats: `request.remote_addr` is the proxy's address when the app sits behind a load balancer, so resolve the client IP from forwarded headers only for proxies you trust; and log the username that was attempted, never the password that was attempted.
OWASP Top 10: Security Logging and Monitoring Failures¶
This page covers category A09:2021 of the OWASP Top 10, Security Logging and Monitoring Failures: security-relevant events that are not logged, logged without enough context, kept only locally, or never monitored, so that attacks and breaches are not detected.
Alerting Rules¶
```yaml
alerts:
  - name: brute_force_detected
    condition: "count(failed_login) > 10 in 5m WHERE same ip"
    severity: high
    action: block_ip + notify_security
```

The rule syntax above is illustrative; express it in whatever your alerting engine uses (Kibana detection rules, the Loki ruler, a Sigma rule, and so on). Two caveats before wiring `block_ip` to an automatic action: the IP must be the real client address (see the proxy note above), and many legitimate users can share one IP behind corporate NAT or carrier-grade NAT, so an automatic block can turn a brute-force attempt into a denial of service. Also note that grouping only by IP misses password spraying spread across many IPs; a companion rule keyed on the target username catches that case.
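The following is an added worked example, not code from the original page: the brute-force rule above applied to the structured `auth.failed_login` events from the Structured Logging section. It assumes the events were rendered as JSON lines with a `timestamp` field (as a structlog `TimeStamper` processor would add) and the `event`, `ip` and `username` fields from the snippet. The sample log lines are constructed for the example. It goes a little beyond the page's one-line rule: the window slides (a slow attacker spread over many minutes does not trip it), an IP alerts only once so one attack does not become an alert storm, and the alert lists the usernames targeted, which separates single-account guessing from spraying.

```python
"""Brute-force detection over structured auth logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # the rule's "count(failed_login) > 10"
WINDOW = timedelta(minutes=5)  # the rule's "in 5m"


def detect_brute_force(log_lines, threshold=THRESHOLD, window=WINDOW):
    """Apply 'count(failed_login) > threshold in window WHERE same ip'.

    log_lines: JSON log lines in time order, one event per line.
    Returns one alert per offending IP, raised on the failure that crosses
    the threshold. Later failures from an IP that already alerted are
    ignored so one attack does not turn into an alert storm.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, username) inside the window
    alerted = set()
    alerts = []
    for raw in log_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the detector
        if event.get("event") != "auth.failed_login":
            continue
        ip = event.get("ip", "unknown")
        ts = datetime.fromisoformat(event["timestamp"])
        window_events = recent[ip]
        window_events.append((ts, event.get("username")))
        # Sliding window: drop failures older than `window` relative to this one.
        while ts - window_events[0][0] > window:
            window_events.popleft()
        if len(window_events) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "name": "brute_force_detected",
                "severity": "high",
                "ip": ip,
                "count": len(window_events),
                "first_seen": window_events[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                # one username = password guessing; many = spraying/stuffing
                "usernames": sorted({u for _, u in window_events if u}),
            })
    return alerts


# --- Constructed sample log, not real traffic --------------------------------
# Shape matches what structlog's JSONRenderer would emit for the
# auth.failed_login event above, with a TimeStamper adding "timestamp".
BASE = datetime(2024, 5, 1, 12, 0, 0)
_events = []
# 203.0.113.7: 11 failures 20 s apart (3m20s in total) -> crosses "> 10 in 5m"
for i in range(11):
    _events.append({"timestamp": BASE + timedelta(seconds=20 * i), "level": "warning",
                    "event": "auth.failed_login", "username": "admin",
                    "ip": "203.0.113.7", "reason": "invalid_password"})
# 198.51.100.9: 11 failures one minute apart -> never more than 6 in any 5m window
for i in range(11):
    _events.append({"timestamp": BASE + timedelta(minutes=i), "level": "warning",
                    "event": "auth.failed_login", "username": f"user{i}",
                    "ip": "198.51.100.9", "reason": "invalid_password"})
# A successful login: not a failure, so the rule ignores it
_events.append({"timestamp": BASE + timedelta(minutes=1), "level": "info",
                "event": "auth.login", "username": "alice", "ip": "192.0.2.4"})

SAMPLE_LOG_LINES = [
    json.dumps({**e, "timestamp": e["timestamp"].isoformat()})
    for e in sorted(_events, key=lambda e: e["timestamp"])
] + ["not json at all"]  # a corrupted line the detector must survive

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

Running it yields a single alert for 203.0.113.7 with 11 failures against `admin`; the slow attacker from 198.51.100.9 stays under the rule as written and only shows up if the threshold is lowered, which is exactly the trade-off to tune against your real false-positive rate.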
Log Pipeline¶
Application → Fluentd/Vector → Elasticsearch/Loki → Grafana/Kibana → Alerting
- Centralize logs: never keep them only on local disk, where an attacker who owns the host can edit or delete them, and ship them off the host as soon as they are written
- Protect against tampering: append-only or write-once storage on the central store, with delete and update permissions restricted to a small break-glass role that the application itself never holds
- Retention of at least 90 days, so that a breach discovered months later can still be reconstructed; keep longer where regulation or your incident history requires it
- Regularly test alerting end to end: generate a known-bad event (for example a burst of failed logins against a test account) and confirm the alert fires and reaches a person
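One way to make the "protect against tampering" bullet concrete, as an added example that is not code from the original page: a hash-chained, append-only log in which every entry commits to its predecessor, so editing, deleting or inserting an entry breaks the chain. The example is self-contained and in-memory; the records are constructed. The important caveat it demonstrates is that a chain on its own is not enough: an attacker with write access can edit an entry and simply rebuild every later hash, which passes verification unless the chain head has been anchored somewhere the attacker cannot reach (here a value assumed to have been shipped to the central log server). Production systems get the same property from WORM or object-lock storage plus the log store's own integrity features; this shows why the remote anchor matters.

```python
"""Tamper-evident log via a hash chain with an externally anchored head (added example)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" before the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always produces the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain, record):
    """Append a record linked to the current head. Mutates and returns chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": _entry_hash(prev, record)})
    return chain


def verify(chain, anchor=None):
    """Recompute every link. Returns (True, None) if intact, else (False, reason).

    anchor: the chain head as recorded by an external party (assumed here to be
    the central log server). Without it, a rechained log looks intact.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"entry {i}: broken link"
        if entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, f"entry {i}: modified"
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, "head does not match anchor"
    return True, None


def rechain(chain):
    """What an attacker with write access does after editing an entry:
    rebuild every hash so the chain is self-consistent again."""
    rebuilt = []
    for entry in chain:
        append(rebuilt, entry["record"])
    return rebuilt


# Constructed sample records (not real events).
SAMPLE_RECORDS = [
    {"event": "auth.login", "username": "alice", "ip": "192.0.2.4"},
    {"event": "auth.failed_login", "username": "admin", "ip": "203.0.113.7"},
    {"event": "config.change", "actor": "admin", "setting": "mfa_required"},
]


def demo():
    """Build a chain, then show which attacks verification does and does not catch."""
    chain = []
    for rec in SAMPLE_RECORDS:
        append(chain, rec)
    anchor = chain[-1]["hash"]  # assumed shipped to the central log server at rotation
    results = {"intact": verify(chain, anchor)}

    edited = copy.deepcopy(chain)
    edited[1]["record"]["username"] = "nobody"  # attacker covers tracks
    results["edited"] = verify(edited, anchor)

    # Rechaining hides the edit from a local check, but not from the anchor.
    results["rechained_no_anchor"] = verify(rechain(edited))
    results["rechained_with_anchor"] = verify(rechain(edited), anchor)

    # Deleting the last entry keeps every link valid; only the anchor reveals it.
    results["truncated"] = verify(chain[:-1], anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `rechained_no_anchor` case is the one to remember: a hash chain verified only against itself tells you nothing once the writer is compromised. Ship the head (or the whole chain) to a system the application cannot write to, and verify against that copy.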
Key Takeaway¶
Log all security events in a structured format. Centralize, monitor, alert.