# Security Logging and Monitoring Failures (A09:2021)

This category covers the ability to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.

## Overview

Previously named Insufficient Logging & Monitoring. The category has been expanded to include more types of failures; it is challenging to test for and is not well represented in CVE/CVSS data.

## How Attackers Exploit This

### Undetected breach

Without proper logging, attackers can operate undetected for extended periods, exfiltrating data gradually.

**Detection signal:** This is the problem itself: without logging, there is no indicator.

### Log tampering

Attackers with access modify or delete logs to cover their tracks.

**Detection signal:** Gaps in log sequences, modified timestamps, missing entries.

## How to Prevent

- Log all login, access control, and server-side input validation failures
- Ensure logs are in a format easily consumed by log management solutions
- Ensure log data is encoded correctly to prevent injection attacks
- Ensure high-value transactions have an audit trail with integrity controls
- Establish effective monitoring and alerting for suspicious activities
- Establish an incident response and recovery plan

## CWEs with Detection Rules (3)

- **CWE-117**: Improper Output Neutralization for Logs (4 rules) [go, javascript, typescript, python]
- **CWE-532**: Insertion of Sensitive Information into Log File (3 rules) [go, javascript, typescript, python]
- **CWE-778**: Insufficient Logging (3 rules) [javascript, typescript, python]

## Other Mapped CWEs (2)

- CWE-223: Omission of Security-relevant Information
- CWE-779: Logging of Excessive Data

## Quick Reference

- Total CWEs: 5
- With Shoulder rules: 3
- Detection rules: 10
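The following is an added example, not code from the page or from Shoulder, showing how the "encode log data correctly" and "format consumable by log management" items above can be met in one small structured audit logger that also addresses CWE-117 and CWE-532. The sensitive-key set, the card-number pattern and the sample inputs are assumptions constructed for the demonstration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed example: a structured audit logger for two CWEs mapped on this page.
# CWE-117: untrusted values are neutralized so a crafted field cannot forge or
# split log records. CWE-532: fields known to carry secrets are never written,
# and values that look like card numbers are masked before logging.

_SENSITIVE_KEYS = {"password", "passwd", "token", "authorization", "cookie", "secret"}
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes \r and \n
_CARD_LIKE = re.compile(r"\b\d{13,19}\b")          # crude PAN detector (assumed pattern)


def neutralize(value):
    """Make a user-controlled string safe for a single log record (CWE-117).
    Control characters are escaped, not stripped, so the record still shows
    that an injection was attempted."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def redact(key, value):
    """Drop or mask sensitive material before it reaches the log (CWE-532)."""
    if key.lower() in _SENSITIVE_KEYS:
        return "[REDACTED]"
    return _CARD_LIKE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], str(value))


def audit_record(event, outcome, **fields):
    """Build one JSON audit line, easy for log management tools to parse.
    Each value is redacted, then neutralized; json.dumps escapes anything left,
    so one call always yields exactly one line. The neutralize step also keeps
    the same fields safe if they are later sent to a plain-text sink."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "outcome": outcome,
    }
    for key, value in fields.items():
        record[neutralize(key)] = neutralize(redact(key, value))
    return json.dumps(record, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed inputs: a username carrying a CRLF injection attempt and a
    # request whose submitted password would otherwise land in the log.
    print(audit_record("login", "failure",
                       user="bob\r\nlogin success for admin",
                       src_ip="203.0.113.5", password="hunter2",
                       card="4111111111111111"))
```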