Logs are shipped to a centralized logging system so that they are protected against unauthorized modification on the originating host.
Risk: Locally stored system logs can be manipulated by an attacker who gains access to the host, or may be corrupted or lost after an incident. In addition, aggregating logs across systems is hard.
Implement logging of security-relevant events. The following events tend to be security relevant:
Risk: Without a record of security-relevant events it is harder to analyze an incident. With proper security event logging, incident analysis takes significantly less time, so that an attack can be stopped before the attacker reaches their goal.
Logs are visualized in an easy-to-use real-time monitoring system. The GUI makes it possible to search for specific attributes in the logs.
Risk: System and application logs are not visualized properly, which leads to no or very limited log review. Developers in particular may have difficulty reading application logs with unsuitable tools such as the Linux tool 'cat'.
A centralized logging system is used and application logs (including application exceptions) are shipped to it.
Risk: Locally stored logs can be manipulated by attackers with system access or may be corrupted after an incident. In addition, correlating logs across systems is hard. As a result, attacks can be carried out silently.
Events are correlated on one system, for example the correlation and visualization of failed login attempts combined with successful login attempts.
Risk: Security-related events whose indicators are spread across different systems, tools or metrics cannot be detected.
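The correlation described above, as an added example that is not part of the original page: failed and successful logins from several hosts are fed into one place, and a successful login that follows a burst of failures from the same source address is flagged. The log lines are constructed sample data in an sshd-like format, and the threshold and time window are arbitrary assumptions; a real deployment would tune both.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format from two hosts (not real
# captured logs). The first source address fails four times across host-a
# and host-b and then succeeds; the second fails once, long before it succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host-a sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:04Z host-a sshd[102]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:09Z host-b sshd[205]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:15Z host-b sshd[206]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:21Z host-b sshd[207]: Accepted password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T10:05:00Z host-a sshd[110]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-03-01T10:30:00Z host-a sshd[111]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
some unrelated line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_brute_force_successes(lines, threshold=3, window=timedelta(minutes=10)):
    """Correlate failed and successful logins per source IP across all hosts.

    Emits one alert for every successful login that was preceded, within
    `window`, by at least `threshold` failures from the same IP. Failures on
    different hosts count together, which is the point of central correlation.
    """
    failures = defaultdict(deque)  # ip -> deque of (timestamp, host) failures
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        # Expire failures older than the correlation window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append((ts, ev["host"]))
            continue
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "host": ev["host"],
                "ts": ts.isoformat(),
                "failures": len(recent),
                "hosts": sorted({h for _, h in recent}),
            })
        recent.clear()  # a success ends the attempt sequence
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_successes(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run on the sample, the single alert names 203.0.113.7 with four failures spread over host-a and host-b before the successful login as alice; looking at either host's log alone would show at most two failures and never trigger.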
A concept for how to log PII is documented and applied.
Risk: Personally identifiable information (PII) is logged and privacy law (e.g. the General Data Protection Regulation) is not followed.
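One way to put such a concept into practice, covering both the security event logging requirement above and the PII requirement, as an added example that is not part of the original page: security events are emitted as structured JSON lines, and a logging filter replaces PII fields and e-mail addresses in free text with keyed HMAC pseudonyms before the record reaches any output. The field names treated as PII and the pseudonymization key are assumptions for the example; the key would come from a secret store, not from source code.

```python
import hashlib
import hmac
import io
import json
import logging
import re

# Assumption: a per-deployment secret that lives outside the log pipeline, so
# that pseudonyms in the logs cannot be reversed by someone who only has the
# logs. In production this comes from a secret store, not from source code.
PSEUDONYM_KEY = b"replace-with-a-secret-from-your-vault"

# Hypothetical event field names that this application treats as PII.
PII_FIELDS = {"email", "username", "client_ip"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym: same input -> same token, so events about
    one person can still be correlated, but the raw value is never stored."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class PiiFilter(logging.Filter):
    """Replace PII in structured event fields and in free-text messages
    before the record reaches the handler's output."""

    def filter(self, record):
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            record.event = {
                k: (pseudonymize(v) if k in PII_FIELDS else v) for k, v in event.items()
            }
        # Catch e-mail addresses that slipped into the message text itself.
        record.msg = EMAIL_RE.sub(lambda m: "email:" + pseudonymize(m.group(0)), str(record.msg))
        return True


class JsonFormatter(logging.Formatter):
    """One JSON object per line: easy to ship to and search in a central system."""

    def format(self, record):
        payload = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            payload.update(event)
        return json.dumps(payload, sort_keys=True)


def build_security_logger(stream):
    """Logger whose handler writes filtered JSON lines to `stream`. In production
    the StreamHandler would be replaced by, or duplicated with, a handler that
    ships to the central logging system."""
    logger = logging.Logger("security")  # standalone instance, not the global registry
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PiiFilter())
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def emit_sample_events():
    """Constructed sample: two failed and one successful login for one account.
    Returns the parsed JSON lines so the result can be inspected or tested."""
    buf = io.StringIO()
    log = build_security_logger(buf)
    for outcome in ("failure", "failure", "success"):
        log.warning(
            "login %s for alice@example.org",
            outcome,
            extra={"event": {"action": "login", "outcome": outcome,
                             "email": "alice@example.org", "client_ip": "203.0.113.7"}},
        )
    return [json.loads(line) for line in buf.getvalue().splitlines()]


if __name__ == "__main__":
    for ev in emit_sample_events():
        print(ev)
```

The keyed pseudonym, rather than plain redaction, is the design choice worth noting: all three events carry the same token for the account, so an analyst can still see that two failures and a success belong together, while the e-mail address and client IP never reach the log store. Rotating the key breaks linkage with older logs, which is a retention decision the documented concept has to make explicit.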