graphgrc

Logging and Monitoring Standard

Requirements for security logging, monitoring, and alerting.

Scope

All production systems, applications, infrastructure, and SaaS applications.

Log Requirements

What to Log

Application logs:

• Authentication events (login, logout, failed attempts)
• Authorization decisions (access granted/denied)
• Data access (read/write Confidential data)
• Configuration changes
• Error conditions and exceptions

Infrastructure logs:

• AWS CloudTrail (API calls)
• VPC Flow Logs (network traffic)
• Load balancer access logs
• DNS query logs
• Firewall/WAF logs

SaaS audit logs:

• User provisioning/deprovisioning
• Permission changes
• Admin actions
• Data export/download events

What NOT to Log

• Passwords, API keys, secrets, tokens
• Full credit card numbers, SSNs
• Customer PII unless necessary for audit (hash/redact)

Log Format

• Structured logging (JSON preferred)
• Required fields: timestamp (UTC), user/actor, action, resource, result (success/failure), source IP
• Include request/correlation ID for distributed tracing

Log Storage

Centralization

• All logs forwarded to centralized logging system (AWS CloudWatch, Datadog, Splunk)
• Real-time or near-real-time ingestion (< 5 minute delay)
• Separate log storage from source systems (immutability)

Retention

• Security logs: 1 year minimum (2 years for SOC 2)
• Audit logs (access to Confidential data): 2 years
• Infrastructure logs: 90 days
• Application logs (non-security): 30 days

Protection

• Logs encrypted at rest and in transit
• Access to logs restricted to security team, SRE, and authorized engineers
• Log tampering detection (integrity checking)

Monitoring and Alerting

Critical Security Events (Page immediately)

• Root account login (AWS)
• MFA disabled on privileged account
• Security group allows 0.0.0.0/0 on sensitive ports (RDP, SSH)
• IAM policy changes affecting production
• GuardDuty High/Critical findings
• Multiple failed authentication attempts (brute force)
• Unauthorized data access or export

Important Security Events (Alert in Slack)

• New user provisioned with admin privileges
• CloudTrail disabled
• S3 bucket made public
• Certificate expiring in < 30 days
• Vulnerability scanner findings (Critical/High)

Monitoring Coverage

• Infrastructure availability (uptime)
• Application performance (latency, errors)
• Security metrics (failed logins, policy violations)
• Compliance metrics (encryption enabled, patches applied)

Log Analysis

• Weekly review of security logs by security team
• Automated anomaly detection where possible
• Quarterly log review for compliance audit preparation

References

• Related controls: INF-03, OPS-03
• Related process: incident-response-process.md
• OWASP Logging Cheat Sheet

Control Mapping

• INF-03: Logging & Monitoring ^[CloudWatch centralized logging, 2-year audit log retention, GuardDuty alerts for critical events]
• OPS-03: Incident Response ^[Security event monitoring for detection, log collection for investigation]
• ACC-03: Access Reviews ^[Audit logs track authentication and authorization events for quarterly reviews]
• ACC-04: Privileged Access Management ^[CloudTrail logs all admin API calls, alerts on root account login and IAM policy changes]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.