{
    "slug": "insufficient_logging",
    "term": "Insufficient Logging & Monitoring",
    "category": "security",
    "difficulty": "beginner",
    "short": "Failing to log security events and to monitor those logs lets attacks go undetected and unaddressed.",
    "long": "Without adequate logging of authentication attempts, access control failures, input validation errors, and administrative actions, attackers can operate undetected for extended periods — the industry average time to detect a breach is over 200 days. Effective security logging must be tamper-resistant, centralised, include timestamps and user context, and be actively monitored with alerts for anomalous patterns. In PHP, use a structured logging library such as Monolog and ship logs to a separate SIEM rather than writing to local files.",
    "aliases": [
        "missing logging",
        "inadequate monitoring",
        "no audit trail"
    ],
    "tags": [
        "owasp-top10",
        "monitoring",
        "incident-response"
    ],
    "misconception": "Logging only matters after a breach occurs. In reality, insufficient logging means breaches go undetected for months — logs are the primary mechanism for both real-time detection and forensic investigation.",
    "why_it_matters": "Good logs are your eyes during an incident — without structured, contextual logging you are debugging in the dark. Bad logs (too verbose, too sparse, or unstructured) are as useless as no logs at all.",
    "common_mistakes": [
        "Logging everything at DEBUG level in production — log volume makes finding signal impossible and inflates costs.",
        "Not including context (user ID, request ID, correlation ID) — a log line without context cannot be traced to a cause.",
        "Building log lines by string concatenation instead of using structured logging — only machine-readable logs can drive alerting and dashboards.",
        "Logging sensitive data (passwords, tokens, PII) — logs are often stored less securely than databases."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "sensitive_data_exposure",
        "incident_response"
    ],
    "prerequisites": [
        "structured_logging",
        "observability",
        "security_by_design"
    ],
    "refs": [
        "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/",
        "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html"
    ],
    "bad_code": "// Silent failure — no trace of what happened\npublic function login(string \\$email, string \\$password): ?User {\n    \\$user = User::where('email', \\$email)->first();\n    if (!\\$user || !password_verify(\\$password, \\$user->password)) {\n        return null; // attacker can try forever undetected\n    }\n    return \\$user;\n}",
    "good_code": "public function login(string \\$email, string \\$password): ?User {\n    \\$user = User::where('email', \\$email)->first();\n    if (!\\$user || !password_verify(\\$password, \\$user->password)) {\n        \\$this->logger->warning('Failed login attempt', [\n            'email' => \\$email,\n            'ip'    => request()->ip(),\n            'ua'    => request()->userAgent(),\n        ]);\n        return null;\n    }\n    \\$this->logger->info('User logged in', ['user_id' => \\$user->id, 'ip' => request()->ip()]);\n    return \\$user;\n}",
    "quick_fix": "Log authentication events (login success/fail, password reset, MFA), all access control failures, and all input validation failures — these are exactly the events you need to detect and investigate a breach. Record who, when, and from where, but never the submitted credential itself.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-13",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/insufficient_logging",
        "html_url": "https://codeclaritylab.com/glossary/insufficient_logging",
        "json_url": "https://codeclaritylab.com/glossary/insufficient_logging.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Insufficient Logging & Monitoring](https://codeclaritylab.com/glossary/insufficient_logging) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/insufficient_logging"
            }
        }
    }
}