Security Related Log Events
The following is a brief list of security related events that applications should log:
- All login attempts, successful or unsuccessful
- Log outs
- Password changes
- Changes to a user's profile
- Password reset attempts
- User registration
- Authorization failures (when a user is denied access to a particular resource)
- Changes to access levels (when a user has a new access level granted or revoked)
- Significant input validation failures (such as unexpected values received from a dropdown list)
- System administration activity
- Integrity events (changes to data)
- Availability events (system startup and shutdown)
- Any other sensitive operations
What constitutes a sensitive operation will vary depending on the application. For example, a banking application should log account accesses and money transfers, while a file sharing application will need to log file uploads and downloads.
- UTC time and date
- event description
- outcome of event (success or failure)
- user information or technical account info
There are also data that explicitly should not be logged, like privacy sensitive data.
See also : [https://www.owasp.org/index.php/Logging_Cheat_Sheet OWASP Logging Cheat Sheet]
[https://cwe.mitre.org/data/definitions/778.html] [https://cwe.mitre.org/data/definitions/532.html] [https://cwe.mitre.org/data/definitions/779.html] [https://cwe.mitre.org/data/definitions/117.html] [https://cwe.mitre.org/data/definitions/534.html] [https://cwe.mitre.org/data/definitions/533.html]