ADR 007: Centralised Security Logging
Status: Accepted | Date: 2025-02-25
Context
Security logs should be centrally collected to support monitoring, detection, and response capabilities across workloads. Logging of sensitive information must be minimised to comply with data protection regulations and to reduce the impact of a data breach. Audit and authentication logs are critical for security monitoring and should be collected by default.
- Open Web Application Security Project (OWASP) Logging Cheat Sheet
- Australian Cyber Security Centre (ACSC) Guidelines for system monitoring
- DGOV Technical Baseline for Detection Coverage (MITRE ATT&CK)
Decision
Use centralised logging with Microsoft Sentinel and Amazon CloudWatch.
- Configure default collection for audit and authentication logs to simplify security investigations.
- Container workloads should enable Container Insights with enhanced observability, and EKS control plane logging of audit and authentication logs, by default.
- Logging should be configured to avoid capturing and exposing Personally Identifiable Information (PII).
- Review and update logging configurations to ensure coverage and privacy requirements are met.
- Log information used during an investigation should be extracted and archived to an appropriate location (in line with record-keeping requirements).
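Two of the decisions above are checkable in code: that EKS control plane audit and authentication logging is actually enabled, and that PII is stripped before a log record reaches a handler that ships it to Sentinel or CloudWatch. The following is an added example written for this ADR, not code from the ADR's authors or from AWS or Microsoft. It assumes the cluster description has the same shape as the `logging.clusterLogging` list returned by EKS `describe-cluster` (where the authentication log type is named `authenticator`), and the sample cluster dicts, regexes, logger name and function names are constructed for illustration.

```python
import logging
import re
from io import StringIO

# EKS control plane log types this ADR requires to be enabled by default.
# EKS names the authentication log stream "authenticator".
REQUIRED_LOG_TYPES = {"audit", "authenticator"}


def missing_control_plane_logs(cluster: dict) -> set:
    """Return the required EKS control-plane log types that are NOT enabled.

    `cluster` is expected to look like the "cluster" object from describe-cluster:
    cluster -> logging -> clusterLogging -> [{"types": [...], "enabled": bool}, ...]
    """
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return REQUIRED_LOG_TYPES - enabled


# Illustrative PII patterns; extend for the data types your workloads handle.
PII_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED_EMAIL]"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[REDACTED_CARD]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED_SSN]"),
]


def redact(text: str) -> str:
    """Replace every PII match in `text` with its placeholder."""
    for pattern, replacement in PII_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Rewrite the record's message and args so PII never reaches a handler.

    Attached to the logger (not a handler) so it runs before any handler,
    including one that forwards to a central collector, sees the record.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if record.args:
            if isinstance(record.args, dict):
                record.args = {k: redact(str(v)) for k, v in record.args.items()}
            else:
                record.args = tuple(redact(str(a)) for a in record.args)
        return True  # keep the record, just sanitised


def log_with_redaction(message: str, *args) -> str:
    """Emit one record through the filter and return the line a handler would ship."""
    logger = logging.getLogger("adr007.demo")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PIIRedactingFilter())
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample cluster descriptions (not real clusters).
SAMPLE_COMPLIANT = {
    "name": "example-cluster",
    "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True},
    ]},
}
SAMPLE_NONCOMPLIANT = {
    "name": "example-cluster",
    "logging": {"clusterLogging": [
        {"types": ["audit"], "enabled": True},
        {"types": ["authenticator"], "enabled": False},
    ]},
}

if __name__ == "__main__":
    print("compliant cluster missing:", missing_control_plane_logs(SAMPLE_COMPLIANT))
    print("non-compliant cluster missing:", missing_control_plane_logs(SAMPLE_NONCOMPLIANT))
    print(log_with_redaction("login failed for %s using card %s",
                             "alice@example.com", "4111 1111 1111 1111"))
```

In practice `missing_control_plane_logs` would be fed the output of `aws eks describe-cluster` as part of a periodic configuration review (the third bullet above), and the filter would be attached to the application's root logger so that every handler, including the one shipping to CloudWatch or Sentinel, only ever sees sanitised records.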
Consequences
Risks of not implementing:
- Decentralized logs may lead to delayed detection and response to security incidents.
- Increased risk of sensitive information exposure leading to potential data breaches and non-compliance with regulations.
- Incomplete audit trails may hinder forensic investigations and compliance audits.
Benefits:
- Improved incident detection and response times.
- Simplified compliance with data protection regulations.
- Centralized management of security logs, reducing operational overhead.