ADR 007: Centralised Security Logging
Status: Accepted | Date: 2025-02-25
Context
Security logs should be collected centrally to support monitoring, detection, and response across workloads. Logging of sensitive information must be minimised to comply with data protection regulations and to reduce the impact of a breach of the log store itself. Audit and authentication logs are critical for security monitoring and should be collected by default.
References:
- Open Web Application Security Project (OWASP) Logging Cheat Sheet
- Australian Cyber Security Centre (ACSC) Guidelines for system monitoring
- DGOV Technical Baseline for Detection Coverage (MITRE ATT&CK)
Decision
Use centralised logging based on Microsoft Sentinel and Amazon CloudWatch.
Configuration:
- Configure default collection for audit and authentication logs to simplify security investigations.
- Container workloads should enable Container Insights with enhanced observability and EKS control plane logging for audit and authentication logs by default.
- Configure logging to avoid capturing and exposing Personally Identifiable Information (PII).
Operations:
- Review and update logging configurations regularly to ensure coverage and privacy requirements are met.
- Extract and archive log information used during investigations to an appropriate location (in alignment with record keeping requirements).
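As an added example (not part of this ADR or the project's own tooling), the following Python implements two of the controls above: a check that the EKS control plane log types required by default are actually enabled, which can be run during the regular configuration review, and a PII-redacting log filter attached to the handler that forwards records to the central store. The `describe-cluster` sample is constructed, and the PII patterns are assumptions to be tuned per workload.

```python
import json
import logging
import re

# Control-plane log types the ADR requires by default (EKS also exposes api,
# controllerManager and scheduler; only these two are mandatory here).
REQUIRED_EKS_LOG_TYPES = {"audit", "authenticator"}


def missing_eks_log_types(describe_cluster_json: str) -> set:
    """Return required log types not enabled in `aws eks describe-cluster` output."""
    cluster = json.loads(describe_cluster_json)["cluster"]
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return REQUIRED_EKS_LOG_TYPES - enabled


# Assumed PII patterns; the placeholders keep the message useful for an
# investigation without the central store ever holding the value itself.
PII_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"), "<email>"),
    (re.compile(r"\b\d{9,16}\b"), "<number>"),  # phone, account or card numbers
]


def redact(message: str) -> str:
    """Replace PII matches with placeholders before the record leaves the host."""
    for pattern, label in PII_PATTERNS:
        message = pattern.sub(label, message)
    return message


class PIIRedactingFilter(logging.Filter):
    """Attach to the forwarding handler so every record is redacted on the way
    out, whatever the application chose to log."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), ()
        return True


# Constructed sample of describe-cluster output: audit enabled, authenticator not.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({"cluster": {"name": "example", "logging": {
    "clusterLogging": [{"types": ["audit"], "enabled": True},
                       {"types": ["api", "authenticator"], "enabled": False}]}}})

if __name__ == "__main__":
    print("missing log types:", missing_eks_log_types(SAMPLE_DESCRIBE_CLUSTER))
    handler = logging.StreamHandler()
    handler.addFilter(PIIRedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.getLogger("shipper").info("login failed for %s card 4111111111111111", "jane@example.com")
```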
Consequences
Benefits:
- Faster incident detection and response
- Simplified compliance with data protection regulations
- Centralised security log management reduces operational overhead
Risks if not implemented:
- Delayed security incident detection from decentralised logs
- Sensitive information exposure leading to data breaches
- Incomplete audit trails hindering forensic investigations