In the world of distributed systems security, there is one axiom that stands above all others: you cannot protect what you cannot see. Security event logging is the discipline that provides this visibility—the systematic collection, storage, and organization of security-relevant events that enables detection, investigation, and response to threats.

When a security breach occurs, the first question asked is invariably: "What happened?" The quality of your security logging determines whether you can answer this question in minutes, hours, or never. Organizations with mature security logging practices can reconstruct attack timelines, identify compromised assets, determine data exposure, and establish the blast radius of incidents. Those without comprehensive logging are left fumbling in the dark, making educated guesses while attackers maintain persistence.

Beyond incident response, security event logging forms the foundation for proactive threat detection, compliance attestation, forensic investigation, and security analytics. It is the raw material from which security insights are derived. Without robust logging, advanced security capabilities like SIEM systems, user behavior analytics, and threat hunting become impossible.

Security event logging is fundamentally different from operational logging, although they share infrastructure. While operational logs focus on system health, performance, and debugging, security logs are specifically designed to capture events that have security relevance—actions that could indicate attacks, policy violations, or compliance-relevant activities.

The Core Purpose of Security Logging

Security event logging serves multiple critical functions:

1. Detection: Identifying ongoing attacks or policy violations in near real-time
2. Investigation: Reconstructing what happened during and after security incidents
3. Forensics: Providing evidence for legal proceedings or disciplinary action
4. Compliance: Demonstrating adherence to regulatory requirements
5. Threat Hunting: Enabling proactive searches for hidden threats
6. Risk Assessment: Understanding normal baselines to identify anomalies

Security vs. Operational Logging

Consider the difference in perspective between these two disciplines:

An operational log for a failed login might read:

[ERROR] Authentication failed for user jdoe - invalid password

A security log for the same event captures far more context:

{
  "timestamp": "2024-01-15T14:32:17.892Z",
  "event_type": "authentication.failure",
  "event_category": "authentication",
  "outcome": "failure",
  "reason": "invalid_password",
  "user": {
    "name": "jdoe",
    "domain": "corporate",
    "id": "usr_abc123"
  },
  "source": {
    "ip": "192.168.1.105",
    "geo": {"country": "US", "city": "Seattle"},
    "user_agent": "Mozilla/5.0..."
  },
  "target": {
    "application": "employee-portal",
    "resource": "/api/auth/login"
  },
  "authentication": {
    "method": "password",
    "mfa_required": true,
    "mfa_completed": false
  },
  "session": {
    "previous_failures": 2,
    "time_since_last_failure": "PT30S"
  }
}

The security log enables answering questions like:

• Is this a brute force attack? (check previous_failures, time patterns)
• Is this an unusual location for this user? (geo data)
• Is this happening at an unusual time? (timestamp analysis)
• Are multiple accounts targeted from this IP? (correlation by source.ip)

Determining what events to log is one of the most critical decisions in security architecture. Log too little, and you miss attacks. Log too much, and you drown in noise while incurring massive storage costs. The key is to identify events with security significance—those that indicate or could indicate security-relevant activity.

A comprehensive security event taxonomy covers several major categories:

Authentication Events - The First Line of Detection

Authentication events are often the most valuable security logs because they represent the boundary between anonymous and identified users. Every access to your system begins with authentication, making these events critical for detecting:

• Credential stuffing attacks: High volume of failures across many accounts from few sources
• Brute force attacks: Many failures for single accounts
• Password spraying: Few failures per account but across many accounts
• Account takeover: Successful login from unusual locations or devices
• Credential theft aftermath: Valid credentials used from attacker infrastructure

Authentication logs should capture:

Authorization and Access Control Events

While authentication determines who someone is, authorization determines what they can do. Authorization events are crucial for detecting:

• Lateral movement: Users accessing resources outside their normal scope
• Privilege escalation: Attempts to gain higher privileges
• Data exfiltration: Unusual patterns of data access
• Insider threats: Authorized users abusing their access

Authorization logs should capture:

• Resource being accessed (with hierarchy: system > service > resource > action)
• Permission required vs. permission possessed
• Decision outcome (allow/deny/challenge)
• Policy that made the decision
• Context that influenced the decision (time, location, device state)

Administrative Actions - Configuration Integrity

Administrative actions represent some of the highest-risk events because they can affect system security posture. An attacker with administrative access can:

• Create persistence mechanisms (backdoor accounts)
• Disable security controls (turn off logging, disable MFA)
• Exfiltrate data (increase permissions, modify policies)
• Cover tracks (delete logs, modify audit settings)

Administrative action logging must be tamper-resistant. If an admin can both perform actions and delete the logs of those actions, the logging provides false assurance. Best practices include:

• Immediate forwarding to write-once storage
• Cryptographic integrity verification
• Separation of duties (admins cannot access log storage)
• Anomaly detection on administrative action patterns

The format of your security logs profoundly affects their utility. Well-designed log formats enable automated parsing, efficient storage, powerful querying, and meaningful correlation. Poorly designed formats create parsing nightmares, lose critical context, and make analysis labor-intensive.

Structured vs. Unstructured Logs

The security industry has largely moved from unstructured text logs to structured formats, and for good reason:

Adopting Industry Standards

Rather than inventing your own log format, adopt established standards that provide:

1. Common Schema: Pre-defined field names and structures that tools understand
2. Normalization: Mapping different sources to common fields for correlation
3. Extensibility: Ability to add custom fields without breaking compatibility
4. Ecosystem Support: Parsers, analyzers, and visualization tools already built

Major Security Log Standards:

Elastic Common Schema (ECS) — A framework for structuring data with common fields for categories like host, user, source, destination, and event. Widely adopted in the Elastic ecosystem but usable anywhere.

Open Cybersecurity Schema Framework (OCSF) — An open-source project backed by AWS, Splunk, IBM, and others that defines a vendor-agnostic schema for security events. Designed specifically for security use cases.

CEF (Common Event Format) — An older format developed by ArcSight, still widely used in legacy SIEM deployments. Structured but uses a custom syntax rather than JSON.

Syslog (RFC 5424) — The traditional Unix logging standard, still relevant for network devices and operating systems. Modern implementations support structured data extensions.

Essential Fields for Security Events

Regardless of which standard you adopt, ensure your security events include these critical fields:

Temporal Fields:

• @timestamp: When the event occurred (source system time, UTC preferred)
• event.ingested: When the log was received by central system
• event.created: When the event record was created (if different from occurrence)

Actor Fields:

• user.id: Immutable user identifier
• user.name: Human-readable username
• user.email: Email if available
• user.roles: Active roles at time of event
• user.effective_id: If acting as another user (sudo, impersonation)

Source Fields:

• source.ip: Client IP address
• source.geo: Geolocation data derived from IP
• source.user_agent: Client identifier string
• source.device: Device fingerprint or identifier if available

Event Classification:

• event.category: Broad category (authentication, authorization, etc.)
• event.type: Specific type within category
• event.action: The action performed
• event.outcome: Success, failure, unknown
• event.severity: Numeric severity for prioritization

Correlation Fields:

• trace.id: Distributed tracing ID for request correlation
• session.id: User session identifier
• transaction.id: Business transaction identifier

In distributed systems, security events are generated across dozens or hundreds of services, each producing logs locally. A centralized logging architecture aggregates these events into a unified platform where they can be searched, analyzed, correlated, and retained according to policy.

Centralized logging is not optional for security—it's mandatory. Without centralization:

• You cannot correlate events across services to detect multi-stage attacks
• Log retention becomes inconsistent and ungovernable
• Incident investigation requires accessing each system individually
• Attackers who compromise a system can delete local logs

Collection Layer: Getting Logs Off the Source

The collection layer is responsible for reliably moving logs from source systems to the central platform. Key considerations:

Log Agents (Filebeat, Fluent Bit, Vector): Software running on each host that reads logs from files or stdout and ships them to the transport layer. Agents should:

• Handle back-pressure gracefully (queue when downstream is slow)
• Guarantee at-least-once delivery
• Minimize resource consumption on the host
• Support structured and unstructured log formats

Syslog Receivers: Many network devices, load balancers, and security appliances only support syslog. Deploy dedicated syslog collectors (rsyslog, syslog-ng) that forward to your transport layer.

API Collectors: Cloud services and SaaS applications expose logs via APIs. Deploy collectors that poll these APIs and normalize events to your schema.

Security Considerations for Collection:

• Encrypt log transport (TLS minimum)
• Authenticate agents to collectors (mTLS preferred)
• Sign log entries at source for integrity verification
• Minimize agent privileges on source systems

Transport Layer: Reliable, Scalable Delivery

The transport layer moves logs from collectors to processing. Modern architectures use message queues (Kafka, Kinesis, Pulsar) rather than direct connections. Benefits:

1. Decoupling: Sources and processors can operate independently
2. Buffering: Handle spikes in log volume without data loss
3. Scalability: Add consumers without changing producers
4. Replayability: Re-process historical logs when rules change
5. Durability: Logs persist until confirmed processed

Kafka Cluster Design for Security Logs:

Topic: security-events-raw
  Partitions: 24 (scale with ingestion rate)
  Replication Factor: 3 (durability)
  Retention: 7 days (pre-processing buffer)
  Compaction: disabled (need all events)
  
Topic: security-events-normalized
  Partitions: 24
  Replication Factor: 3
  Retention: 7 days
  
Topic: security-alerts
  Partitions: 6
  Replication Factor: 3
  Retention: 30 days

Processing Layer: Parse, Normalize, Enrich

Raw logs from diverse sources need processing before they're useful for security analysis:

Parsing: Extract structured fields from various formats (JSON, syslog, custom formats). Use schema registries to manage parsers.

Normalization: Map source-specific field names to your common schema. Example:

• AWS CloudTrail: userIdentity.arn → user.id
• Okta: actor.alternateId → user.email
• Linux auth.log: USER=jdoe → user.name

Enrichment: Add context not present in the original event:

• Geo-IP enrichment: Convert IP addresses to geographic data
• ASN enrichment: Add autonomous system number and organization
• Threat intelligence: Check IPs/domains against threat feeds
• Asset context: Add asset owner, criticality, network zone
• User context: Add department, manager, risk score from IAM

Filtering/Routing: Send different events to different destinations:

• High-severity alerts → immediate alerting system
• Compliance-relevant events → compliance-specific indices
• High-volume, low-value events → compressed cold storage

Security log storage presents unique challenges: you need fast queries for real-time detection, long retention for compliance and forensics, and massive scale as distributed systems generate billions of events daily. The solution is tiered storage with hot, warm, and cold layers.

Hot Storage (0-7 days): Optimized for query speed. Events here are actively searched during investigations and feed real-time alerting. Technologies: Elasticsearch, Splunk, ClickHouse.

Warm Storage (7-90 days): Optimized for cost-efficient querying. Accessed for investigations beyond immediate incidents. May use slower, cheaper storage tiers. Technologies: Elasticsearch frozen tier, S3 + query engines.

Cold Storage (90+ days): Optimized for retention cost. Rarely accessed but required for compliance or deep investigations. Technologies: S3 Glacier, Google Coldline, Azure Archive.

Retention Requirements by Regulation

Compliance requirements often dictate minimum retention periods:

• PCI DSS: 1 year minimum, 3 months immediately accessible
• HIPAA: 6 years for audit logs
• SOC 2: 1 year typical, varies by trust service criteria
• GDPR: No minimum, but must be able to demonstrate compliance
• Financial services (SEC 17a-4): 6 years, 2 years immediately accessible

Design your retention policy to meet the most stringent applicable requirement, but implement tiered storage to manage costs.

Log Integrity and Tamper Evidence

Security logs are only valuable if they're trustworthy. An attacker who gains system access often attempts to modify or delete logs to cover their tracks. Implement integrity controls:

Write-Once Storage: Use immutable storage (S3 Object Lock, WORM-compliant storage) for log archives. Once written, logs cannot be modified or deleted until retention expires.

Cryptographic Signing: Sign log entries or batches at the source. Any modification invalidates signatures.

Hash Chains: Create cryptographic chains linking log entries. Deletion or modification breaks the chain.

Third-Party Attestation: Forward copies to an independent system that can attest to what was received.

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Log Entry 1   │───▶│   Log Entry 2   │───▶│   Log Entry 3   │
│ hash: abc123    │    │ prev: abc123    │    │ prev: def456    │
│                 │    │ hash: def456    │    │ hash: ghi789    │
└─────────────────┘    └─────────────────┘    └─────────────────┘
        ▲                       ▲                       ▲
        │                       │                       │
    Can't modify           Can't delete           Chain proves
    without breaking       without breaking       completeness
    hash chain             hash chain

Implementing security event logging in production requires careful attention to reliability, performance, and security. Here are battle-tested practices from organizations operating at scale:

Even experienced organizations make predictable mistakes when implementing security logging. Learn from these common anti-patterns:

Security event logging is the foundation upon which all other security monitoring capabilities are built. Without comprehensive, reliable, well-structured logs, detection becomes guessing, investigation becomes archeology, and compliance becomes hope.

What's Next:

With security event logging in place, the next step is using those logs to detect threats. The following page covers Intrusion Detection—how to analyze security events to identify attacks in progress, from signature-based detection to behavioral analysis and network-based approaches.