Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2. Logging Solutions

If monitoring is your nervous system, logging is your memory. Without comprehensive logs, you can detect that something happened but can't reconstruct what happened, who did it, when they did it, or how they got access. During an incident investigation, the first question is always "what do the logs show?" — and the answer "we weren't logging that" turns a recoverable breach into a catastrophic unknown. Think of logging like a building's security camera system: cameras that aren't recording are just expensive decorations, and footage that isn't stored is useless during an investigation. The exam tests your ability to design logging architectures that capture the right data, store it cost-effectively, and make it queryable for both real-time analysis and long-term investigation.

This section covers the complete logging lifecycle: source identification, service configuration, centralized storage, analysis, normalization, and network-specific logging.

Scenario: During a breach investigation, the security team discovers that CloudTrail data events for S3 were never enabled on any trail. Management events (bucket-level calls such as ListBuckets or GetBucketAcl) are recorded by default, but object-level calls such as GetObject and PutObject are only captured when data events are explicitly configured, so the team cannot determine which objects the attacker read or modified. How does this gap change the investigation outcome?
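The scenario turns on the difference between CloudTrail management events (bucket-level API calls, on by default) and S3 data events (object-level calls such as GetObject, off by default). As an added example that is not part of the original page or its author's material, the following Python performs two offline checks: whether a trail's event selectors, in the shape returned by CloudTrail's GetEventSelectors API (both the classic EventSelectors and the AdvancedEventSelectors styles), cover object-level logging for a given bucket, and what an investigator can reconstruct from the same attacker activity with and without data events. The bucket name, the IAM user ARN and every log record are constructed sample data; nothing here calls AWS.

```python
"""Added example (not the page's own code): two offline checks around
CloudTrail S3 data events. Field names follow the shapes CloudTrail uses
in GetEventSelectors responses and in log records; the bucket, the IAM
principal and every record below are constructed sample data."""
from __future__ import annotations

S3_OBJECT = "AWS::S3::Object"
BUCKET = "arn:aws:s3:::evidence-bucket"                        # constructed
ATTACKER = "arn:aws:iam::123456789012:user/compromised-dev"    # constructed

def _classic_covers(event_selectors: list[dict], bucket_arn: str) -> bool:
    """Classic EventSelectors: a DataResources entry of Type AWS::S3::Object
    whose Values name every bucket ('arn:aws:s3') or this bucket ('<arn>/')."""
    for sel in event_selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != S3_OBJECT:
                continue
            for value in res.get("Values", []):
                if value == "arn:aws:s3" or value.rstrip("/") == bucket_arn:
                    return True
    return False

def _advanced_covers(advanced_selectors: list[dict], bucket_arn: str) -> bool:
    """AdvancedEventSelectors: eventCategory Data, resources.type S3 object,
    and any resources.ARN constraint (Equals/StartsWith/NotStartsWith) must
    admit objects in this bucket. No ARN constraint means every bucket."""
    objects_prefix = bucket_arn + "/"
    for sel in advanced_selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if S3_OBJECT not in fields.get("resources.type", {}).get("Equals", []):
            continue
        arn = fields.get("resources.ARN")
        if arn is None:
            return True
        if any(objects_prefix.startswith(v) for v in arn.get("NotStartsWith", [])):
            continue
        allowed = arn.get("Equals", []) + arn.get("StartsWith", [])
        if not allowed or any(objects_prefix.startswith(v) for v in allowed):
            return True
    return False

def audit_s3_data_events(selectors_response: dict, bucket_arn: str) -> bool:
    """True when a trail (GetEventSelectors-shaped response) records
    object-level events for bucket_arn under either selector style."""
    return (_classic_covers(selectors_response.get("EventSelectors", []), bucket_arn)
            or _advanced_covers(selectors_response.get("AdvancedEventSelectors", []), bucket_arn))

def reconstruct_s3_access(records: list[dict], bucket_arn: str) -> dict:
    """Split S3 CloudTrail records into bucket-level calls (management
    events) and the object keys touched (present only in data events)."""
    management, keys = [], set()
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("managementEvent", True):
            management.append(rec["eventName"])
            continue
        for res in rec.get("resources", []):
            arn = res.get("ARN", "")
            if res.get("type") == S3_OBJECT and arn.startswith(bucket_arn + "/"):
                keys.add(arn[len(bucket_arn) + 1:])
    return {"management": management, "objects_accessed": sorted(keys)}

def management_only(records: list[dict]) -> list[dict]:
    """What a trail without S3 data events actually delivers."""
    return [r for r in records if r.get("managementEvent", True)]

def _rec(time: str, name: str, management: bool, resources: list[dict]) -> dict:
    # Constructed CloudTrail record trimmed to the fields the checks read.
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "managementEvent": management, "userIdentity": {"arn": ATTACKER},
            "resources": resources}

# Trail as found during the investigation: management events only.
TRAIL_MANAGEMENT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}

# Same trail after object-level logging for the bucket was added.
TRAIL_WITH_S3_DATA = {"AdvancedEventSelectors": [
    {"Name": "Management", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "Objects in evidence-bucket", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [S3_OBJECT]},
        {"Field": "resources.ARN", "StartsWith": [BUCKET + "/"]}]}]}

# Constructed attacker activity; the two GetObject calls are data events.
RECORDS = [
    _rec("2026-01-10T02:14:07Z", "ListBuckets", True, []),
    _rec("2026-01-10T02:14:31Z", "GetBucketAcl", True, [{"type": "AWS::S3::Bucket", "ARN": BUCKET}]),
    _rec("2026-01-10T02:15:02Z", "GetObject", False, [{"type": S3_OBJECT, "ARN": BUCKET + "/customers.csv"}]),
    _rec("2026-01-10T02:15:40Z", "GetObject", False, [{"type": S3_OBJECT, "ARN": BUCKET + "/keys/backup.pem"}]),
]

if __name__ == "__main__":
    print("data events covered:", audit_s3_data_events(TRAIL_MANAGEMENT_ONLY, BUCKET))
    print("investigator sees:", reconstruct_s3_access(management_only(RECORDS), BUCKET))
    print("data events covered:", audit_s3_data_events(TRAIL_WITH_S3_DATA, BUCKET))
    print("investigator sees:", reconstruct_s3_access(RECORDS, BUCKET))
```

With the management-only trail the reconstruction shows that the compromised user enumerated buckets and read the bucket ACL, but the `objects_accessed` list is empty: the GetObject calls were never written, so the investigation cannot say whether `customers.csv` or the key material left the account. The audit function is the check to run before an incident, against every trail in the organization, since a trail that covers some buckets still leaves others in exactly this blind spot.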

Reflection Question: Why does the exam treat logging architecture as a security control — not just an operational convenience?

Written by Alvin Varughese, Founder, 15 professional certifications