CWE-778: Insufficient Logging

BaseDraftExploit Likelihood: Medium

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

View on MITRE
Back to CWE Lookup

Extended Description

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-778: Insufficient Logging?+

CWE-778: Insufficient Logging is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled.

What are the security consequences of Insufficient Logging?+

If exploited, CWE-778 (Insufficient Logging) it can compromise Non-Repudiation, leading to outcomes such as Hide Activities.

How do you prevent or mitigate Insufficient Logging?+

Recommended mitigations for CWE-778 include: Use a centralized logging mechanism that supports multiple levels of detail. Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information. Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment.

Which programming languages are affected by Insufficient Logging?+

CWE-778 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Insufficient Logging?+

MITRE documents real CVEs mapped to CWE-778, including CVE-2008-4315, CVE-2008-1203, CVE-2007-3730, CVE-2007-1225 and CVE-2003-1566. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-778 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More