| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 17.3 - Logging & Monitoring (Part 1 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens the topic of logging and monitoring from Domain 7, shifting from stopping attacks to recording and reviewing what actually happens. It lays the foundation for how organizations hold people accountable, reconstruct events, and produce evidence that holds up when something goes wrong.
What this episode covers
- Logging and accountability — recording what, when, where, and who, which only holds up when identity is secure.
- Common types of logs — security, system, application, firewall, proxy, and change logs, each a different slice of activity.
- Protecting log data — centralizing copies, tight permissions, read-only archives, and physical security against tampering.
- Retention and destruction — keeping logs for a defined period, then destroying them so extra years cannot backfire.
- Audit trails — reconstructing events forward or reverse and tying actions to the verified user who performed them.
- Deterrence and evidence — audit trails as passive detection controls and material for prosecution attackers try to delete.
- Investigations and troubleshooting — synced timestamps, and separating a genuine attack from a faulty component.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is logging, and why does accountability depend on it?
Logging records events into a file or database, capturing what happened, when, where, and who did it, and it is where you start when reconstructing a recent event. But logging alone is not enough for accountability, because it only works if your identification and authentication are secure. If it is easy to impersonate another user, a log entry might accuse the wrong person entirely, so trustworthy identity is the prerequisite that makes the record fair.
What are the common types of logs?
Different logs capture different slices of activity. Security logs record access to resources like files and folders, system logs record startups, shutdowns, and services stopping, and application logs capture whatever the developer chose to record. Firewall logs note traffic allowed and blocked with source and destination but not packet contents, proxy logs track which sites users visit, and change logs record change requests, approvals, and the changes themselves.
How do you protect log data from tampering?
Logs only have value if they are trustworthy, because an attacker who can edit them can erase their own tracks. A common move is to copy logs to a central system, so even corrupted originals still have a clean copy elsewhere. Restrict access with tight permissions, set archived logs to read-only, add physical protection, and follow a retention policy that keeps logs for a defined period, then destroys them, since keeping them too long can backfire during a legal matter.
What are audit trails, and how do they enable accountability?
An audit trail is the record built when event details land in your logs and databases, capturing system activity so you can reconstruct a security event in forward or reverse order. It gives you accountability by tying logged actions back to the user who performed them after that user proved their identity, which itself deters bad behavior. Audit trails also serve as passive detection controls and essential evidence for prosecution, which is why advanced attackers try to find and delete them.
How do monitoring and audit trails support investigations and troubleshooting?
They let you rebuild events long after they occur, exposing access abuses, privilege violations, and attempted intrusions, but only if timestamps are accurate and consistent, which is why organizations sync clocks to a trusted time source. Beyond security, audit trails also aid plain troubleshooting by recording system failures, software errors, and crash details, helping you tell a genuine attack from a faulty component. A repeatedly crashing system, for instance, might turn out to be failing memory rather than an intruder.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 17.3 - Logging & Monitoring (Part 1 of 2).