CWE · MITRE source
CWE-778: Insufficient Logging
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds. As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (24)
The 13 most specific controls are listed first. Generic controls that address many weakness types follow.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AU-1 | Policy and Procedures | AU | Audit policy requires defining and implementing logging of security-relevant events, directly reducing insufficient logging. |
| AU-10 | Non-repudiation | AU | Providing proof of performed actions necessitates sufficient logging of security-relevant events with attribution details. |
| AU-11 | Audit Record Retention | AU | Retaining audit records for a defined period ensures security-relevant events remain available for after-the-fact investigations, directly mitigating the risk that attackers can hide actions due to missing or purged log data. |
| IR-1 | Policy and Procedures | IR | Incident response policy mandates logging and monitoring requirements to detect and record security events. |
| IR-3 | Incident Response Testing | IR | IR testing would reveal insufficient logging that impairs incident analysis and response effectiveness. |
| IR-4 | Incident Handling | IR | Detection and analysis phases require sufficient logging to identify and investigate incidents, addressing insufficient logging. |
| PM-14 | Testing, Training, and Monitoring | PM | Monitoring plans mandate sufficient logging and event collection to detect anomalous behavior and support incident response. |
| PM-21 | Accounting of Disclosures | PM | Mandating retention and availability of disclosure accounting ensures security-relevant events involving PII release are logged rather than omitted. |
| PM-31 | Continuous Monitoring Strategy | PM | Drives organization-wide metrics, frequencies, and correlation of monitoring data, directly mitigating insufficient logging and observability. |
| PE-3 | Physical Access Control | PE | Requires maintenance of physical access audit logs, directly mitigating insufficient logging of access attempts and events. |
| PE-8 | Visitor Access Records | PE | The requirement to maintain visitor access records implements logging of security-relevant physical access events, preventing insufficient logging of such events. |
| CA-7 | Continuous Monitoring | CA | Continuous monitoring requires establishing metrics, ongoing data collection, correlation, and analysis, directly mitigating insufficient logging by ensuring security-relevant events are captured and reviewed. |
| MA-4 | Nonlocal Maintenance | MA | Maintaining records of nonlocal maintenance activities ensures logging to support detection of issues. |
11 more broadly applicable controls
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AU-12 | Audit Record Generation | AU | Directly requires generation of audit records for specified events, preventing the absence of logging that allows undetected malicious activity. |
| AU-14 | Session Audit | AU | Directly implements detailed session logging to address the weakness of insufficient logging. |
| AU-15 | Alternate Audit Logging Capability | AU | Provides alternate logging mechanism to maintain audit trails when primary capability fails, directly reducing insufficient logging. |
| AU-16 | Cross-organizational Audit Logging | AU | Employing coordination mechanisms ensures consistent and sufficient logging practices are applied when audit information crosses organizational boundaries. |
| AU-2 | Event Logging | AU | This control requires identifying, specifying, and justifying event types for logging with a focus on adequacy for post-incident investigations, directly mitigating insufficient logging. |
| AU-3 | Content of Audit Records | AU | This control directly specifies the minimum content required in audit records to establish event details, attribution, and outcomes, thereby mitigating insufficient logging. |
| AU-4 | Audit Log Storage Capacity | AU | Allocating dedicated audit log storage capacity ensures security-relevant events can be recorded and retained without premature loss or overwrite due to exhaustion, directly supporting sufficient logging. |
| AU-7 | Audit Record Reduction and Report Generation | AU | The reduction and report generation capability directly enables usable on-demand review and incident investigation, mitigating insufficient logging by ensuring audit data can be effectively analyzed without loss of original records. |
| AU-8 | Time Stamps | AU | Requiring internal clock-based timestamps directly improves audit record completeness, reducing the impact of insufficient logging for incident analysis. |
| IR-5 | Incident Monitoring | IR | Implementing incident tracking and documentation requires logging of security-relevant events, directly mitigating insufficient logging that allows undetected exploitation. |
| PM-6 | Measures of Performance | PM | Developing and monitoring security performance measures requires systematic collection and analysis of control effectiveness data, directly reducing insufficient logging. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-48967 | 2.0 | 10.0 | 0.0028 | 2024-11-14 |
| CVE-2026-32693 | 1.8 | 8.8 | 0.0007 | 2026-03-18 |
| CVE-2019-7613 | 1.5 | 7.5 | 0.0018 | 2019-03-25 |
| CVE-2021-43419 | 1.5 | 7.5 | 0.0025 | 2023-11-07 |
| CVE-2019-19277 | 1.3 | 6.5 | 0.0029 | 2020-03-10 |
| CVE-2025-52644 | 1.2 | 5.8 | 0.0004 | 2026-03-16 |
| CVE-2023-1995 | 1.1 | 5.3 | 0.0017 | 2023-08-29 |
| CVE-2025-2562 | 1.1 | 5.4 | 0.0029 | 2025-03-26 |
| CVE-2025-32967 | 1.1 | 5.4 | 0.0080 | 2025-05-23 |
| CVE-2025-53498 | 1.1 | 5.3 | 0.0026 | 2025-07-07 |
| CVE-2026-25598 | 1.1 | 5.3 | 0.0002 | 2026-02-09 |
| CVE-2019-19295 | 0.9 | 4.3 | 0.0028 | 2020-03-10 |
| CVE-2021-33689 | 0.9 | 4.3 | 0.0023 | 2021-07-14 |
| CVE-2022-25783 | 0.9 | 4.3 | 0.0023 | 2022-05-04 |
| CVE-2024-2291 | 0.9 | 4.3 | 0.0009 | 2024-03-20 |
| CVE-2025-66552 | 0.9 | 4.3 | 0.0003 | 2025-12-05 |
| CVE-2026-22279 | 0.9 | 4.3 | 0.0004 | 2026-01-22 |
| CVE-2026-3494 | 0.9 | 4.3 | 0.0001 | 2026-03-03 |
| CVE-2022-30305 | 0.8 | 3.7 | 0.0022 | 2022-12-06 |
| CVE-2021-32680 | 0.7 | 3.3 | 0.0020 | 2021-07-12 |
| CVE-2024-24901 | 0.6 | 3.0 | 0.0003 | 2024-03-04 |
| CVE-2022-31120 | 0.4 | 2.1 | 0.0039 | 2022-08-04 |
| CVE-2024-10863 | 0.0 | 0.0 | 0.0015 | 2024-11-22 |