Hardening is incomplete if you cannot tell when a service is being attacked or abused. This page focuses on missing logs, disabled auditing, and other visibility gaps that make compromise harder to detect.
Linux Logging
Common issues:
- rsyslog disabled
- auditd disabled
- Security-relevant events not being retained
Checks:
systemctl status rsyslog
systemctl status auditd
Fix:
sudo systemctl enable auditd
sudo systemctl start auditd
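The two status checks and the fix above, turned into a small POSIX shell report that classifies each unit by whether it is enabled at boot and whether it is running right now, and prints the matching remediation. This is an added example, not part of the original page. It assumes systemd's `systemctl is-enabled` / `systemctl is-active` wording (`enabled`, `disabled`, `static`, `active`, `inactive`, `failed`); the unit names `rsyslog` and `auditd` are the ones used above, and the split into "OK" and "GAP" findings is this example's own. It also covers the first two items of the review checklist (system logs disabled or failing, audit logging disabled).

```shell
#!/bin/sh
# Added example: report logging/auditing gaps for rsyslog and auditd.
# Assumes systemd; state words follow what systemctl prints.

# classify_unit NAME ENABLED_STATE ACTIVE_STATE
# Prints one "OK: ..." or "GAP: ..." line and returns 0 only when the unit
# is both enabled at boot and currently running. Pure function, so it can
# be exercised with constructed states without touching the live system.
classify_unit() {
  name=$1; enabled=$2; active=$3
  case "$enabled/$active" in
    enabled/active|static/active|indirect/active|alias/active)
      echo "OK: $name is enabled and running"; return 0 ;;
    unknown/*|*/unknown)
      echo "GAP: $name cannot be queried; it may not be installed"; return 1 ;;
    disabled/active)
      # Logging now, but a reboot silently turns it off.
      echo "GAP: $name is running now but will not start at boot (run: sudo systemctl enable $name)"; return 1 ;;
    enabled/failed|static/failed)
      echo "GAP: $name is enabled but has failed (check: journalctl -u $name)"; return 1 ;;
    enabled/*|static/*)
      echo "GAP: $name is enabled but not running (run: sudo systemctl start $name)"; return 1 ;;
    *)
      echo "GAP: $name is $enabled and $active (run: sudo systemctl enable --now $name)"; return 1 ;;
  esac
}

# query_unit NAME: asks systemctl for both states. Output is captured
# regardless of exit code, because is-enabled/is-active exit non-zero while
# still printing "disabled"/"inactive"; an empty answer becomes "unknown".
query_unit() {
  name=$1
  if command -v systemctl >/dev/null 2>&1; then
    enabled=$(systemctl is-enabled "$name" 2>/dev/null)
    active=$(systemctl is-active "$name" 2>/dev/null)
  else
    enabled=""; active=""
  fi
  [ -n "$enabled" ] || enabled=unknown
  [ -n "$active" ] || active=unknown
  classify_unit "$name" "$enabled" "$active"
}

# report_gaps UNIT...: live check for each unit; exit status is the number
# of gaps found, so 0 means every logging service is healthy.
report_gaps() {
  gaps=0
  for unit in "$@"; do
    query_unit "$unit" || gaps=$((gaps + 1))
  done
  return "$gaps"
}

if report_gaps rsyslog auditd; then
  echo "no logging gaps found"
else
  echo "logging gaps found: $?"
fi
```

Run it as root or as an unprivileged user; querying state needs no privileges, only the suggested `enable`/`start` commands do. A non-zero exit count from `report_gaps` is convenient for wiring the check into a compliance job.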
Windows Logging
Common issues:
- Security auditing not enabled
- Login and privilege events not being captured
Open Event Viewer:
eventvwr
Fix:
- Open Local Security Policy.
- Navigate to Advanced Audit Policy Configuration.
- Enable auditing of logon events and privilege use.
Quick Review Checklist
When reviewing monitoring and detection, check for:
- system logs disabled or failing
- audit logging disabled
- authentication and privilege events not captured
- no clear place to review recent service activity