
ADR-002 - Centralized Logging and Security Monitoring (SOC)

Context

At the current stage, most systems (VPS, services, applications) generate logs locally.

This creates several limitations:

  • no centralized visibility across the environment
  • limited ability to correlate events
  • delayed detection of suspicious activity
  • weak audit trail in case of incident

Because the lab spans a public VPS side (Heaven) and an internal side (Hell), the events belonging to one incident can be split across both, and this lack of centralization is identified as a major detection and response gap.


Decision

Implement a centralized logging architecture:

  • all systems forward logs to a central SOC platform hosted in Hell
  • log collection is performed using agents or secure protocols (Syslog/TLS, Wazuh agent)
  • the SOC platform becomes the primary location for:
    • log aggregation
    • correlation
    • detection logic
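The transport named in the decision (Syslog over TLS), shown end to end as an added example that is not part of the ADR and not rsyslog or Wazuh code: an RFC 5424 message is built, framed with RFC 6587 octet counting so a multi-line event cannot be split into two records, and sent over a TLS session that verifies the collector's certificate. The collector name `soc.hell.lab`, port 6514 and the CA path are assumptions; the plaintext UDP sender is included only as the baseline the decision rejects.

```python
"""Syslog over TLS forwarding, shown end to end. Added example; not from the ADR.
Collector name, port and CA path below are assumptions for illustration."""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

SOC_HOST = "soc.hell.lab"             # assumed collector FQDN; must match the SAN on its cert
SOC_PORT = 6514                       # IANA port for syslog over TLS (RFC 5425)
CA_FILE = "/etc/ssl/soc/lab-ca.pem"   # assumed: the lab CA that issued the collector cert
EXAMPLE_TS = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed timestamp for the demo


def build_rfc5424(facility: int, severity: int, hostname: str, app: str, msg: str,
                  ts: Optional[datetime] = None, procid: str = "-", msgid: str = "-") -> bytes:
    """RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility * 8 + severity; '-' is the NILVALUE for absent fields and for no structured data."""
    ts = ts or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    header = f"<{pri}>1 {ts.isoformat(timespec='microseconds')} {hostname} {app} {procid} {msgid} -"
    return f"{header} {msg}".encode("utf-8")


def frame(msg: bytes) -> bytes:
    """RFC 6587 octet counting: 'MSG-LEN SP MSG'. A length prefix lets the collector split the
    TCP/TLS byte stream into records without trusting newlines inside the message body."""
    return f"{len(msg)} ".encode("ascii") + msg


def parse_frames(stream: bytes) -> List[bytes]:
    """Collector side of octet counting: recover whole messages from a byte stream.
    A trailing incomplete frame is left unread until more bytes arrive."""
    out, i = [], 0
    while i < len(stream):
        sp = stream.find(b" ", i)
        if sp == -1:
            break
        n = int(stream[i:sp])
        start = sp + 1
        if start + n > len(stream):
            break
        out.append(stream[start:start + n])
        i = start + n
    return out


def tls_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Client context that only accepts a collector whose certificate chains to the given CA
    and whose SAN matches the name dialled. With cafile=None the system trust store is used."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_tls(messages: List[bytes], host: str = SOC_HOST, port: int = SOC_PORT,
             cafile: Optional[str] = CA_FILE) -> int:
    """Ship framed messages over one verified TLS session; returns the number of bytes sent."""
    payload = b"".join(frame(m) for m in messages)
    with socket.create_connection((host, port), timeout=5) as raw:
        with tls_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
    return len(payload)


def send_plain_udp(msg: bytes, host: str = SOC_HOST, port: int = 514) -> None:
    """The baseline the ADR rejects: plaintext, no collector authentication, silent loss,
    and any on-path host can read, drop or alter the event."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


if __name__ == "__main__":
    m = build_rfc5424(4, 6, "vps01.heaven", "sshd",
                      "Accepted publickey for ops from 203.0.113.10 port 51022", ts=EXAMPLE_TS)
    print(frame(m).decode())
    # send_tls([m])  # needs a reachable collector and the lab CA file
```

`check_hostname` and `CERT_REQUIRED` are what make the "secure protocol" secure: TLS without them still encrypts, but a forwarder would happily deliver the lab's evidence to whichever endpoint answers on the collector's address.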

Rationale

  • Detection capability improvement
    Centralization enables correlation across multiple systems.

  • Separation of duties
    Evidence leaves the monitored host as it is produced, so a compromised system cannot retroactively delete or alter what has already been forwarded, and detection logic does not run on infrastructure the attacker may control.

  • Auditability
    Provides a consistent and reviewable evidence source.

  • Alignment with risk scenarios
    Directly addresses risks related to undetected compromise.


Alternatives Considered

1. Keep local logs only

Rejected
Insufficient for detection and incident response.


2. Partial centralization (only critical systems)

Rejected
Creates blind spots and inconsistent visibility.


3. Full centralization to SOC (selected)

Accepted
Provides consistent and scalable monitoring foundation.


Security Impact

Positive

  • improved detection capability
  • better incident investigation support
  • centralized evidence collection
  • stronger monitoring coverage

Negative / Trade-offs

  • increased infrastructure complexity
  • dependency on SOC availability: forwarders need local buffering so that collector downtime delays delivery rather than losing events
  • need for secure log transport: confidentiality and integrity in transit, plus authentication of the collector so that forwarders cannot be redirected to a rogue endpoint

Implementation Notes

  • deploy SOC platform in Hell (Wazuh or equivalent)
  • configure log forwarding from:
    • VPS (Heaven)
    • internal systems (Hell)
  • enforce encrypted transport (TLS)
  • restrict network exposure so that only inbound connections to the SOC's collection ports are allowed, and only from monitored hosts; the SOC initiates no sessions toward the systems it monitors
  • define initial detection rules and coverage scope
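What centralization buys for the initial detection rules, as an added example that is neither the ADR's own rule set nor Wazuh rule syntax: constructed sshd lines from two assumed hosts, `vps01.heaven` and `vps02.heaven`, are parsed into one stream and evaluated first by a local-only rule (the rejected alternative) and then by two correlation rules that only a merged view can run. The attacker source (198.51.100.7, a documentation address) fails three times on each host, below a per-host threshold of five, so the local view stays silent while the SOC view fires on the fifth failure across hosts and again when a later login from that source succeeds. Wazuh expresses the same kind of threshold with `frequency` and `timeframe` attributes on a rule; writing the logic out makes the coverage scope explicit.

```python
"""Cross-host correlation over the merged log stream. Added example, not from the ADR or
from Wazuh; host names, addresses and the log lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one source spreads its attempts over two hosts so that no single
# host sees enough failures to cross a local threshold of five.
SAMPLE_LOGS = """\
2026-01-15T12:00:01+00:00 vps01.heaven sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40322 ssh2
2026-01-15T12:00:04+00:00 vps01.heaven sshd[2103]: Failed password for root from 198.51.100.7 port 40330 ssh2
2026-01-15T12:00:09+00:00 vps01.heaven sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40341 ssh2
2026-01-15T12:00:20+00:00 vps02.heaven sshd[881]: Failed password for root from 198.51.100.7 port 50112 ssh2
2026-01-15T12:00:25+00:00 vps02.heaven sshd[883]: Failed password for invalid user admin from 198.51.100.7 port 50119 ssh2
2026-01-15T12:00:31+00:00 vps02.heaven sshd[885]: Failed password for backup from 198.51.100.7 port 50124 ssh2
2026-01-15T12:02:10+00:00 vps02.heaven sshd[890]: Accepted password for backup from 198.51.100.7 port 50140 ssh2
2026-01-15T12:03:00+00:00 vps01.heaven sshd[2120]: Accepted publickey for ops from 203.0.113.10 port 51022 ssh2
2026-01-15T12:03:05+00:00 vps01.heaven cron[2130]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse(text: str) -> List[Dict]:
    """Normalise sshd auth lines into events; lines outside this rule's scope are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                       "user": d["user"], "ip": d["ip"], "ok": d["outcome"] == "Accepted"})
    return sorted(events, key=lambda e: e["ts"])


def local_only(events: List[Dict], window=timedelta(minutes=5), threshold=5) -> List[Dict]:
    """The rejected alternative: each host evaluates only its own log.
    Fires when one (host, source IP) pair reaches `threshold` failures inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["ok"]:
            continue
        key = (e["host"], e["ip"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) == threshold:
            alerts.append({"rule": "ssh_bruteforce_local", "host": e["host"], "ip": e["ip"], "ts": e["ts"]})
    return alerts


def centralized(events: List[Dict], window=timedelta(minutes=5), threshold=5) -> List[Dict]:
    """Correlation over the merged stream. Rule 1: one source IP with `threshold` failures
    across two or more hosts inside `window`. Rule 2: a success from an IP that failed
    anywhere inside `window`, which is what makes a brute force that worked visible."""
    alerts, failures, fired = [], defaultdict(list), set()
    for e in events:
        ip = e["ip"]
        failures[ip] = [(t, h) for t, h in failures[ip] if e["ts"] - t <= window]  # expire old ones
        if not e["ok"]:
            failures[ip].append((e["ts"], e["host"]))
            hosts = {h for _, h in failures[ip]}
            if len(failures[ip]) >= threshold and len(hosts) >= 2 and ip not in fired:
                fired.add(ip)
                alerts.append({"rule": "ssh_bruteforce_distributed", "ip": ip,
                               "hosts": sorted(hosts), "count": len(failures[ip]), "ts": e["ts"]})
        elif failures[ip]:
            alerts.append({"rule": "ssh_success_after_failures", "ip": ip, "host": e["host"],
                           "user": e["user"], "prior_failures": len(failures[ip]), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("local-only view:", local_only(evts))  # nothing: three failures per host, threshold five
    for a in centralized(evts):
        print("SOC view:", a)
```

Lowering the per-host threshold to three would make the local view fire too, at the cost of noise on every host; the merged stream lets the threshold stay where it belongs and still catches the spread attempt, and the second rule ties the later successful login back to the failures that preceded it on another host.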

Evidence & Traceability

Linked to:

  • risk scenarios involving delayed or missed detection
  • monitoring and validation documentation
  • future audit and incident response workflows

Current Maturity

At the current stage, centralized logging is considered in progress.

Established

  • identification of logging gaps
  • definition of centralized logging target architecture

In Progress

  • deployment of SOC platform
  • onboarding of systems for log forwarding
  • initial detection logic definition

Planned / Next Phase

  • correlation rules improvement
  • detection coverage review
  • integration with incident response workflows