An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To assure all logable events are captured, the web server must begin logging once the first web server process is initiated.
Review the web server documentation and deployed configuration to determine if the web server captures log data as soon as the web server is started. If the web server does not capture logable events upon startup, this is a finding.
Configure the web server to capture logable events upon startup.