Incident Response & Investigation

"Those logs JUST aged off the server..."

Tuesday, September 27
2:35 pm - 3:25 pm EDT

One common theme in incident response is that some important log data is almost always unavailable for analysis. Sometimes the log data aged off a system before it could be collected. Sometimes it was never generated because a particular type of logging was never enabled on the system. Other times logging is enabled, but the system is configured such that the logs do not contain the data points the investigation needs. Logging is a fundamental function of information systems and is often viewed as a mundane and boring topic; when you need specific data to answer burning questions, however, nothing is less mundane or boring. This session will look at real-world examples of critical missing log data, explore how and why this happens, and offer practical advice for avoiding these mistakes.

