Logs are a key part of understanding how an incident occurred and when it started. With that information, you can resolve incidents quicker, and get back to business as usual. Without logs enabled it can be harder to detect when an incident happens, or establish the full scope of the incident.
Enabling logs on everything will generate a lot of data and can become overwhelming. Trying to process this all by hand makes it hard to tell when there’s a problem. Configure alerts to notify you when key actions happen. This helps manage the noise, and the detailed logs are still available when you need to look into them.
The intent of this control is to ensure that systems are logging necessary information. These logs are:
- stored in a central location
- protected from unauthorised access and modification
- kept for as long as they’re needed.
Successful implementation of this control will look different for different organisations. Your organisation should:
- enable logging for events that are business critical or involve sensitive data
- sync all systems to the same time source, with a consistent time zone to make analysis and correlation easier
- send logs to a central system for storage and analysis
- limit access to those who need it. Those users have read only access – there shouldn’t be a way to modify or delete data.
- record any modifications to the configuration of the logging system
- set up automated alerts and reporting for known suspicious or unusual log events.
Centralised logging: key takeaways
- Consider which logs would be the most helpful to piece together or detect an incident. Logs can require a lot of resources, so make sure you are prioritising the logs that are important.
- Consider checking with your legal team or industry standards, when deciding which events you want to log. There might be specific logs you have to collect to comply with laws and regulations for your industry.
- Consider what sensitive data might end up in your logs (like usernames and passwords). Think about how you’ll mask that information, or how you might protect the logs from unauthorised access.
- Make sure you protect your log files from modification or deletion. You need confidence that your logs are accurate and haven't been tampered with for them to be useful.
- Many businesses don’t discover an incident until at least two months after it happened. Keep that in mind when deciding how long you’ll keep your logs for. Having them available will allow you to carry out an effective investigation.