Logging

Logging is the automated recording of events in IT systems, creating a traceable audit trail of who did what, and when. Logs are essential for detecting security incidents in a timely manner and for investigating and documenting breaches after the fact.

    What is security logging?

    Security logging is the recording of security-relevant events in systems, applications and network infrastructure. Logs typically contain information about who (user ID), what (action), when (timestamp), where from (IP address/device) and whether the action succeeded.

    Logs serve two primary purposes: detection (identifying attacks and suspicious activity in near real-time) and forensics (investigating and documenting what happened during and after a security incident).

    What should be logged?

    Best practice is to log, at a minimum:

    • Authentication events: Login, logout, failed attempts and MFA usage.
    • Access to sensitive data: All access to and changes of sensitive data and systems.
    • Administrative actions: Privileged access and administrative operations.
    • System events: Startup, shutdown and error conditions.
    • Configuration changes: Alterations to system or application settings.
    • Network events: Firewall blocks, DNS lookups and other network-level activity.

    Regulatory requirements for logging

    GDPR does not explicitly require logging, but the accountability principle and the requirements for appropriate security measures and the ability to detect and document breaches mean that logging is a practical necessity. ISO 27001 Annex A control 8.15 requires logging, and control 8.16 requires monitoring activities. NIS2 requires technical monitoring of systems as part of its risk management requirements.


    Logs are personal data:
    Remember that logs containing IP addresses or user IDs are typically personal data. GDPR's storage limitation principle applies — retain logs for as long as they are necessary for security purposes, but no longer.

    Log retention and protection

    Logs must be stored securely and protected against tampering. Best practice includes centralised log collection, write-protected log stores, encryption of logs and access controls on log data. Retention periods should reflect the need for forensic analysis — typically 6 to 12 months active and 1 to 2 years in archive.
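
As an added illustration (not part of the original page), the sketch below writes audit records with the who, what, when, where-from and outcome fields described earlier and links them with an HMAC chain so that edits or deletions in the stored log become detectable. The HMAC chain is one assumed tamper-evidence technique, not something the page prescribes; the key, field names and sample events are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): keep the real key on the central collector only.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # prev_mac value of the very first record


def record_mac(record):
    # The MAC covers every field except the MAC itself, in canonical JSON form.
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def make_record(prev_mac, user_id, action, timestamp, source_ip, success):
    """Build one audit record and link it to the previous record's MAC."""
    record = {
        "user_id": user_id, "action": action, "timestamp": timestamp,
        "source_ip": source_ip, "success": success, "prev_mac": prev_mac,
    }
    record["mac"] = record_mac(record)
    return record


def verify_chain(records):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        linked = rec.get("prev_mac") == prev
        if not linked or not hmac.compare_digest(rec.get("mac", ""), record_mac(rec)):
            return i
        prev = rec["mac"]
    return None


def build_sample_log():
    # Constructed sample events; the IP addresses are from documentation ranges.
    events = [
        ("alice", "login", "2024-05-01T08:00:00Z", "192.0.2.10", True),
        ("mallory", "login", "2024-05-01T08:01:12Z", "198.51.100.7", False),
        ("alice", "config_change", "2024-05-01T08:05:30Z", "192.0.2.10", True),
    ]
    log, prev = [], GENESIS
    for ev in events:
        log.append(make_record(prev, *ev))
        prev = log[-1]["mac"]
    return log
```

Changing a field or removing a record from the middle breaks the chain at that position. Removing records from the end is only detectable if the latest MAC is also held somewhere the log writer cannot reach, such as the central collector.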

    Frequently Asked Questions about Logging

    What is security logging?

    Security logging is the automated recording of security-relevant events in IT systems — such as logins, access to data and configuration changes — creating an audit trail for detection and forensic investigation.

    What should be logged according to best practice?

    At a minimum, organisations should log authentication events, access to sensitive data, administrative actions, system events, configuration changes and network events such as firewall blocks and DNS lookups.

    Does GDPR require logging?

    GDPR does not explicitly require logging, but the accountability principle and the obligation to implement appropriate security measures and detect breaches mean that logging is a practical necessity for compliance.

    What does ISO 27001 say about logging?

    ISO 27001 Annex A control 8.15 requires event logging, and control 8.16 requires monitoring activities. Together, these controls establish a requirement for comprehensive security logging and review.

    How long should logs be retained?

    Retention periods should reflect the need for forensic analysis — typically 6 to 12 months of active retention and 1 to 2 years in archive. Under GDPR, logs should not be retained longer than necessary for their security purpose.
