Safeguards

Monitoring and logging

What are monitoring and logging in IT?

Monitoring and logging mean that IT systems are watched continuously and that important events are written down, such as logins, errors and changes to permissions. In an incident these logs show what happened, when, and through which access route someone entered.

Time passes between an attacker's first access and any visible damage. During that time traces are left behind: a run of failed logins on the remote maintenance tool, a successful login at three in the morning from another country, a newly created administrator account, antivirus software suddenly switched off on one machine, a backup job that has been failing for days. Without logs these traces stay invisible, and the attack is noticed only on the day the files are encrypted.

For a small or medium business a manageable selection is enough. Log the logins to your servers, to Microsoft 365 or a comparable cloud service, to the VPN, meaning the encrypted remote route into the company network, to remote maintenance and to the firewall. Add changes to permissions, the creation and deletion of accounts, the disabling of protective software and the results of backup runs. These logs are gathered in one central place, so that an attacker on the compromised machine cannot simply delete them, and they are retained for a defined period.

Logging writes things down. Monitoring means somebody looks. An alert that lands in a mailbox nobody opens achieves nothing. For businesses without their own IT there are two workable routes. Alerts go to the IT provider with an agreed response time. Or the watching is bought in as a service, for example through a SOC (security operations centre), meaning a team that evaluates incoming alerts around the clock and raises the alarm when it matters.

Logs contain personal data, because they record who signed in and when. Set out in writing beforehand the purpose of the logging, how long entries are retained and who may inspect them, and involve any staff representation. A clean arrangement also serves the documentation of technical and organisational measures required by the GDPR.

The first sensible step is a list of the systems reachable from outside or holding particularly valuable data. For each one, ask: is logging switched on? How long are the entries kept? Who looks at them, and how often? The IT-Check records which logs are kept, where alerts are sent and who actually reads them.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call