Use Logging on Government Systems

Protect Your Organization with Logging & Monitoring

State, local, tribal and territorial (SLTT) governments manage critical infrastructure, citizen data and public services. They also face unique challenges: limited cybersecurity staffing, legacy systems and increasing attacks targeting public-sector entities. Therefore, keeping sensitive data secure is a core responsibility. But without logging and monitoring in place, attackers may lurk in your systems unnoticed for weeks or months.

This is especially concerning for organizations connected to critical infrastructure. A single breach in one of these systems could disrupt services that communities rely on, or worse, go unnoticed until major damage is done. In fact, during a CISA red team exercise simulating a cyberattack on a critical infrastructure organization, the attackers were only discovered after log data revealed suspicious activity. Without logging, the compromise may never have been caught.

What is logging and monitoring?

Logging refers to automatically recording events on your systems—such as user logins, file access, system errors or attempted intrusions. Monitoring means reviewing and analyzing those logs—either manually or using automated tools—to spot suspicious activity, system misuse or early signs of attack. Think of logs as your digital surveillance footage and monitoring as the guard reviewing the tapes.

Why does this matter?

According to Verizon’s 2025 Data Breach Investigations Report, system intrusion was a component of 53% of all data breaches. Logging and monitoring are critical to help you spot such intrusions and stop them in time.

Enabling system logs and continuously monitoring them helps your IT team:

Detect intrusions early before damage spreads

Track account misuse or unauthorized access

Respond faster to incidents

Support investigations and audits

Meet compliance or regulatory requirements

To help organizations get started, CISA offers no-cost tools, like Logging Made Easy and Malcolm, that make it simple to collect and review key system logs. It’s an easy step toward stronger cybersecurity.

Logging and Monitoring in Three Steps

Even small teams can set up logging to baseline normal system behavior and better detect unusual behavior that may indicate cyber threats. Work with your IT team to establish logging and monitoring for your organization—CISA’s no-cost Logging Made Easy tool can help.

Set up logging.
- Determine what to log, such as user activity, admin actions, network traffic, application logins, system events and more.
- Enable logging on servers, firewalls, endpoint devices and cloud services. Effective logs should contain enough detail to aid incident responders.
- Centralize your logs with a log management solution. Centralization makes it easier to detect unusual activity.
Monitor logs regularly.
- Set up alerts for high-risk events (e.g., failed login attempts, privilege escalation).
- Review logs manually or with automated tools where possible.
- Train staff to recognize what suspicious activity looks like and have them review logs regularly for such activity.
Establish policies and procedures for logging and monitoring.
- Follow best practiceswhen setting up logging and monitoring.
- Protect logs from unauthorized access or deletion by restricting and monitoring access and storing them securely.
- Retain logs in accordance with your policies and compliance needs.
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.

National Institute of Standards & Technology (NIST) has a playbook intended to help any organization plan improvements to its cybersecurity log management. See NIST SP 800-92 Rev. 1 Cybersecurity Log Management Planning Guide (2023).