
Use Logging on Business Systems
Monitor what matters to protect your business.
Protect Your Business with Logging and Monitoring
Small and medium businesses are responsible for protecting sensitive customer information from threat actors trying to access their systems. This is especially concerning for organizations connected to critical infrastructure. A single data breach in one of these systems could disrupt services that communities rely on, or worse, go unnoticed until major damage is done.
In fact, during a recent red team exercise, CISA simulated a cyberattack on a critical infrastructure organization. The attackers were able to move laterally across systems and access sensitive information, but the intrusion was detected after analysis of network and log data flagged unusual activity.
Although cyber threats are rising, you can effectively and affordably strengthen defenses by logging and monitoring your systems.
What is logging and monitoring?
Every time someone logs in, accesses a file, or makes a change to your system, it leaves a digital record. Logging is the process of recording this activity on your business systems, including who accessed what, when, and from where. Monitoring adds a layer of oversight by reviewing those logs in real time to identify anomalies or unauthorized behavior. Together, they create a clear picture of normal, baseline behavior. That means you can quickly detect anything suspicious, like unauthorized access or attempted breaches.
Why does this matter?
Early detection of unusual activity is key to preventing data breaches, ransomware, and other costly incidents. Logs help your IT team to quickly detect suspicious activity, like unauthorized access or attempted breaches. Logging and monitoring empower your team to spot and respond to threats faster.
To help organizations get started, CISA offers no-cost tools, like Logging Made Easy and Malcolm, that make it simple to collect and review key system logs. It’s an easy first step toward stronger cybersecurity.
Logging and Monitoring in Three Steps
Even small teams can set up logging to baseline normal system behavior and better detect unusual behavior that may indicate cyber threats. Work with your IT team to establish logging and monitoring for your organization—CISA’s no-cost Logging Made Easy tool can help.
Set up logging.
- Determine what to log, such as user activity, admin actions, network traffic, application logins, system events and more.
- Enable logging on servers, firewalls, endpoint devices and cloud services. Effective logs should contain enough detail to aid incident responders.
- Centralize your logs with a log management solution. Centralization makes it easier to detect unusual activity.
Monitor logs regularly.
- Set up alerts for high-risk events (e.g., failed login attempts, privilege escalation).
- Review logs manually or with automated tools where possible.
- Train staff to recognize what suspicious activity looks like and have them review logs regularly for such activity.
Establish policies and procedures for logging and monitoring.
- Follow best practices when setting up logging and monitoring.
- Protect logs from unauthorized access or deletion by restricting and monitoring access and storing them securely.
- Retain logs in accordance with your policies and compliance needs.
- Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
The National Institute of Standards & Technology (NIST) has a playbook intended to help any organization plan improvements to its cybersecurity log management. See NIST SP 800-92 Rev. 1 Cybersecurity Log Management Planning Guide (2023).
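The alerting described in step two, as an added example (not code from CISA or from Logging Made Easy): it scans centralized authentication logs for bursts of failed logins from one source and for root-level commands run by accounts outside a known-admin baseline. The log format, the sample lines, the 5-failures-in-5-minutes threshold, the account names and the function name detect are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (auth.log style with ISO timestamps); not real data.
SAMPLE_LOG = """\
2025-03-04T09:15:01 web01 sshd[811]: Failed password for alice from 203.0.113.7 port 50022 ssh2
2025-03-04T09:15:09 web01 sshd[811]: Failed password for alice from 203.0.113.7 port 50023 ssh2
2025-03-04T09:15:30 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 50031 ssh2
2025-03-04T09:16:02 web01 sshd[640]: Failed password for carol from 198.51.100.9 port 41200 ssh2
2025-03-04T09:16:10 web01 sshd[813]: Failed password for root from 203.0.113.7 port 50040 ssh2
2025-03-04T09:16:44 web01 sshd[814]: Failed password for alice from 203.0.113.7 port 50052 ssh2
2025-03-04T09:17:20 web01 sshd[640]: Accepted password for carol from 198.51.100.9 port 41207 ssh2
2025-03-04T10:02:13 web01 sudo:  itadmin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2025-03-04T10:40:55 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd tmpadmin
"""

# Groups: timestamp, host, user, source address
FAILED = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
# Groups: timestamp, host, invoking user, command run as root
SUDO = re.compile(r"^(\S+) (\S+) sudo:\s+(\S+) : .*USER=root ; COMMAND=(.+)$")

def detect(lines, admins, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, timestamp, detail) tuples, in log order."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for line in lines:
        if m := FAILED.match(line):
            ts, src = datetime.fromisoformat(m[1]), m[4]
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)           # alert once per source to avoid flooding
                alerts.append(("failed_login_burst", m[1], src))
        elif m := SUDO.match(line):
            if m[3] not in admins:         # root command by a non-baseline account
                alerts.append(("unexpected_privilege_escalation", m[1], f"{m[3]}: {m[4]}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), admins={"itadmin"}):
        print(alert)
```

The single failed login from 198.51.100.9 followed by a success raises no alert, which is the kind of normal behavior a baseline should absorb.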

Printable Tips
Get the additional best practices in one handy, printable summary: “Level Up Your Cybersecurity Defenses.”
Share CISA's No-Cost Logging Tool with Your IT Team

Logging Made Easy
Use this no-cost CISA tool to help you collect, store and review logs so you can detect threats faster.

Logging Made Easy YouTube Playlist
Watch these training videos to help you get started with the LME tool.

Malcolm
Track and analyze network traffic with this no-cost open source tool for OT/ICS systems. Perfect for small to medium manufacturing or water/wastewater plants, healthcare facilities, etc.

Dive Deeper: Logging Best Practices
Download this joint guide which defines a baseline for logging best practices to mitigate malicious cyber threats.