Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
 
Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Top 5 security logging best practices

Organizations that have to comply with regulatory mandates must retain this security log data for several years. In large IT environments, log management becomes difficult, as each workstation logs thousands of events and accumulates terabytes of data. Here are five security log retention best practices:

 

Archive log data centrally

Security logs serve as evidence when you want to conduct forensic analysis. For this reason, archiving all the logs centrally and ensuring their integrity is vital for complying with regulatory mandates. Ensure that you encrypt these logs while archiving, and also implement time stamping, hashing, and other techniques to secure the data.

 

Set the maximum security log size

Depending on your organization's audit requirement, set the maximum security log size to scale as more data is added to the network. This will prevent information loss due to insufficient storage, ensuring your compliance-readiness.

 

Implement a log retention policy

Security logs should be retained for longer periods when compared to other log types such as application log data, as they serve as evidence against data breaches and attacks. However, you can't store them forever. Setting up log retention policies is essential to retain the necessary log data, and delete the older data. The maximum security log size and retention policy configuration can be done on a local machine through Microsoft Event Viewer, or on all target computers through Group Policy.

 

Reduce event noise

Logging too many events makes it difficult to find the important ones during retention. This increases the probability of critical information being overlooked, so carefully configure your audit policy to log critical events such as logon failures, account lockouts, and file access to comply with regulations and ensure network security.

 

Synchronize the system clocks

For security log entries to have accurate time stamps during retention, the clocks on all systems should be synchronized. Even a small discrepancy in time can make it much harder to reconstruct the chain of events leading to a security lapse. Monitoring your system clocks weekly to check and correct any significant variations can bring down the chances of security incidents going undetected.

Be compliance-ready with
ADAudit Plus

Retaining and analyzing security logs for compliance requirements can be a cumbersome task for your organization. ADAudit Plus, a user behavior analytics (UBA) driven AD auditing solution from ManageEngine, not only helps archive security logs for as long as you want, but also provides prepackaged compliance reports for SOX, HIPAA, PCI, FISMA, GLBA, GDPR, and ISO.

Download a 30-day free trial.

ADAudit Plus Trusted By