Question: Are endpoint logs and telemetry collected centrally for detection, investigation, and compliance purposes?
Why This Matters
Centralized logging enables early detection of anomalies and provides forensic evidence during incidents. It also satisfies regulatory audit requirements.
Maturity
0 — Unaware
No endpoint logging beyond OS defaults.
1 — Ad Hoc
Logs viewed locally only when incidents occur.
2 — Defined
Central log server established; limited scope.
3 — Managed
All critical endpoints forward logs; retention policy defined.
4 — Integrated
Logs enriched and correlated within SIEM / EDR / SOC tools.
5 — Optimized
Behavioral analytics and anomaly detection continuously tuned.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Enable OS event logging (Windows Event Log / syslog). |
| 1 → 2 | Deploy lightweight log forwarder to central host. |
| 2 → 3 | Define retention policy (≥ 90 days); include critical workloads. |
| 3 → 4 | Integrate with SIEM or EDR for correlation. |
| 4 → 5 | Implement analytics / ML rules for proactive detection. |
Enablers
- People: SOC analyst, IT admin, compliance auditor.
- Process: Log review schedule, alert triage workflow.
- Technology: Fluent Bit / Syslog / Wazuh / Loki / SIEM.
Evidence
- Log retention policy.
- SIEM dashboards / queries.
- Sampling of endpoint log events stored centrally.
KPIs
- Percentage of endpoints forwarding logs.
- Average log delay to SIEM.
- Detection-to-response time.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Log collection | Fluent Bit / Filebeat | Lightweight agent for Windows/Linux. |
| Storage | Loki / Elastic / Graylog | Central aggregation and search. |
| Analytics | Wazuh SIEM | Free correlation and alerts. |
Common Pitfalls
- Over-collection without retention planning.
- No time synchronization (NTP), leading to inaccurate incident timelines.
- Ignoring privacy considerations in log content.
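The KPIs above (percentage of endpoints forwarding logs, average log delay) and the NTP pitfall can be checked with a small script run against an endpoint inventory and the SIEM's ingest records. The following is an added example, not part of the original assessment and not tied to any of the listed tools; the inventory and ingest records are constructed sample data, and the one-hour "still forwarding" window is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (hostname -> is this a critical workload?).
INVENTORY = {"ws-001": False, "ws-002": False, "db-01": True,
             "db-02": True, "ad-01": True, "fs-01": True}

# Constructed SIEM ingest records: (hostname, event_time, ingest_time), all UTC.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
INGESTED = [
    ("ws-001", T0, T0 + timedelta(seconds=20)),
    ("db-01", T0, T0 + timedelta(seconds=40)),
    ("ad-01", T0, T0 + timedelta(seconds=60)),
    # Event timestamp is 5 minutes AHEAD of the SIEM receive time: clock skew.
    ("fs-01", T0 + timedelta(minutes=5), T0),
]

def log_kpis(inventory, ingested, now, max_age=timedelta(hours=1)):
    """Compute forwarding coverage, critical gaps, mean ingest delay and skewed hosts."""
    latest_seen, delays, skewed = {}, [], set()
    for host, event_time, ingest_time in ingested:
        if host not in inventory:
            continue  # unknown sender: not counted here, but worth its own review
        delay_s = (ingest_time - event_time).total_seconds()
        if delay_s < 0:
            skewed.add(host)  # a negative delay only happens when clocks disagree
        else:
            delays.append(delay_s)
        latest_seen[host] = max(latest_seen.get(host, ingest_time), ingest_time)
    # An endpoint counts as "forwarding" only if something arrived within max_age of now.
    forwarding = {h for h, t in latest_seen.items() if now - t <= max_age}
    return {
        "coverage_pct": 100.0 * len(forwarding) / len(inventory),
        "critical_gaps": sorted(h for h, crit in inventory.items()
                                if crit and h not in forwarding),
        "mean_delay_s": sum(delays) / len(delays) if delays else None,
        "skewed_hosts": sorted(skewed),
    }

def demo_kpis():
    """Run the check against the constructed data, 30 minutes after T0."""
    return log_kpis(INVENTORY, INGESTED, T0 + timedelta(minutes=30))

if __name__ == "__main__":
    for key, value in demo_kpis().items():
        print(f"{key}: {value}")
```

Hosts listed under `critical_gaps` are the ones that block a Level 3 claim ("all critical endpoints forward logs"), and any host under `skewed_hosts` needs its time source fixed before its timeline can be trusted.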
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.8.16 (Logging and Monitoring) |
| CERT-In 2022 | Section 11 (Security Monitoring and Audit Logs) |
| DPDP Act 2023 | Sec 9 (Processing Safeguards) |
| NIST CSF 2.0 | DE.CM-01 to DE.CM-07 |
| NIRMATA Mapping | EP-Q08 feeds into SOC metrics and audit trail requirements. |