Question: Are infrastructure logs consistently generated, retained, and protected from tampering?
Objective — Why This Matters
Logs are the forensic trail of accountability. Without consistent generation, central retention and protection against tampering, incident reconstruction and legal defensibility collapse: an attacker who can edit or delete the only copy of a log can erase the evidence of their own activity.
Maturity Levels (0 – 5)
Level 0 – No logging standards or retention policy.
Level 1 – Some systems log locally; no centralization.
Level 2 – Central syslog server collects key sources.
Level 3 – Structured logs; daily review; access controls applied.
Level 4 – Immutable storage and SIEM correlation.
Level 5 – Automated retention, WORM storage, and behavior analytics.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 2 | Write a logging standard and retention policy; deploy a central syslog collector and forward the key sources (authentication, privileged commands, firewalls, application errors). |
| 2 → 3 | Standardize on a structured log format (JSON); restrict who can read, delete or change retention on the central store; set a review cadence. |
| 3 → 4 | Enable WORM (object-lock) retention on the central store; integrate with a SIEM for correlation across sources. |
| 4 → 5 | Automate retention enforcement; add behavior analytics and tamper alerts (integrity checks on stored logs, alerts on deletions, retention changes and sources that stop sending). |
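The last two steps above (structured logs, then tamper alerts) can be illustrated with a small tamper-evident log chain. The script below is an added example, not code from the original page or from any of the tools it lists: it emits JSON log records chained by SHA-256 so that a modified, deleted or inserted line is detectable on verification, and it flags expected sources that have gone silent. The host names, events and timestamps are constructed sample data, and the function names are this example's own.

```python
"""Tamper-evident structured logging: added example (not part of the original
assessment page). Uses only the Python standard library; all hosts, events and
timestamps below are constructed sample data."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" value for the first record of a chain


def canonical(record: dict) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so that the
    hash does not depend on key order or formatting."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_hash: str, source: str, ts: datetime, event: str, **fields) -> str:
    """One JSON log line whose hash covers its own content and the previous
    line's hash, linking it into a hash chain."""
    record = {"ts": ts.isoformat(), "source": source, "event": event,
              "prev": prev_hash, **fields}
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def build_chain(events) -> list:
    """events: iterable of (source, ts, event, extra_fields) -> list of lines."""
    lines, prev = [], GENESIS
    for source, ts, event, fields in events:
        line = make_record(prev, source, ts, event, **fields)
        lines.append(line)
        prev = json.loads(line)["hash"]
    return lines


def verify_chain(lines) -> list:
    """Return (line_index, problem) pairs. A modified line fails its own hash;
    a deleted or inserted line breaks the prev-hash link of its successor."""
    problems, prev = [], GENESIS
    for i, line in enumerate(lines):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            problems.append((i, "unparseable"))
            continue
        claimed = record.pop("hash", None)
        if claimed != hashlib.sha256(canonical(record)).hexdigest():
            problems.append((i, "content hash mismatch (line modified)"))
        if record.get("prev") != prev:
            problems.append((i, "chain break (line deleted or inserted before this one)"))
        prev = claimed
    return problems


def silent_sources(lines, expected: set, now: datetime, max_gap: timedelta) -> set:
    """Expected sources with no record within max_gap of `now`: the hosts that
    drag down 'percentage of critical systems sending logs centrally'."""
    last_seen = {}
    for line in lines:
        r = json.loads(line)
        ts = datetime.fromisoformat(r["ts"])
        last_seen[r["source"]] = max(ts, last_seen.get(r["source"], ts))
    return {s for s in expected if s not in last_seen or now - last_seen[s] > max_gap}


# Constructed sample events (hypothetical hosts and users).
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("web01", T0, "sshd.login", {"user": "ops", "result": "success"}),
    ("db01", T0 + timedelta(minutes=1), "sudo", {"user": "ops", "cmd": "/bin/systemctl restart postgresql"}),
    ("web01", T0 + timedelta(minutes=5), "sshd.login", {"user": "root", "result": "failed"}),
    ("fw01", T0 + timedelta(minutes=30), "policy.drop", {"src": "203.0.113.7", "dst_port": 22}),
    ("web01", T0 + timedelta(minutes=55), "sshd.login", {"user": "ops", "result": "success"}),
]


def demo() -> dict:
    """Build the chain, then verify it intact, edited and with a line removed."""
    lines = build_chain(SAMPLE_EVENTS)
    # Tamper scenario 1: the failed root login is edited into a success.
    edited = list(lines)
    edited[2] = edited[2].replace('"result":"failed"', '"result":"success"')
    # Tamper scenario 2: the sudo record from db01 is deleted outright.
    deleted = lines[:1] + lines[2:]
    return {
        "intact": verify_chain(lines),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "silent": silent_sources(lines, {"web01", "db01", "fw01"},
                                 T0 + timedelta(hours=1), timedelta(minutes=45)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

What makes the chain tamper-evident is that the current head hash is periodically copied somewhere the logging host cannot alter (the central collector or the WORM bucket); without that anchor an attacker with write access to the file can simply rewrite every line and regenerate the chain. The silent-source check is the other half of "consistently generated": a host that stops forwarding looks identical to a quiet host unless something expects it to speak.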
People / Process / Technology Enablers
People – SOC Analyst, Infra Admin.
Process – Log review SOP, retention policy.
Technology – Rsyslog, Loki, OpenSearch, MinIO WORM.
Evidence Required
Log retention policy; sample records from the central store showing the key sources are present; access audit of the log store (who can read, delete, or change retention).
Metrics / KPIs
• Percentage of critical systems sending logs centrally
• Number of unauthorized log access attempts
• Average time to detect log anomalies (silent sources, gaps, integrity failures)
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Central logging | Rsyslog / Fluent Bit + Loki | Lightweight log aggregation. |
| Storage | MinIO WORM (S3 object lock) / SeaweedFS | Immutable archival. |
| Analytics | Grafana / OpenSearch Dashboards | Visualization and alerting. |
Common Pitfalls
Logs retained only on the originating host, so a compromised or failed host takes its evidence with it; deletion or overwrite (rotation, disk full, attacker cleanup) with no central copy; no alert when a source stops sending.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001:2022 | A.8.15 (Logging) / A.8.16 (Monitoring activities). |
| NIST CSF 2.0 | DE.CM-01 / PR.PS-04 (log records generated and made available for monitoring; PR.PT-1 in CSF 1.1). |
| CERT-In 2022 | Logs of all ICT systems retained for a rolling period of 180 days, within Indian jurisdiction; periodic review. |
| NIRMATA Scoring | IS-Q05 ≥ Level 4 requires immutable central storage. |