Logging and monitoring
Logging and monitoring describe the systematic recording and continuous analysis of security-relevant events in IT systems, making attacks, misconfigurations and policy violations detectable and traceable.
Logging is the structured recording of events in IT systems, applications and networks, such as sign-in attempts, access to sensitive data, configuration changes or failed authentications. Monitoring is the continuous observation and analysis of this log data in order to detect anomalies, attack patterns and security incidents as early as possible. Together they form the technical foundation for traceability, evidence preservation and incident response, making them a central building block of any information security management system.
From a legal perspective, adequate logging is anchored in several frameworks: the NIS2 Directive and its national transposition require essential and important entities to put in place measures for handling and detecting security incidents, which is impossible without reliable log data. The BSI IT-Grundschutz (in particular module OPS.1.1.5 Logging) and ISO/IEC 27001 (Control 8.15 Logging, 8.16 Monitoring activities) specify which events must be captured, protected against tampering and analysed. At the same time, the limits of the GDPR must be respected, as logs regularly contain personal data and are subject to the principle of data minimisation and to retention and deletion periods.
In practice, logs are collected centrally, time-synchronised (typically via NTP) and stored in a tamper-resistant way, usually by forwarding them to a separate, access-restricted system such as a SIEM that correlates events from different sources and triggers alerts. Key requirements are the completeness of the events captured, the protection of logs against alteration and unauthorised access (write-once storage, hash chaining or signing of log records, and strict access control on the log system itself), reliable time synchronisation so that events from different systems can be ordered for forensic analysis, and defined retention and deletion periods that balance forensic needs against the GDPR's data-minimisation requirements. Only regular, partly automated analysis turns raw data into actionable insight; mere storage without monitoring does not fulfil the protective purpose.
Legal Basis
Art. 21(2) NIS2 Directive (EU) 2022/2555; BSI IT-Grundschutz OPS.1.1.5 (Logging); ISO/IEC 27001:2022 Controls 8.15 and 8.16; Art. 5 and 32 GDPR
Practical Example
A mechanical engineering company that qualifies as an important entity under NIS2 introduces central logging for Active Directory, firewalls and its ERP system and forwards the logs to a SIEM. When an administrative account repeatedly signs in at night from a country outside its usual baseline, a correlation rule triggers an alert; the security team locks the account, analyses the logs forensically and, because the firewall logs cover the outbound traffic of the relevant period, can show that no data was exfiltrated. Without tamper-resistant, time-synchronised logs from all three sources, neither the rapid detection nor the evidence for the supervisory authority would have been possible.
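The following is an added example (not code from the original page or from any particular SIEM product) illustrating two of the points above: the tamper-resistant storage described in the practice section, implemented here as a SHA-256 hash chain over log records, and the correlation rule from the practical example, run over a handful of constructed sign-in events. The event format, the field names, the night-hours window, the per-account baseline of countries and the alert threshold are all assumptions made for this example; a real SIEM would take these from parsed Windows Security or firewall logs and from a tuned rule set.

```python
"""Added example: hash-chained log storage plus a correlation rule.

Not from the original page. Event format, baseline and thresholds are
assumptions chosen for illustration.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real log data). Timestamps are UTC, as a
# time-synchronised source would emit them, so hours compare across systems.
SAMPLE_EVENTS = [
    {"ts": "2024-03-11T09:12:05Z", "user": "j.mueller",  "admin": False, "country": "DE", "result": "success"},
    {"ts": "2024-03-11T02:03:41Z", "user": "adm-backup", "admin": True,  "country": "DE", "result": "success"},
    {"ts": "2024-03-12T02:14:09Z", "user": "adm-backup", "admin": True,  "country": "BR", "result": "success"},
    {"ts": "2024-03-12T02:15:30Z", "user": "adm-backup", "admin": True,  "country": "BR", "result": "success"},
    {"ts": "2024-03-13T01:58:12Z", "user": "adm-backup", "admin": True,  "country": "BR", "result": "success"},
    {"ts": "2024-03-13T10:40:00Z", "user": "adm-backup", "admin": True,  "country": "DE", "result": "success"},
]

# Assumed per-account baseline: countries from which sign-ins are expected.
BASELINE_COUNTRIES = {"adm-backup": {"DE"}, "j.mueller": {"DE"}}
NIGHT_HOURS = range(0, 6)   # assumed "night" window, 00:00-05:59 UTC
ALERT_THRESHOLD = 3         # assumed: alert on the third matching sign-in
GENESIS_HASH = "0" * 64


def _canonical(event):
    """Stable serialisation so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def chain_logs(events, prev_hash=GENESIS_HASH):
    """Store events as a hash chain: each record commits to its predecessor.

    Altering or deleting any earlier record changes every later hash, so
    tampering is detectable as long as the final hash is kept elsewhere.
    """
    records = []
    for ev in events:
        h = hashlib.sha256((prev_hash + _canonical(ev)).encode()).hexdigest()
        records.append({"event": dict(ev), "prev": prev_hash, "hash": h})
        prev_hash = h
    return records


def verify_chain(records, genesis=GENESIS_HASH):
    """Return the index of the first inconsistent record, or None if intact."""
    prev = genesis
    for i, rec in enumerate(records):
        expected = hashlib.sha256((prev + _canonical(rec["event"])).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return None


def correlate_admin_night_signins(events, baseline, threshold=ALERT_THRESHOLD):
    """Correlation rule: successful admin sign-ins, at night, from an
    unexpected country, repeated at least `threshold` times per account."""
    hits = defaultdict(list)
    for ev in events:
        if ev["result"] != "success" or not ev["admin"]:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts.hour not in NIGHT_HOURS:
            continue
        if ev["country"] in baseline.get(ev["user"], set()):
            continue
        hits[ev["user"]].append(ev)
    return {user: evs for user, evs in hits.items() if len(evs) >= threshold}


if __name__ == "__main__":
    records = chain_logs(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(records) is None)
    for user, evs in correlate_admin_night_signins(SAMPLE_EVENTS, BASELINE_COUNTRIES).items():
        print(f"ALERT {user}: {len(evs)} night-time admin sign-ins from unexpected countries")
        for ev in evs:
            print("   ", ev["ts"], ev["country"])
```

On the sample data the rule fires once, for adm-backup, whose three night-time sign-ins from BR exceed the threshold; the 02:03 sign-in from DE is ignored because DE is in the account's baseline. The hash chain only proves integrity relative to its last hash, so in practice that value (or a signature over it) must be stored outside the log system, for example written to a separate append-only store at regular intervals.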