Without logs, you cannot prove who accessed sensitive data, detect theft or misuse in real time, or investigate breaches after they happen. If a customer database is stolen and you cannot show which employees accessed it or when, regulators will assume negligence and you may face penalties under DPDP Act 2023. An Indian e-commerce business once lost customer payment details but had no logs—they paid ₹50 lakh in fines and lost 10 major clients who moved to competitors with better security records. Without logs, you also cannot comply with audit requests from banks, insurance companies, or government bodies.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no system logs enabled and no security event records. When something goes wrong, you have no way to trace what happened or who did it.
Initial
You have enabled basic Windows Event Logs or router logs on some devices, but they are not being saved or reviewed. Logs are overwritten after a few days and no one is checking them.
Developing
You are manually saving some logs (printing or copying) to a shared folder once a week. A basic spreadsheet tracks logins on the main server, but mobile and cloud services are not logged.
Defined
You have a central log storage system (like a simple syslog server or cloud backup) collecting logs from servers and key workstations. Logs are kept for 90 days and reviewed monthly for obvious anomalies.
Managed
Logs from all systems (servers, workstations, firewalls, cloud apps, VPN) flow automatically to a central system. Logs are retained for 1+ year and reviewed monthly; alerts trigger automatically for high-risk events like failed logins or file deletions.
Optimised
All logs are centralized, encrypted, and immutable (cannot be deleted). Real-time alerts notify you of security events; logs are retained for 3+ years and analyzed quarterly with correlation across all systems to detect patterns.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Enable Windows Event Logs on all servers and the main workstation. Go to Settings > Security & Maintenance > Windows Event Viewer and turn on Admin, Security, and System logs. For non-Windows systems, enable syslog. | IT person or system administrator | 1 day |
| 1 → 2 | Set up log retention: Configure Event Log to keep logs for at least 30 days instead of overwriting daily. Create a shared network folder with restricted access and export logs weekly to that folder. Document which systems are logging and what each log contains. | IT person | 1 week |
| 2 → 3 | Deploy a centralized log server (e.g., open-source Graylog or commercial Splunk) or use cloud logging (AWS CloudWatch, Azure Monitor). Configure all servers, routers, firewalls, and key applications to send logs to this central point. Retain logs for 90 days minimum. | IT person or external consultant | 2-4 weeks |
| 3 → 4 | Add automated alerting: Set up rules to trigger notifications (email or SMS) for failed login attempts, privilege escalation, major file deletions, or access to sensitive folders. Extend retention to 1 year and review logs monthly for patterns. Document alert thresholds and response procedures. | IT person or security specialist | 1-2 months |
| 4 → 5 | Implement log immutability (use append-only log storage or write-once storage), enable encryption at rest and in transit, extend retention to 3+ years, conduct quarterly log analysis to detect advanced threats, and conduct annual log management audits. Ensure logs are segregated from production systems so attackers cannot alter them. | Security architect or external specialist | Ongoing |
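As an added example (not code from the page or from the NIRMATA programme), the Python below implements the 3 → 4 alert rules from the table as a small rule engine run over constructed Windows-style event lines. The line layout, the thresholds, the sensitive-folder prefixes and the sliding window are assumptions for this illustration; the event IDs (4625 failed logon, 4672 special privileges, 4660 object deleted, 4663 object access) are the standard Windows Security log IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your environment
FAILED_LOGON_LIMIT = 5                  # failed logons from one source address per window
DELETE_LIMIT = 3                        # object deletions by one user per window
WINDOW = timedelta(minutes=10)
SENSITIVE_PREFIXES = (r"D:\CustomerDB", "/srv/customer-db")
PRIV_EVENTS = {"4672", "4728", "4732"}  # special privileges assigned / member added to group
# Constructed sample lines (not real logs): timestamp host EventID user src [path]
SAMPLE_LOGS = r"""
2024-03-01T09:00:01 srv01 EventID=4625 user=ravi src=10.0.0.5
2024-03-01T09:00:03 srv01 EventID=4625 user=ravi src=10.0.0.5
2024-03-01T09:00:05 srv01 EventID=4625 user=ravi src=10.0.0.5
2024-03-01T09:00:07 srv01 EventID=4625 user=ravi src=10.0.0.5
2024-03-01T09:00:09 srv01 EventID=4625 user=ravi src=10.0.0.5
2024-03-01T09:01:00 srv01 EventID=4624 user=priya src=10.0.0.8
2024-03-01T09:02:10 srv01 EventID=4672 user=priya src=10.0.0.8
2024-03-01T09:03:00 fs01 EventID=4663 user=amit src=10.0.0.9 path=D:\CustomerDB\orders.mdb
2024-03-01T09:04:00 fs01 EventID=4660 user=priya src=10.0.0.8 path=D:\Shared\q1.xlsx
2024-03-01T09:04:05 fs01 EventID=4660 user=priya src=10.0.0.8 path=D:\Shared\q2.xlsx
2024-03-01T09:04:10 fs01 EventID=4660 user=priya src=10.0.0.8 path=D:\Shared\q3.xlsx
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) user=(\S+) src=(\S+)(?: path=(\S+))?")
def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None                     # unparseable lines are skipped rather than fatal
    ts, host, eid, user, src, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": eid, "user": user, "src": src, "path": path}

def _hits(bucket, ts):
    """Record ts and return how many events in this bucket fall inside the sliding WINDOW."""
    bucket.append(ts)
    bucket[:] = [t for t in bucket if ts - t <= WINDOW]
    return len(bucket)

def evaluate(lines):
    """Return one alert string per rule trigger; count-based rules fire once when the limit is reached."""
    alerts, windows = [], defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["id"] == "4625" and _hits(windows[("logon", rec["src"])], rec["ts"]) == FAILED_LOGON_LIMIT:
            alerts.append(f"brute-force: {FAILED_LOGON_LIMIT} failed logons from {rec['src']} within {WINDOW}")
        elif rec["id"] in PRIV_EVENTS:
            alerts.append(f"privilege change: event {rec['id']} for {rec['user']} on {rec['host']}")
        elif rec["id"] == "4660" and _hits(windows[("delete", rec["user"])], rec["ts"]) == DELETE_LIMIT:
            alerts.append(f"mass deletion: {rec['user']} deleted {DELETE_LIMIT} objects within {WINDOW}")
        elif rec["id"] == "4663" and rec["path"] and rec["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append(f"sensitive access: {rec['user']} opened {rec['path']} on {rec['host']}")
    return alerts
```

Running `evaluate(SAMPLE_LOGS)` produces four alerts (brute-force, privilege change, sensitive access, mass deletion) while the successful logon at 09:01 produces none; in Graylog or ELK the same rules would be expressed as stream rules or alerting conditions.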
Documents and records that prove your maturity level.
- A list or diagram showing which systems are logging (servers, workstations, firewalls, routers, cloud services, VPN, printers)
- Log retention policy document stating how long logs are kept and where they are stored
- Evidence of centralized log storage: screenshots of dashboard, folder structure, or cloud console showing logs being collected
- A sample of actual logs from the past 30 days covering login events, admin actions, and security alerts with timestamps
- Log review records or audit trail showing that someone reviewed logs at least monthly and documented findings or issues discovered
Prepare for these questions from customers or third-party reviewers.
- "Show me where your system logs are stored and prove they have been retained for at least the past 90 days."
- "Which systems in your network are currently logging, and which are not? How do you know if a system is logging or not?"
- "Tell me about the last time you reviewed your logs. What did you find? Did you discover any security issues or suspicious activity?"
- "If I asked you to find out which employee accessed the customer database on a specific date and time, could you do that today? Show me how."
- "How would you detect if someone hacked an admin account and deleted files? Walk me through the evidence you would use."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Centralized collection and storage of logs from all systems | Graylog (self-hosted, requires Linux server), ELK Stack (Elasticsearch, Logstash, Kibana), Splunk Free (limited to 500 MB/day, no alerting) | Splunk Enterprise (₹4-8 lakhs/year), Datadog (₹2-5 lakhs/year), Microsoft Azure Monitor (₹15,000-50,000/month depending on volume) |
| Simple log backup and basic analysis for small businesses | Windows Event Log Viewer (built-in), rsyslog (Linux), NXLog Community Edition | ManageEngine EventLog Analyzer (₹50,000-2 lakhs/year), Rapid7 InsightIDR (₹3-6 lakhs/year) |
| Automated alerts and notifications for security events | Graylog with custom rules, ELK Stack Alerting, open-source OSSEC (host-based intrusion detection) | Splunk Alert Manager (included in Enterprise), Wazuh Manager (₹1-2 lakhs/year for managed service) |
- Enabling logs but never reviewing them—logs are only useful if someone actually reads them and acts on findings. Many Indian MSMEs collect gigabytes of logs that nobody ever looks at, making them useless for security.
- Logs stored on the same server being attacked—if a hacker gains admin access, they can delete logs from the server itself. Logs must be sent to a separate, protected storage location or they provide no protection.
- Logs kept for too short a time—overwriting logs after 7 days means you miss advanced attacks that take weeks to notice. Regulators expect at least 90 days; best practice is 1+ year.
- Logging enabled but not documented—if you cannot explain what each log means, or you lose track of which systems are logging, logs become useless evidence. Maintain a simple spreadsheet listing all systems and what they log.
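The second pitfall above (logs that an attacker with admin access can delete) and the 4 → 5 immutability step share one defensive idea: a log store where removal or alteration is detectable. As an added example (not code from the page or from any of the products listed), the Python below hash-chains each record to the previous one and verifies the chain against a head hash kept off-host; record layout, sample records and the off-host anchor are assumptions for this illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # the "previous hash" used for the very first entry

def _link(prev_hash, record):
    # Each hash covers the previous hash, so editing or removing any entry breaks every later link
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain, record):
    """Append one record; returns the new head hash, which should be copied off-host."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"rec": record, "hash": _link(prev, record)})
    return chain[-1]["hash"]

def verify(chain, anchor):
    """Re-derive every hash. 'anchor' is the head hash last recorded off-host (for example by
    the central collector), so quietly deleting the newest entries is detected as well."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _link(prev, entry["rec"]) != entry["hash"]:
            return False, f"entry {i} altered, or an entry before it was removed"
        prev = entry["hash"]
    if prev != anchor:
        return False, "newest entries missing: head hash differs from off-host anchor"
    return True, "ok"

# Constructed sample records (not real logs)
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T09:00:01", "host": "srv01", "id": 4624, "user": "priya"},
    {"ts": "2024-03-01T09:02:10", "host": "srv01", "id": 4672, "user": "priya"},
    {"ts": "2024-03-01T09:04:00", "host": "fs01", "id": 4660, "user": "priya"},
]

def demo_tampering():
    """Build a chain, then report what verify() says about three kinds of tampering."""
    chain, anchor = [], GENESIS
    for rec in SAMPLE_RECORDS:
        anchor = append(chain, rec)
    deleted = copy.deepcopy(chain)
    del deleted[1]                                  # middle entry removed
    edited = copy.deepcopy(chain)
    edited[2]["rec"]["user"] = "ravi"               # entry rewritten in place
    truncated = copy.deepcopy(chain)[:-1]           # newest entry dropped
    return {"intact": verify(chain, anchor), "deleted": verify(deleted, anchor),
            "edited": verify(edited, anchor), "truncated": verify(truncated, anchor)}
```

The chain only proves tampering after the fact; it does not stop deletion, which is why the anchor (and ideally the whole copy) must live on a separate collector the production admin account cannot write to.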
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (processing of personal data) and Schedule 2 (accountability obligations)—organizations must maintain records of data processing activities and be able to demonstrate accountability |
| CERT-In 2022 | Directions 4.1.2 (logging and monitoring) and 4.1.8 (incident reporting)—critical infrastructure operators must maintain logs and ensure timely incident detection and reporting |
| ISO 27001:2022 | Annex A, A.5.23 (information security for supplier relationships) and A.8.15 (logging)—requires logging of user activities, exceptions, and security events with appropriate retention |
| NIST CSF 2.0 | Govern Function (GV) and Detect Function (DE)—GV.RO.191 (audit logging) and DE.AE.1 (system and network monitoring) require organizations to capture and retain logs for analysis |