Security Logging and Log Management
Systematic recording of security-related events in IT systems. The foundation for attack detection, forensics, and compliance verification. Without logging, incident response is blind—attackers can operate undetected.
Security logging is the recording of security-related events—logins, file changes, network connections, errors, and administrative actions. Log management encompasses the collection, normalization, storage, analysis, and retention of these logs.
Why logging is critical
Without logging:
- An attacker remains undetected for 194 days (IBM 2024 average)
- After an incident: no forensic trail, no liability documentation
- Compliance proof impossible (GDPR Art. 5, NIS2 Art. 21)
What needs to be logged?
Must-Have Log Sources
Active Directory / Entra ID:
- Event ID 4624: Successful login
- Event ID 4625: Failed login
- Event ID 4720: New user account created
- Event ID 4728: Member added to privileged group
- Event ID 4769: Kerberos service ticket (Kerberoasting detection)
- Event ID 7045: New service installed
Network (Firewall/Proxy):
- All outbound connections to new/unknown domains
- Connection attempts to blocked IPs
- Port scans and connection anomalies
- DNS queries (for C2 detection)
Endpoint (EDR/Windows):
- Process launches (which parent processes? Suspicious combinations?)
- PowerShell script block logging (content of each PS script)
- Registry changes in startup keys
- File creation in temp directories
Cloud (Azure AD, AWS CloudTrail):
- All API calls in AWS/Azure
- Admin activities
- Configuration changes
- Access to sensitive resources (S3 buckets, Key Vault)
Log Management Architecture
```
Log sources          Log aggregation                Analysis
───────────          ───────────────                ────────
Firewall  ─────────→ Log shipper (Beats)   ───────→ SIEM (Elastic/Splunk/Sentinel)
AD        ─────────→ Syslog/WEF            ───────→ Correlation rules
EDR       ─────────→ API                   ───────→ Dashboards
Cloud     ─────────→ Event Hub/Kinesis     ───────→ Alerting
```
Log Shipper Options
- Elastic Beats (Filebeat, Winlogbeat, Metricbeat) - Open Source
- Fluentd / Fluent Bit - Cloud-native, Kubernetes
- Splunk Universal Forwarder - for Splunk environments
- Windows Event Forwarding (WEF) - native, Windows to Windows
Retention Periods
| Compliance | Minimum Retention |
|---|---|
| GDPR Art. 5 (Accountability) | As long as processing takes place |
| BSI IT-Grundschutz DER.1 | 6–12 months (recommended) |
| NIS2 Art. 21 | No explicit period, but "verifiable" |
| PCI DSS 10.7 | 12 months (at least 3 months immediately available) |
| SOC2 | 90 days immediately available |
| GoBD (tax logs) | 10 years |
Practical recommendation: 90 days hot (quickly searchable), 1 year warm, 7–10 years cold (compliance).
What MUST NOT be logged
- Passwords (obviously: never)
- Full credit card numbers (PCI DSS)
- Personal data without necessity (GDPR)
- Session tokens (an attacker could take over the session if logs are stolen)
Pseudonymize user data in logs where possible (hash IP addresses, use a user ID instead of a name).
Setting up Windows PowerShell logging
PowerShell is the most popular attack tool in the Windows environment. Full logging is essential:
```powershell
# Via GPO: Computer Configuration → Administrative Templates → Windows Components → PowerShell
# Or directly in the registry. The policy keys do not exist by default, so
# create them first; Set-ItemProperty alone fails with "Cannot find path".
$base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

# Script Block Logging (content of every executed script, Event ID 4104)
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

# Module Logging (which modules were loaded); without the ModuleNames
# entry the setting is enabled but no module is actually logged
New-Item -Path "$base\ModuleLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name "EnableModuleLogging" -Value 1
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name "*" -Value "*"

# Transcription (complete session log written to text files)
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name "EnableTranscripting" -Value 1
```
Event ID 4104 (Script Block Logging) records the complete PowerShell code as it is executed, so obfuscated scripts appear in their de-obfuscated form at the moment they run.
SIEM Integration: Logs Alone Are Not Enough
Logs without correlation are data graveyards. SIEM rules transform logs into insights:
```
Alert: "Possible Kerberoasting"
Rule:  Event ID 4769 (TGS request) with RC4 encryption
       more than 20 times in 2 minutes
       from the same account
       → Immediate alert to SOC analyst
```
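The correlation rule above, implemented as a sliding-window detector over constructed sample events. This is an added example, not code from the original article or from any SIEM product; the event dictionaries, field names (`ts`, `event_id`, `account`, `enc`) and the sample data are assumptions, and `0x17` is the Ticket Encryption Type value for RC4-HMAC in a Windows 4769 event.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, account, enc, event_id=4769):
    """Build one normalized Kerberos event (constructed test data)."""
    return {"ts": ts, "event_id": event_id, "account": account, "enc": enc}


# Constructed sample events, not real log data.
SAMPLE_EVENTS = (
    # jdoe: 25 RC4 TGS requests in 25 seconds -> should alert
    [_ev(f"2024-05-01T10:01:{s:02d}", "jdoe", "0x17") for s in range(25)]
    # svc_backup: 30 AES-256 (0x12) requests in 30 seconds -> no alert, not RC4
    + [_ev(f"2024-05-01T10:02:{s:02d}", "svc_backup", "0x12") for s in range(30)]
    # admin: 21 RC4 requests spread over 200 seconds -> never >20 inside 2 minutes
    + [_ev(f"2024-05-01T10:{5 + (s * 10) // 60:02d}:{(s * 10) % 60:02d}", "admin", "0x17")
       for s in range(21)]
    # a 4768 (TGT) event with RC4 that the rule must ignore
    + [_ev("2024-05-01T10:01:05", "jdoe", "0x17", event_id=4768)]
)


def detect_kerberoasting(events, threshold=20, window=timedelta(minutes=2)):
    """Return {account: first alert time} for accounts that request more than
    `threshold` RC4 service tickets within any `window`-long span."""
    alerts = {}
    recent = defaultdict(deque)  # per-account timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort correctly
        if ev["event_id"] != 4769 or ev["enc"].lower() != "0x17":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["account"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > threshold and ev["account"] not in alerts:
            alerts[ev["account"]] = ts  # fire once per account, at the crossing point
    return alerts


if __name__ == "__main__":
    for account, when in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT Possible Kerberoasting: {account} at {when.isoformat()}")
```

Lowering `threshold` shows the trade-off the rule makes: at 12 the slow `admin` pattern also fires, so the numbers belong to your environment's baseline, not to the rule itself.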
Affordable options: Microsoft Sentinel (included for M365 environments, or starting at ~$1/GB), Elastic Security SIEM (open source), Wazuh (open source, self-hosted).