Blog post

Learning to love logging

Created:  05 Jul 2018
Updated:  05 Jul 2018
Author:  Shane M
Learning to love logging

We have just published some guidance which highlights the importance of logging, and crucially, explains how to go about capturing the kind of data that's central to understanding and recovering from a cyber breach.

This guidance comes in response to feedback from our incident response teams and external consultation work, where it’s all too common to hear that organisations either aren't gathering any logs at all, or believe they are logging only to find out their system is broken or insufficient when an incident actually occurs.

Following a cyber incident, analysing log data is often the only way to identify how an attacker got onto a network and what their impact has been. An organisation facing a cyber attack with no stored logs will have to play catch up – deploying rapid changes to gather logs. This greatly lengthens the investigation time and reduces its effectiveness.


The audience for the guidance is relatively wide. It applies to small organisations without a logging system in place, trying to understand what's appropriate, just as it does to larger organisations wanting to validate the types of logs that feed their current security monitoring.

Everyone’s network and IT are different, so we avoid focusing too much on technology. For example, collecting DHCP logs is useful in an on-premise office setup, but irrelevant in a digital cloud service.

Incident questions

Following the guidance to develop your own logging system, you'll be equipped with the data you need for detailed post-event analysis. To achieve this, the guidance first considers the type of questions you may be asked during an incident, then suggests how you could answer them, given a varied set of IT systems.

With this logging capability in place, you'll also be able to develop an effective detection activities. And indeed, this will be the subject of future guidance.

All comments are welcome, as always. Please tell us what you think by commenting below, through our contact us page, or via your usual NCSC contact.


Shane M

Lead Security Architect for Security Monitoring



Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No