TL;DR
- Logs of various types are invaluable sources of evidence in incident response.
- Windows Event Logs: Ensure Security.evtx and System.evtx have increased sizes with archiving enabled and appropriate retention policies.
- Download and install Sysmon from Microsoft’s Sysinternals suite to capture additional system activity such as processes, network connections and file/registry changes.
- Enable VPN logging to track who connects, when and from where.
- Actively monitor your anti-virus/EDR logs and retain for extended periods.
- Consider enabling logging for individual and custom applications. Ensure logging of errors, exceptions and critical business actions.
- Ensure you have extended retention periods in case of an incident.
- If you can, centralise your logging. If you can’t, forward logs for retention.
Introduction
When responding to an incident, logs provide a vital record of events within a system and serve as a critical source of evidence during an incident investigation. They help identify what happened, where, when, and by whom.
With complete and well-configured logging, investigators can quickly reconstruct events such as unauthorised access or large data transfers and identify affected systems, users, and data.
For example, you check your emails one morning and find a ransom note saying that your company’s data is being held hostage. In a well-prepared environment, your incident response team can immediately pull logs: the Windows Event Logs show the authentication attempts, Sysmon traces the attacker’s process chain, and the anti-virus logs confirm where the payload was quarantined.
However, if you’re just starting out and want to protect your organisation, logging can seem overwhelming. With the numerous types of logs available, where would be the best place to begin?
The short answer is that it depends on your organisation’s environment and which systems are in place.
For this reason, we’ve chosen to keep it simple and discuss 5 types of logging which we think will apply to most organisations.
- Windows event logs
Windows Event Log files (EVTX) are enabled by default on Windows systems and use a default configuration for logging system, security, application and other event data. This default configuration determines which events are logged, for how long, the maximum size of each log, and what happens when a log reaches that maximum. You’ll need to consider adjusting audit policies, log sizes and retention settings to suit your organisation’s needs.
It is likely that an internal conversation will be required to decide upon maximum log sizes, given that there are various implications to consider, such as storage costs and compliance requirements. However, we would recommend setting the maximum size for Security.evtx to at least 1GB to avoid the possibility that critical events are overwritten. As with the configuration of most logs, these limits will depend on a few factors, such as the size of the business. For a small organisation with only a handful of users, a smaller limit would suffice, along with appropriate retention policies.
In line with this, it is recommended that you select ‘Archive the log when full, do not overwrite events’ and retain the archived files for an agreed period, rather than the alternative option of overwriting once full. These changes can be made via Windows Event Viewer by right clicking a log and selecting ‘Properties’.
If cost implications are a limiting factor for your organisation when making these decisions, it would be wise to prioritise the increased size and retention of Security.evtx and System.evtx and use event filtering to forward only the most critical logs, such as failed logon attempts and the escalation of account privileges, into a SIEM (if you have one!).
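The size and archiving changes described above can be scripted rather than clicked through in Event Viewer. The following is an added example, not code from the original post: it sets the maximum size and ‘archive when full’ mode on Security.evtx and System.evtx, reads the settings back, and spot-checks that the two critical event types mentioned above (failed logons, Event ID 4625, and privileged logons, Event ID 4672) are actually being generated, since a forwarding filter for them is useless if the audit policy never produces them. The 1GB and 256MB figures are assumed values for illustration; it needs an elevated prompt.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Sizes below are assumptions for illustration; agree your own limits internally.
$targets = @{
    'Security' = 1GB      # the post's recommended floor for Security.evtx
    'System'   = 256MB    # assumed value; size this to your environment
}

function Set-LogRetention {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][long]$MaxBytes
    )
    # Get-WinEvent -ListLog returns an EventLogConfiguration object that can be saved back.
    $log = Get-WinEvent -ListLog $LogName
    $log.MaximumSizeInBytes = $MaxBytes
    # AutoBackup = "Archive the log when full, do not overwrite events".
    # The alternatives are Circular (overwrite oldest) and Retain (stop logging when full).
    $log.LogMode = 'AutoBackup'
    $log.SaveChanges()
}

foreach ($name in $targets.Keys) {
    Set-LogRetention -LogName $name -MaxBytes $targets[$name]
}

# Read the settings back. Anything still Circular, or a Security log under 1GB, is a gap.
Get-WinEvent -ListLog 'Security', 'System' |
    Select-Object LogName, LogMode,
        @{ Name = 'MaxMB';  Expression = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
        @{ Name = 'UsedMB'; Expression = { [math]::Round($_.FileSize / 1MB) } }

# Spot-check that the events you intend to forward are being generated at all.
# 4625 = failed logon, 4672 = special privileges assigned to a new logon.
function Test-CriticalEventsPresent {
    param([int]$Days = 7)
    foreach ($id in 4625, 4672) {
        $hits = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = $id; StartTime = (Get-Date).AddDays(-$Days)
        } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{ EventId = $id; SeenInLastDays = $Days; Present = [bool]$hits }
    }
}
Test-CriticalEventsPresent -Days 7 | Format-Table -AutoSize

# The built-in tool does the same size/retention change in one line, handy for batch scripts:
#   wevtutil sl Security /ms:1073741824 /rt:true /ab:true
```

Two caveats a practitioner will want. First, archiving alone only moves the problem: the archived files land in %SystemRoot%\System32\winevt\Logs and will eventually fill the disk unless something copies them off the host, so pair this with the forwarding or central collection discussed later. Second, if 4625 or 4672 never appear, the fix is the audit policy (auditpol.exe, or Group Policy under Advanced Audit Policy Configuration), not the log size. Across a domain, the same size and retention settings are applied through Group Policy under Windows Components, Event Log Service, rather than per host.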
- Sysmon (system monitor)
Here’s one that, as investigators, we hardly ever see in the wild, despite it being an invaluable source of evidence in incident response investigations.
Sysmon is a tool from Microsoft’s Sysinternals suite that extends the Windows Event Log with detailed system activity records. It captures activity that standard Windows event logging does not, which makes it highly useful for security monitoring and threat detection.
Examples of these additional activities include:
- Process creation with command-line arguments.
- File creation, modifications, and deletions.
- Registry changes.
- Network connections.
Sysmon allows for enhanced threat detection by providing visibility into both process and network activity. This helps us identify malicious behaviour, such as the execution of malicious scripts, abnormal network connections and unauthorised changes to system files and/or registry keys. It also provides vital forensic artefacts, such as hashes of executed files and timestamps for logged events.
Sysmon logs can also be ingested into a SIEM solution, if you have one, which allows for the correlation of data with other data sources.
Best of all, it’s free to use! Sysmon is a valuable tool in building a robust security posture for your environment.
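Below is an added example, not code from the original post or from Sysinternals, of the smallest useful Sysmon deployment: a configuration that records the four activity types listed above, the install command, and a function that reads process-creation events (with their command lines, parent process and hashes) back out of Sysmon’s own event channel. It assumes Sysmon64.exe has already been downloaded to C:\Tools\Sysmon (an assumed path), an elevated prompt, and a current Sysmon release for the schema version shown.

```powershell
# Added example (not from the original post or Sysinternals).
# Assumes Sysmon64.exe is in C:\Tools\Sysmon (assumed path) and an elevated prompt.
$sysmonDir  = 'C:\Tools\Sysmon'
$configPath = Join-Path $sysmonDir 'sysmon-minimal.xml'

# Minimal configuration. onmatch="exclude" with no rules inside means "log all of this type".
# That is deliberately noisy; add exclude rules for known-good activity before wide rollout.
# If your Sysmon build rejects the schema version, run "Sysmon64.exe -s" to print the one it expects.
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />   <!-- Event ID 1: process start with command line -->
    <NetworkConnect onmatch="exclude" />  <!-- Event ID 3: network connections -->
    <FileCreate onmatch="exclude" />      <!-- Event ID 11: file creation -->
    <RegistryEvent onmatch="exclude" />   <!-- Event IDs 12-14: registry changes -->
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Install the driver and service with this configuration (-c <file> updates it later).
& (Join-Path $sysmonDir 'Sysmon64.exe') -accepteula -i $configPath

# Sysmon writes to its own channel, so size and archive it like Security.evtx:
#   wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:1073741824 /rt:true /ab:true

# Pull recent process creations, flattening the EventData fields into objects.
function Get-RecentProcessCreates {
    param([int]$Minutes = 60)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
            Hashes      = $d['Hashes']      # e.g. "SHA256=..." per the HashAlgorithms setting
        }
    }
}

Get-RecentProcessCreates -Minutes 60 | Format-Table -AutoSize
```

The same flattening pattern works for the other Sysmon event IDs (change `Id = 1` to 3 for network connections, 11 for file creation, or 12, 13, 14 for registry activity). Tune the configuration on a pilot host first: with the empty exclude lists above, a busy server can generate tens of thousands of events an hour, which is exactly why the channel needs the same size and archive settings as Security.evtx.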
- VPN
Beyond being required by various regulations, VPN logging also provides a critical source of evidence when it comes to detecting unauthorised access to your network, by tracking not only who is connecting but also when and from where. This is crucial information for detecting abnormalities, such as logons outside of typical working hours or logon attempts from suspicious or unexpected locations. Without adequate logging, it may be impossible to tell who connected, let alone when and from where.
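As an added example, not part of the original post, the following shows what a first-pass review of VPN connection records for the abnormalities just described looks like: logons outside working hours, logons from unexpected countries, and failed attempts. The CSV rows are constructed sample data; real exports differ by vendor, so the column names (Timestamp, User, SourceIP, Country, Result), the GB-only allow list and the 07:00 to 19:00 working hours are all assumptions to map onto your own product’s fields and your own environment.

```powershell
# Added example (not from the original post). The log below is constructed sample data.
$vpnLog = @'
Timestamp,User,SourceIP,Country,Result
2024-03-04T08:02:11Z,alice,203.0.113.10,GB,Success
2024-03-04T13:45:02Z,bob,198.51.100.7,GB,Success
2024-03-04T23:17:40Z,alice,203.0.113.10,GB,Success
2024-03-05T03:12:09Z,svc-backup,192.0.2.55,US,Success
2024-03-05T03:12:31Z,svc-backup,192.0.2.55,US,Failure
2024-03-05T09:30:00Z,carol,198.51.100.22,GB,Success
'@

$allowedCountries  = @('GB')   # assumed: where your staff normally connect from
$workStart, $workEnd = 7, 19   # assumed working hours, compared in UTC below

function Find-SuspiciousVpnLogons {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [string[]]$Allowed,
        [int]$Start,
        [int]$End
    )
    $Csv | ConvertFrom-Csv | ForEach-Object {
        # Timestamps carry a zone suffix, so normalise to UTC before comparing hours.
        $t = ([DateTimeOffset]$_.Timestamp).UtcDateTime
        $reasons = @()
        if ($t.Hour -lt $Start -or $t.Hour -ge $End) { $reasons += 'outside-hours' }
        if ($_.Country -notin $Allowed)                { $reasons += "country=$($_.Country)" }
        if ($_.Result -ne 'Success')                   { $reasons += 'failed' }
        if ($reasons) {
            [pscustomobject]@{
                TimeUtc  = $t
                User     = $_.User
                SourceIP = $_.SourceIP
                Reasons  = $reasons -join ', '
            }
        }
    }
}

# On the sample data this flags alice's 23:17 logon (outside-hours) and both
# svc-backup rows (outside-hours, country=US; the second one also failed).
Find-SuspiciousVpnLogons -Csv $vpnLog -Allowed $allowedCountries -Start $workStart -End $workEnd |
    Format-Table -AutoSize
```

Three flags in a day is manageable to review by hand; the point of the exercise is that none of them can be raised at all if the VPN concentrator is not writing the user, time and source fields in the first place. A service account such as the constructed svc-backup one may legitimately connect overnight, so the next refinement is a per-user baseline rather than one global working-hours window.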
- Antivirus/EDR
You’re probably thinking, “Of course we have antivirus software!”, but how often and how closely do you monitor the logs?
Antivirus (AV) logs can be another valuable source of information for investigators. They record a wide range of security events and, when used properly, can significantly improve the ability to detect, analyse and respond to an incident.
Should you become the victim of a security incident, these logs will provide invaluable information, such as:
- Timestamps
- Event Types
- Malware Signatures
- File path & hash
- Process/Executable
- Implicated user & device
- Any action taken by the AV software
Configure your AV software to enable detailed logging and be sure to store logs for an extended period to allow for retrospective analysis. It’s all well and good having AV software, but you’ve lost a valuable source of information if the logs have been and gone by the time it comes to an investigation!
Last but certainly not least, you need to be actively monitoring your AV logs. With detailed logging, extended retention periods and active monitoring, you can significantly enhance your business’ incident response capabilities and detect potential threats sooner.
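To make the list above concrete, here is an added example, not code from the original post, that pulls those fields (timestamp, event type, malware signature, file path, process, user and device, and the action taken) out of Microsoft Defender Antivirus’ own event channel, and sizes that channel so the records survive long enough to be useful. It assumes Defender is the AV in use; other products write to their own log directories or management consoles. The EventData field names are those seen in Defender detection events; verify them on one real event with `(Get-WinEvent ...).ToXml()` before relying on them.

```powershell
# Added example (not from the original post). Assumes Microsoft Defender Antivirus.
# Event ID 1116 = malware or unwanted software detected, 1117 = action taken on it.
$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-DefenderDetections {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = $defenderLog
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        # EventData field names as they appear in Defender events; confirm on your build.
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated          # timestamp
            EventId = $_.Id                   # event type (1116 detected / 1117 actioned)
            Threat  = $d['Threat Name']       # malware signature
            Path    = $d['Path']              # file path
            Process = $d['Process Name']      # process/executable involved
            User    = $d['Detection User']    # implicated user
            Device  = $_.MachineName          # implicated device
            Action  = $d['Action Name']       # action taken by the AV
        }
    }
}

Get-DefenderDetections -Days 30 | Format-Table -AutoSize

# The Defender channel has its own, small default size. Apply the same size and
# archive settings recommended for Security.evtx so detections are not overwritten:
#   wevtutil sl "Microsoft-Windows-Windows Defender/Operational" /ms:268435456 /rt:true /ab:true
```

Run the query on a schedule and forward the results (or the raw 1116/1117 events) to wherever your other logs are collected; a detection that sits unread on an endpoint for three months is the “been and gone” situation described above. File hashes are not in these events, so if you need them for matching against other sources, take them from Sysmon’s process-creation records for the same path and time.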
- Application logs
Application logs store a record of events which are generated by various applications. Not only are these useful in troubleshooting performance issues, but they can also be helpful in detecting unauthorised access.
When configuring application logs, do consider:
- Logging errors and exceptions
- Keeping record of any business-critical actions (think financial transactions, for example)
- The varying importance of individual event types – particularly user logons (including failed logons!), configuration changes, API requests, etc.
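The following added example, which is not code from the original post, shows one way to act on those three points for an in-house application: it writes failed logons, configuration changes, business-critical actions and unhandled errors into the Windows Application log under a registered source, so they inherit the same size, archive and forwarding settings as everything else on the host. The source name ContosoPayments, the event IDs and the sample field values are all assumed. It uses the Windows PowerShell 5.1 `*-EventLog` cmdlets (not available in PowerShell 7) and needs an elevated prompt the first time, to register the source.

```powershell
# Added example (not from the original post). Windows PowerShell 5.1; elevated once to register the source.
$source = 'ContosoPayments'   # assumed application name
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# One fixed ID per event type makes SIEM rules and dashboards simple to write. Assumed values.
$AppEvent = @{ LogonFailed = 4001; ConfigChanged = 4002; PaymentApproved = 4003; UnhandledError = 4999 }

function Write-AppAuditEvent {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LogonFailed', 'ConfigChanged', 'PaymentApproved', 'UnhandledError')]
        [string]$Type,
        [Parameter(Mandatory)][string]$User,
        [hashtable]$Details = @{}
    )
    # A single JSON message keeps the record machine-readable once it is forwarded.
    $body = @{
        timestamp = (Get-Date).ToUniversalTime().ToString('o')
        eventType = $Type
        user      = $User
    } + $Details
    $entryType = switch ($Type) {
        'LogonFailed'    { 'FailureAudit' }
        'UnhandledError' { 'Error' }
        default          { 'Information' }
    }
    Write-EventLog -LogName Application -Source $source -EventId $AppEvent[$Type] `
        -EntryType $entryType -Message ($body | ConvertTo-Json -Compress)
}

# Constructed sample events covering the three points above (user logons, config changes,
# business-critical actions) plus an error.
Write-AppAuditEvent -Type LogonFailed     -User 'alice' -Details @{ sourceIp = '203.0.113.10'; reason = 'bad-password' }
Write-AppAuditEvent -Type ConfigChanged   -User 'admin' -Details @{ setting = 'approval_threshold'; old = 1000; new = 50000 }
Write-AppAuditEvent -Type PaymentApproved -User 'bob'   -Details @{ amount = 49990; currency = 'GBP'; payee = 'ACME-1234' }
Write-AppAuditEvent -Type UnhandledError  -User 'bob'   -Details @{ exception = 'TimeoutException'; endpoint = '/api/payments' }

# Read them back the same way as any other Windows event:
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source } -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Notice what the sample makes visible when read in order: a failed logon, then the approval threshold raised fifty-fold, then a payment just under the new threshold. Individually each event is routine; together they are the kind of sequence an investigator needs to be able to reconstruct, and none of it is recoverable if the application only logged to a rotating text file on a server that has since been rebuilt.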
Conclusion
In the case of an attack, logs will allow responders to see who did what, and when. Aside from enabling investigators to identify the root cause of an attack, logged error messages will lead investigators to the source of the issue, allowing for a faster recovery time for your business.
Configuration is key! If you log too little, you’ll be missing vital information. If you log too much, you’ll face storage issues and unnecessary noise.
Last but by no means least… if you can, centralise your logging! Use a SIEM solution if you have one, as this will allow the correlation of various data sources. Otherwise, ensure that you set up some form of log forwarding from endpoints to ensure that you don’t lose visibility in case of an incident.
Review your logging configuration today – before you need it!