What it is
Logs record all the actions that people take when they access your website or server.
Why it matters
Logs can alert you to an incident early, so you can stop it before it goes too far. They are also a key part of understanding how an incident occurred and when it started. Knowing when an action happened and who took it means you can resolve incidents quicker and get back to business as usual.
Without logs enabled it can be harder to detect when an incident happens, or establish the full scope of the incident.
How to protect your business
If you're not sure how to implement these steps, ask an IT provider for help.
Set up logs and email alerts for unusual or unexpected events
Each content management system (CMS) offers different options for logging events. You can set the logs up to notify you about any unusual events by email. It's a quick and easy way to see when something's up. Consider creating an email account specifically for the notifications – that way you can make sure they don't end up buried under your other emails.
Some important events you should set logs up for include:
Successful logins to your CMS and any other hosting software you use
For example, you might have access to WordPress to manage the content on your website, and cPanel to manage your web server and database. You can set up a log to record and notify you each time someone accesses them.
Changes to the files on your CMS and any other hosting software you use
For a lot of businesses, these things don't change that often. Setting up a log will let you know if there are any changes made without your knowledge. For example, if someone puts malicious files on your system, the log will record the action and alert you to it.
Changes to your log configurations
These will rarely change. If they do, it could mean that someone has access to your system and was able to disable your logs. If you're not alerted to something like this, you won't know what's going on with your site behind the scenes.
Failed logins and failed two-factor authentication (2FA)
You need to know if someone tries to access your account with an invalid username and password – but also if someone enters a valid username and password and then fails the second authentication factor. Failing 2FA is a strong sign that someone has obtained your username and password, and you need to change them immediately.
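To show what the four kinds of event above look like once they are turned into alerts, here is an added example that is not part of the CERT NZ page and not code from any CMS. It assumes a made-up "timestamp key=value" log line format (real WordPress, cPanel and audit-plugin logs each have their own formats, so the parsing regex would need adjusting), builds the alert text that an email notification would carry, and leaves the actual sending to whatever mail tool the hosting provider offers.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample log lines in a hypothetical "ts event=... key=value" format.
# Assumption: this layout is invented for the example; adapt parse_line() to the
# format your CMS or hosting panel actually writes.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z event=login_ok user=alice ip=203.0.113.5
2024-05-02T08:03:44Z event=login_fail user=admin ip=198.51.100.7 reason=bad_password
2024-05-02T08:03:51Z event=login_fail user=admin ip=198.51.100.7 reason=bad_password
2024-05-02T08:03:58Z event=login_fail user=admin ip=198.51.100.7 reason=bad_password
2024-05-02T08:04:02Z event=2fa_fail user=alice ip=198.51.100.7
2024-05-02T08:05:30Z event=file_change path=/var/www/html/wp-content/uploads/unexpected.php action=created
2024-05-02T08:06:00Z event=log_config_change setting=audit_log value=off
2024-05-02T09:00:00Z event=login_ok user=bob ip=203.0.113.9
not a log line at all
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if "event" not in fields:
        return None
    fields["ts"] = m.group("ts")
    return fields


def parse_log(text):
    """Parse every well-formed line; silently skip lines that do not parse."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(events, fail_threshold=3):
    """Map parsed events to (severity, message) alerts.

    Successful logins are reported one by one (the page suggests being told
    each time someone gets in); failed logins are counted per user and source
    address so a burst of guesses produces one alert rather than many.
    """
    alerts = []
    failures = Counter()
    for e in events:
        kind, ts = e["event"], e["ts"]
        user, ip = e.get("user", "?"), e.get("ip", "?")
        if kind == "login_ok":
            alerts.append(("info", f"{ts} successful login user={user} ip={ip}"))
        elif kind == "login_fail":
            failures[(user, ip)] += 1
        elif kind == "2fa_fail":
            # Valid password but failed second factor: the password is likely known
            # to someone else and should be changed straight away.
            alerts.append(("high", f"{ts} 2FA failed for user={user} ip={ip}; "
                                   "password probably compromised, change it now"))
        elif kind == "file_change":
            alerts.append(("high", f"{ts} file {e.get('action', 'changed')}: {e.get('path', '?')}"))
        elif kind == "log_config_change":
            # Logging being turned off is exactly what an intruder wants; treat as critical.
            alerts.append(("critical", f"{ts} log configuration changed: "
                                       f"{e.get('setting', '?')}={e.get('value', '?')}"))
    for (user, ip), n in failures.items():
        if n >= fail_threshold:
            alerts.append(("medium", f"{n} failed logins for user={user} from ip={ip}"))
    return alerts


def build_notification(alerts, to_addr="alerts@example.invalid"):
    """Build the email an alert run would send; the address is a placeholder."""
    msg = EmailMessage()
    worst = max((s for s, _ in alerts), key=["info", "medium", "high", "critical"].index, default="info")
    msg["Subject"] = f"[website alerts] {len(alerts)} event(s), highest severity: {worst}"
    msg["To"] = to_addr
    msg.set_content("\n".join(f"[{s.upper()}] {m}" for s, m in alerts))
    return msg


def alerts_for_sample():
    return classify(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(build_notification(alerts_for_sample()))
```

A dedicated mailbox for these messages, as the page recommends, keeps the "critical" subject lines from getting lost; the subject prefix above is there so a mail filter can route on it.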
Check and test your website every now and again
When an attacker gets access to a system, one of the first things they often do is disable logging. This makes their actions much harder to detect.
Every couple of months, check your log configurations and test them to see if they still work. Check the last modified date of the content and folders in your CMS too, and make sure none of your content has changed since the last time you updated it.
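The "has any content changed since I last updated it" check above can be done more reliably than by eyeballing last-modified dates, because a modification date can be set back to its old value while the content stays altered. Here is an added example (not code from the CERT NZ page or from any CMS) that takes a baseline of every file under a site directory, recording size, modification time and a SHA-256 hash, and later reports files that were added, removed or changed. The directory layout, file names and the `demo()` scenario are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (POSIX-style relative path) to size, mtime and hash."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(p),
            }
    return result


def compare(baseline, current):
    """Diff two snapshots; 'silent' lists changed files whose mtime did not move."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"])
    # A date-only check would miss these: content differs but the timestamp matches.
    silent = [p for p in modified if baseline[p]["mtime"] == current[p]["mtime"]]
    return {"added": added, "removed": removed, "modified": modified, "silent": silent}


def demo():
    """Build a tiny constructed site tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        uploads = site / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(site)

        # Simulated changes since the baseline: one edit, one new file, one deletion.
        (site / "index.php").write_text("<?php echo 'changed'; ?>\n")
        (uploads / "extra.php").write_text("<?php ?>\n")
        (uploads / "logo.png").unlink()
        # Put the edited file's timestamp back to its baseline value so the
        # comparison shows why hashing beats a last-modified-date check.
        old = baseline["index.php"]["mtime"]
        os.utime(site / "index.php", (old, old))

        return compare(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In use, `snapshot()` would be run once after each legitimate content update and the result saved somewhere the web server cannot write to; the periodic check then calls `compare()` against that saved baseline. Any entry in `added`, `removed` or `modified` that you cannot account for is worth treating like the file-change alert described earlier.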
Set up notifications for software and patch updates
It's a good idea to set software updates to happen automatically as soon as they're released. If you don't, set up a notification to tell you when new updates are available. They often contain security fixes that you should install as soon as possible.
Have a way for people to contact you when things don't seem right
Have an easy way people can contact you if they see something unusual on your site – for example, an email address for whoever's best placed to respond to IT queries.
Your contact details should be both on your website and in the searchable domain name details database, WHOIS. This database is often used by IT providers to find contact details for businesses – and it's also our first port of call if we ever need to contact you.
Talk to your domain name provider about making sure your details are included.
There's more detailed information about logs on the CERT NZ website.
You can also report an online issue or security incident to us at CERT NZ.