Logging
Recording events from systems, applications, and network devices for monitoring and forensics.
Logs are the raw material for monitoring, detection, and forensics. Centralize them off-host (to a SIEM), because local logs are the first thing an attacker deletes to cover tracks, and synchronize clocks with NTP so events from different sources can be correlated into a timeline. Retention policy then balances compliance mandates, storage cost, and how far back investigations need to reach.
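An added example, not from the original page, of the correlation step described above: log lines from several hosts (constructed sample data, with assumed host names and timestamp conventions) are normalized to UTC and ordered into one timeline, and any host whose event timestamps disagree with the collector's receive time by more than a threshold is flagged as probably not synchronized via NTP.

```python
from datetime import datetime, timezone

# Constructed sample, not real data: (host, collector receive time in UTC, raw line).
# Each source uses a different timestamp convention, as mixed fleets do.
SAMPLE = [
    ("web01", "2024-03-10T14:02:11Z",
     "2024-03-10T14:02:10Z sshd[812]: Accepted publickey for deploy from 10.0.0.5"),
    ("db01", "2024-03-10T14:02:12Z",
     "Mar 10 14:02:12 db01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"),
    ("win01", "2024-03-10T14:02:13Z",
     "2024-03-10 08:55:13 -0500 EventID=4624 LogonType=10 User=deploy"),
    ("web01", "2024-03-10T14:02:15Z",
     "2024-03-10T14:02:14Z sudo: deploy : COMMAND=/usr/bin/systemctl status nginx"),
]

def parse_event_time(line, assumed_year):
    """Extract the event timestamp from a raw line and return it as aware UTC."""
    head = line.split(None, 3)
    if head[0].endswith("Z"):  # ISO 8601, e.g. 2024-03-10T14:02:10Z
        return datetime.strptime(head[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if len(head[0]) == 10 and head[0][4] == "-":  # "YYYY-MM-DD HH:MM:SS +HHMM"
        return datetime.strptime(" ".join(head[:3]), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    # BSD syslog "Mon DD HH:MM:SS" carries neither year nor zone, so both are
    # assumptions here: the collector's year and a source configured for UTC.
    stamp = f"{assumed_year} {' '.join(head[:3])}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

def build_timeline(records, assumed_year=2024):
    """Normalize each record to UTC and order all of them into one timeline."""
    events = []
    for host, received, line in records:
        received_utc = datetime.strptime(received, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        event_utc = parse_event_time(line, assumed_year)
        events.append({"host": host, "event_utc": event_utc, "received_utc": received_utc,
                       "skew_s": (received_utc - event_utc).total_seconds(), "line": line})
    return sorted(events, key=lambda e: e["event_utc"])

def skewed_hosts(events, max_skew_s=60):
    """Hosts whose event time disagrees with the collector's receive time by more
    than max_skew_s seconds: a sign of a host not synced via NTP (or delayed delivery)."""
    worst = {}
    for e in events:
        worst[e["host"]] = max(worst.get(e["host"], 0.0), abs(e["skew_s"]))
    return {h: s for h, s in worst.items() if s > max_skew_s}

if __name__ == "__main__":
    for e in build_timeline(SAMPLE):
        print(e["event_utc"].isoformat(), e["host"], f"skew={e['skew_s']:+.0f}s")
    print("clock skew suspected on:", skewed_hosts(build_timeline(SAMPLE)))
```

Without the UTC normalization the win01 logon would sort after the web01 events; with it, the seven-minute disagreement between its event time and the collector's receive time is exactly what an unsynced clock looks like in a SIEM.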