CMMC 1.0 Practice AU.3.045 Requirement:
Review and update logged events.
CMMC 1.0 AU.3.045 Requirement Explanation:
Maintaining a documented list of the security logs you intend to collect lets you tune your audit logging program: you save storage and reduce alert fatigue for the personnel who review the logs. Update the list to reflect the threats and incidents your organization actually encounters. A review is especially worthwhile after a security incident, since collecting additional logs might have allowed the incident to be detected earlier.
Example CMMC 1.0 AU.3.045 Implementation:
Document the list of security-related logs your organization should capture. Examples include user logins, password changes, group membership changes, and account creations. What you collect may differ per system; for a VPN you may also want to record which users connect and when. Periodically (e.g. annually) review this list to determine whether you are collecting the right logs to identify security incidents. You may also identify logs you no longer need; omitting these frees storage for the logs that matter more.
CMMC 1.0 AU.3.045 Scenario(s):
- Scenario 1:
You find unauthorized software on a user's workstation. The user denies installing it. You review the system logs and cannot find any event indicating who installed the software. To prevent this in the future, you update the logs your workstations collect to include the Windows event IDs for software installation.
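The scenario above ends with a decision to collect software-installation events; the script below is an added example (not part of the original CMMC page) of the follow-up check a practitioner would run on a workstation to confirm that the documented events are actually being recorded. The event IDs it uses are assumptions chosen for illustration rather than values from the page: MsiInstaller 1033 and 11707 in the Application log (Windows Installer product installed) and Security 4688 (process creation), the latter only present when the "Process Creation" audit subcategory is enabled.

```powershell
# Added example: verify that a workstation records the software-installation
# events listed in the documented log-collection list. Run in an elevated
# PowerShell session (the Security log requires administrator rights).

# Documented collection list (constructed for this example). Event IDs are
# assumptions: MsiInstaller 1033/11707 = MSI product installed,
# Security 4688 = process creation, which also catches non-MSI installers.
$RequiredEvents = @(
    @{ Log = 'Application'; Provider = 'MsiInstaller';
       Ids = @(1033, 11707); Purpose = 'MSI package installed' },
    @{ Log = 'Security'; Provider = 'Microsoft-Windows-Security-Auditing';
       Ids = @(4688); Purpose = 'Process creation (non-MSI installers, setup.exe)' }
)

# Only look back over a window the organisation's retention policy is expected to cover.
$Since = (Get-Date).AddDays(-30)

foreach ($req in $RequiredEvents) {
    # Is the channel present and enabled, and how much history can it hold?
    $log = Get-WinEvent -ListLog $req.Log -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output "[MISSING] Log '$($req.Log)' does not exist on this host"
        continue
    }
    if (-not $log.IsEnabled) {
        Write-Output "[DISABLED] Log '$($req.Log)' is present but disabled"
        continue
    }
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)

    # Are matching events actually being written? Get-WinEvent raises an error
    # when nothing matches, so suppress it and treat an empty result as a gap.
    $filter = @{
        LogName      = $req.Log
        ProviderName = $req.Provider
        Id           = $req.Ids
        StartTime    = $Since
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    if ($events.Count -eq 0) {
        Write-Output ("[GAP] {0}: no events {1} from '{2}' since {3:d} (log max {4} MB, mode {5})" -f
            $req.Purpose, ($req.Ids -join '/'), $req.Provider, $Since, $sizeMB, $log.LogMode)
    }
    else {
        Write-Output ("[OK]  {0}: {1} event(s) since {2:d}; newest {3:g}" -f
            $req.Purpose, $events.Count, $Since, $events[0].TimeCreated)
    }
}

# 4688 is only generated when the subcategory is audited; show the current policy
# so a [GAP] for the Security log can be traced to configuration rather than inactivity.
Write-Output ''
Write-Output 'Audit policy for process creation (needs Success enabled for 4688):'
auditpol /get /subcategory:"Process Creation"
```

A [GAP] on the Application log on a machine where software was recently installed by MSI, or a Security log whose "Process Creation" subcategory reports "No Auditing", is exactly the kind of finding that should trigger an update of the documented collection list and of the workstation audit policy. The log size and mode are reported alongside so that a small, circular log is recognised as a retention problem rather than an absence of events.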