Centralized logging and a functioning Security Information and Event Management (SIEM) capability are core requirements of Compliance Framework ECC – 2 : 2024 Control 2-12-2; this post explains what that control expects, gives a small-business implementation path, and supplies concrete technical details and audit-ready evidence you can use to demonstrate compliance.
What Control 2-12-2 requires (high level)
Control 2-12-2 in the Compliance Framework mandates collection, retention, and active monitoring of security-relevant logs from critical assets so that incidents can be detected, investigated, and remediated. For practical purposes this means: identify required log sources, centralize log ingestion, normalize events for correlation, retain logs for a defined period, tune detection rules, and produce evidence (config files, dashboards, alerts, retention policies) for auditors. The objective is timely detection of anomalous activity and demonstrable investigatory capability.
Key log sources and data elements
A compliance-focused logging program must include at minimum: authentication and authorization events (Windows Security, Linux auth logs, cloud IAM), network device logs (firewalls, VPN gateways, switches), proxy and web gateway logs, endpoint events (process creations, EDR alerts), application logs (especially authentication and transaction errors), and system integrity logs. Each event should capture timestamp (NTP-synchronized), source IP/hostname, user/identity, event type and result, and process or application metadata. Use standardized formats where possible (CEF, LEEF, or JSON) to ease normalization in the SIEM.
Step-by-step implementation for a small business
1) Inventory and prioritize: catalog assets and map which must send logs to the SIEM (domain controllers, firewalls, VPN, cloud consoles, critical servers, and web applications).
2) Choose a collector/SIEM: small businesses often deploy Elastic Stack + Filebeat + Wazuh, Graylog, or a hosted option like Splunk Cloud or Microsoft Sentinel to avoid heavy ops.
3) Configure forwarding: use Windows Event Forwarding or Winlogbeat for Windows, Filebeat or syslog-ng for Linux, and configure network devices to forward syslog over TLS to the collector.
4) Secure transport and storage: enable TLS 1.2+, mutual auth where possible, encrypt log storage, and configure role-based access to the SIEM.
5) Normalize and parse: define parsers for each log type, map to a common schema (timestamp, hostname, username, event_id, severity), and index with clear retention tags.
6) Create detection rules and playbooks: start with high-value detections (multiple failed logins, new admin user creation, lateral movement indicators) and implement simple automated alerts that create tickets or notify Slack/email.
7) Test and validate: simulate common incidents (failed logins, privileged account creation) and confirm alerts and forensic searchability.
8) Document retention and runbooks: publish a retention schedule (e.g., 90 days hot search, 12 months archived) and an incident response playbook tied to SIEM alerts.
Technical configuration details and examples
Example small-business setup: Elastic Stack + Filebeat + Wazuh Manager. Install Filebeat on the Linux servers you control and point filebeat.yml at the Logstash or Elasticsearch endpoint using TLS and basic authentication. For Windows, deploy Winlogbeat to forward the System, Security, and Application channels. For firewalls and network devices that cannot run an agent, configure syslog over TLS to a Graylog/GELF endpoint or a syslog-ng collector. Synchronize time with NTP on every host so events from different sources can be ordered and correlated. In the SIEM, implement parsing rules: map Windows Security event ID 4625 to a failed authentication and extract the user, source IP, and failure reason; map firewall accept/drop events to source, destination, and port. Create a correlation rule: if a user has 10 failed logins from 3 different IPs within 10 minutes, trigger a high-priority alert. Maintain an index lifecycle policy: 90 days on hot nodes, 10 months on warm nodes, then freeze to S3-compatible storage for year-long retention, and document this policy in your retention evidence package.
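The normalization step (common schema from the data elements listed above) and the correlation rule just described, as an added worked example that is not code from the original post or from any of the named products. It maps two constructed inputs, a Winlogbeat-style Security event 4625 document and classic syslog sshd lines, to one schema and then runs a sliding-window rule: 10 failed logins for one user from 3 distinct source IPs within 10 minutes raises a high-priority alert. The Winlogbeat field layout is reduced to the handful of fields needed and is an assumption; all sample events are constructed.

```python
"""Added example (not from the original post): normalise constructed Windows
and Linux authentication failures into a common schema, then apply the
post's correlation rule (10 failures, 3 distinct IPs, 10-minute window)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=10)   # correlation window from the post
FAIL_THRESHOLD = 10              # failed logins within the window
IP_THRESHOLD = 3                 # distinct source IPs within the window


def normalize_winlogbeat(doc: dict) -> Optional[dict]:
    """Map a Winlogbeat-style Security event to the common schema.
    Only event ID 4625 (failed logon) is handled; the field names used here are
    an assumed, reduced subset of a real Winlogbeat document."""
    if doc.get("winlog", {}).get("event_id") != 4625:
        return None
    data = doc["winlog"]["event_data"]
    return {
        "timestamp": datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00")),
        "hostname": doc["host"]["name"],
        "username": data["TargetUserName"].lower(),
        "source_ip": data.get("IpAddress", "-"),
        "event_id": "windows-4625",
        "event_type": "authentication",
        "outcome": "failure",
        "severity": "medium",
        "reason": data.get("Status", ""),   # NTSTATUS code reported by Windows
    }


SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_sshd(line: str, year: int = 2024) -> Optional[dict]:
    """Map a classic syslog sshd 'Failed password' line to the common schema.
    Syslog lines carry no year, so the caller supplies it."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts, "hostname": m["host"], "username": m["user"].lower(),
        "source_ip": m["ip"], "event_id": "sshd-failed-password",
        "event_type": "authentication", "outcome": "failure", "severity": "medium",
        "reason": "invalid user" if "invalid user" in line else "bad password",
    }


def correlate_failed_logins(events: List[dict]) -> List[dict]:
    """Sliding window per username; one high-priority alert per user once the
    window holds FAIL_THRESHOLD failures from IP_THRESHOLD distinct IPs."""
    alerts, alerted = [], set()
    windows: Dict[str, deque] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["event_type"] != "authentication" or ev["outcome"] != "failure":
            continue
        q = windows[ev["username"]]
        q.append((ev["timestamp"], ev["source_ip"], ev["hostname"]))
        while q and ev["timestamp"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        ips = {ip for _, ip, _ in q}
        if len(q) >= FAIL_THRESHOLD and len(ips) >= IP_THRESHOLD and ev["username"] not in alerted:
            alerted.add(ev["username"])
            alerts.append({
                "priority": "high", "rule": "distributed-failed-logins",
                "username": ev["username"], "failures": len(q),
                "source_ips": sorted(ips), "hosts": sorted({h for _, _, h in q}),
                "first_seen": q[0][0].isoformat(), "last_seen": ev["timestamp"].isoformat(),
            })
    return alerts


def load_sample_events() -> List[dict]:
    """Constructed sample: six 4625 events on DC01 from two IPs, one 4624 that
    must be ignored, five sshd failures on web01 from a third IP, plus noise."""
    base = datetime(2024, 3, 14, 9, 0, tzinfo=timezone.utc)
    win_docs = [{
        "@timestamp": (base + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "host": {"name": "DC01"},
        "winlog": {"event_id": 4625, "event_data": {
            "TargetUserName": "svc-backup", "Status": "0xC000006D",
            "IpAddress": "203.0.113.10" if i % 2 == 0 else "203.0.113.11"}},
    } for i in range(6)]
    win_docs.append({"@timestamp": "2024-03-14T09:03:00Z", "host": {"name": "DC01"},
                     "winlog": {"event_id": 4624, "event_data": {"TargetUserName": "svc-backup"}}})
    ssh_lines = [
        "Mar 14 09:04:00 web01 sshd[1201]: Failed password for svc-backup from 198.51.100.7 port 50122 ssh2",
        "Mar 14 09:04:30 web01 sshd[1202]: Failed password for svc-backup from 198.51.100.7 port 50123 ssh2",
        "Mar 14 09:05:00 web01 sshd[1203]: Failed password for svc-backup from 198.51.100.7 port 50124 ssh2",
        "Mar 14 09:05:30 web01 sshd[1204]: Failed password for invalid user svc-backup from 198.51.100.7 port 50125 ssh2",
        "Mar 14 09:06:00 web01 sshd[1205]: Failed password for svc-backup from 198.51.100.7 port 50126 ssh2",
        "Mar 14 09:06:10 web01 sshd[1206]: Failed password for alice from 192.0.2.5 port 50127 ssh2",
        "Mar 14 09:06:20 web01 sshd[1206]: Accepted password for alice from 192.0.2.5 port 50127 ssh2",
    ]
    events = [normalize_winlogbeat(d) for d in win_docs] + [normalize_sshd(l) for l in ssh_lines]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for alert in correlate_failed_logins(load_sample_events()):
        print(alert)
```

The alert fires on the tenth failure because the window then spans both hosts and all three IPs; the single failure from alice never approaches the thresholds. Running the same fixtures through the rule after every tuning change is the kind of validation evidence the post asks for in step 7.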
Evidence for auditors and compliance tips
Auditors will want concrete artifacts: a log-source inventory, sample forwarding configs (Winlogbeat/filebeat.yml, firewall syslog config), SIEM rule definitions and screenshots of tuned detections, retention policy documents, system time synchronization evidence, and incident records showing a triggered alert and the subsequent investigation. Keep a "compliance pack" directory that includes: (a) architecture diagram, (b) list of enabled log sources with sample events, (c) retention policy and index lifecycle settings, (d) screenshots of dashboards and alerts, and (e) at least one incident playbook with a completed incident ticket. Run quarterly log-collection health checks and store their reports as recurring evidence.
Risks and consequences of non-implementation
Without centralized logging and SIEM, a small business risks undetected breaches, slow or failed incident response, inability to perform root-cause investigations, and failure to meet legal or contractual obligations. Practically, this can lead to data exfiltration remaining unnoticed for months, inability to prove what data was accessed during an incident, regulatory fines, and loss of customer trust. From an operations standpoint, troubleshooting outages becomes slower and resolution times increase because historical context is scattered or missing.
Best practices: tune detection rules to reduce false positives, maintain runbooks for each high-priority alert, ensure immutable storage or WORM for at least the portion of logs critical to investigations, periodically test retention restores, and integrate SIEM alerts with your ticketing and escalation systems. Use role separation so only authorized personnel can modify detection rules or retention settings, and automate health checks for log forwarding (agent heartbeat metrics) with alerting when a source stops sending data. Finally, keep capacity planning aligned with growth forecasts, because indexing rates can grow quickly once application logs and verbose debug logs are onboarded.
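The automated forwarding health check recommended above, which also produces the recurring log-collection evidence mentioned in the auditor section, as an added example that is not code from the original post or from any SIEM product. It compares a constructed log-source inventory (each source with its owner and the longest gap between events still considered healthy) against the latest event time observed per source and reports sources that are stale, never seen, or seen but absent from the inventory. The inventory layout and the `last_seen` input are assumptions; in practice `last_seen` would come from the SIEM, for example the maximum event timestamp per host.

```python
"""Added example (not from the original post): log-forwarding health check
that flags silent sources and inventory drift, for alerting and for the
quarterly evidence package."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed inventory of assets that must forward logs. Chatty sources get
# tight gaps; a quiet VPN gateway may legitimately be silent for hours.
INVENTORY: List[dict] = [
    {"source": "dc01", "kind": "windows-security", "max_gap": timedelta(minutes=15), "owner": "it-ops"},
    {"source": "fw-edge", "kind": "firewall-syslog", "max_gap": timedelta(minutes=5), "owner": "network"},
    {"source": "vpn-gw", "kind": "vpn-syslog", "max_gap": timedelta(hours=6), "owner": "network"},
    {"source": "web01", "kind": "linux-auth", "max_gap": timedelta(hours=1), "owner": "app-team"},
    {"source": "aws-cloudtrail", "kind": "cloud-iam", "max_gap": timedelta(hours=1), "owner": "cloud"},
]


def check_sources(inventory: List[dict], last_seen: Dict[str, Optional[datetime]],
                  now: datetime) -> dict:
    """Classify every inventoried source as healthy, stale (silent longer than
    its max_gap) or missing (no event ever seen); anything sending logs that is
    not in the inventory is reported as unknown so the inventory gets fixed."""
    report = {"generated_at": now.isoformat(), "healthy": [], "stale": [], "missing": [], "unknown": []}
    known = set()
    for src in inventory:
        name = src["source"]
        known.add(name)
        seen = last_seen.get(name)
        if seen is None:
            report["missing"].append({"source": name, "owner": src["owner"]})
            continue
        gap = now - seen
        entry = {"source": name, "owner": src["owner"], "last_seen": seen.isoformat(),
                 "gap_minutes": int(gap.total_seconds() // 60),
                 "max_gap_minutes": int(src["max_gap"].total_seconds() // 60)}
        report["stale" if gap > src["max_gap"] else "healthy"].append(entry)
    for name in last_seen:
        if name not in known:
            report["unknown"].append({"source": name})
    return report


def needs_alert(report: dict) -> bool:
    """Stale or missing sources mean control evidence is silently degrading."""
    return bool(report["stale"] or report["missing"])


def sample_report() -> dict:
    """Constructed scenario: the edge firewall stopped forwarding 47 minutes
    ago, CloudTrail has never arrived, and a printer is sending logs that
    nobody inventoried."""
    now = datetime(2024, 3, 14, 12, 0, tzinfo=timezone.utc)
    last_seen = {
        "dc01": now - timedelta(minutes=2),
        "fw-edge": now - timedelta(minutes=47),
        "vpn-gw": now - timedelta(hours=3),
        "web01": now - timedelta(minutes=20),
        "printer-01": now - timedelta(minutes=1),
    }
    return check_sources(INVENTORY, last_seen, now)


if __name__ == "__main__":
    r = sample_report()
    for bucket in ("stale", "missing", "unknown"):
        for e in r[bucket]:
            print(f"{bucket.upper():8} {e}")
    print("alert required:", needs_alert(r))
```

Scheduling this every few minutes and writing the report to the compliance pack gives both the operational alert (page the owner listed for a stale or missing source) and a dated record that collection was verified, which is what the quarterly health-check evidence needs to show.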
In summary, meeting Compliance Framework ECC – 2 : 2024 Control 2-12-2 for centralized logging and SIEM is achievable for small businesses by prioritizing critical log sources, deploying a supported collector and SIEM (open-source or hosted), securing transports and storage, mapping logs to a common schema, implementing and testing detection rules, and packaging clear evidence for auditors; doing so reduces detection time, strengthens investigations, and significantly lowers compliance and operational risk.