CDPSE · Question #207
Which of the following is considered a best practice with regard to event logging?
The correct answer is B. Transmit all event logs to a central log server.. Transmitting event logs to a central log server is a security best practice because it protects log integrity - if a system is compromised, an attacker can't tamper with or delete logs stored on a separate server, ensuring forensic evidence remains intact for incident response an
Question
Which of the following is considered a best practice with regard to event logging?
Options
- ARetain all event logs on the systems that create them.
- BTransmit all event logs to a central log server.
- CSuppress the creation of event logs on all systems.
- DEncrypt all event logs on the systems that create them.
How the community answered
(51 responses)- A2% (1)
- B92% (47)
- C4% (2)
- D2% (1)
Explanation
Transmitting event logs to a central log server is a security best practice because it protects log integrity - if a system is compromised, an attacker can't tamper with or delete logs stored on a separate server, ensuring forensic evidence remains intact for incident response and auditing.
Why the distractors fail:
- A - Keeping logs only on the originating system creates a single point of failure; a compromised or crashed system can destroy the evidence you need.
- C - Suppressing log creation is the opposite of good security posture; logs are essential for detecting, investigating, and recovering from incidents.
- D - Encrypting logs locally adds some confidentiality but doesn't protect against the system being wiped or compromised - you still lose the logs.
Memory tip: Think "centralize to surveil" - the whole point of logging is visibility and accountability, and a central log server (like a SIEM) gives you both while keeping logs out of attackers' reach.
Topics
Community Discussion
No community discussion yet for this question.