Log Monitoring and SIEM Basics for Small Business
Logs are digital breadcrumbs that record what happens on your network:
failed login attempts, file access, configuration changes, malware detections, and more. But with thousands of log entries generated daily, reviewing them manually is impossible. Security Information and Event Management (SIEM) systems automatically collect, analyze, and alert on suspicious activity. This guide explains SIEM basics and how small businesses can implement log monitoring cost-effectively.
What Are Logs and Why Do They Matter?
Every device—servers, workstations, firewalls, printers, routers—generates logs. These logs contain a timestamped record of events.
Example log entries:
• 2026-05-28 14:30:15 User “jsmith” failed to authenticate (3rd attempt)
• 2026-05-28 14:32:42 File “payroll_2026.xlsx” accessed by user “bwilson”
• 2026-05-28 14:35:00 10,000 malicious packets blocked by firewall
• 2026-05-28 14:40:21 Administrator account password changed
Individually, these entries are unremarkable. Together, they tell a story. If “jsmith” fails authentication 50 times in one hour from an unusual location, that’s a brute-force attack. If “payroll_2026.xlsx” is accessed by someone outside accounting and copied to a USB drive, that’s potential data theft.
Without log monitoring, attacks go undetected for weeks or months. With proper monitoring, they’re caught in minutes.
What Is SIEM?
SIEM is software that:
1. Collects logs from all sources (firewalls, servers, workstations, cloud services)
2. Normalizes logs into a standard format (logs use different formats; SIEM translates)
3. Correlates events (connects related logs to identify patterns)
4. Alerts on suspicious activity (notifies you immediately of threats)
5. Stores and indexes logs for investigation and compliance audits
Example: SIEM correlates a failed login attempt, a successful login from a new device, and a large file transfer into one alert: “Possible account compromise—new device detected, accessing sensitive files.”
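Step 2 above, normalization, is what makes correlation possible: a firewall, a Windows domain controller and a cloud file service all describe events differently, and rules can only be written once those events share one schema. The following Python example is added here to show that mapping; it is not code from the original article or from any SIEM product. The three log lines are constructed samples in typical shapes (a syslog-style firewall line, a Windows Security event flattened to key=value pairs, a JSON cloud record), and the Event field names are an assumed schema, not a standard.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines in three common shapes (not real logs): a firewall
# syslog-style line, a Windows Security event flattened to key=value pairs,
# and a JSON record from a cloud file service.
RAW_LOGS = [
    "fw01 2026-05-28T14:35:00Z DROP src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445",
    "EventID=4625 TimeCreated=2026-05-28T14:30:15Z TargetUserName=jsmith IpAddress=198.51.100.7",
    '{"time":"2026-05-28T14:32:42Z","actor":"bwilson","action":"file.access",'
    '"object":"payroll_2026.xlsx","ip":"192.0.2.55"}',
]

# The common schema every source is mapped onto (an assumed schema for this example).
# Correlation rules later only need these fields, not each vendor's format.
@dataclass
class Event:
    timestamp: datetime          # always timezone-aware UTC
    source: str                  # firewall / windows / cloud
    event_type: str              # normalized verb, e.g. auth_failure, file_access, fw_block
    user: Optional[str] = None
    src_ip: Optional[str] = None
    detail: dict = field(default_factory=dict)

KV_RE = re.compile(r"(\w+)=(\S+)")

# Windows Security event IDs for failed (4625) and successful (4624) logons.
WINDOWS_EVENT_TYPES = {"4625": "auth_failure", "4624": "auth_success"}

def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(line: str) -> Event:
    """Map one raw log line onto the common Event schema."""
    line = line.strip()
    if line.startswith("{"):                      # JSON cloud record
        rec = json.loads(line)
        return Event(_parse_ts(rec["time"]), "cloud", rec["action"].replace(".", "_"),
                     user=rec.get("actor"), src_ip=rec.get("ip"),
                     detail={"object": rec.get("object")})
    kv = dict(KV_RE.findall(line))
    if "EventID" in kv:                           # Windows key=value export
        return Event(_parse_ts(kv["TimeCreated"]), "windows",
                     WINDOWS_EVENT_TYPES.get(kv["EventID"], "win_event_" + kv["EventID"]),
                     user=kv.get("TargetUserName"), src_ip=kv.get("IpAddress"),
                     detail={"event_id": kv["EventID"]})
    parts = line.split()
    if len(parts) >= 3 and parts[2] in ("DROP", "ACCEPT"):   # firewall syslog line
        return Event(_parse_ts(parts[1]), "firewall",
                     "fw_block" if parts[2] == "DROP" else "fw_allow",
                     src_ip=kv.get("src"),
                     detail={"host": parts[0], "dst": kv.get("dst"),
                             "proto": kv.get("proto"), "dport": kv.get("dport")})
    # Unknown formats are rejected loudly rather than silently dropped, so a new
    # log source shows up as a parsing error instead of a blind spot.
    raise ValueError(f"unrecognized log format: {line!r}")

def normalize_all(lines):
    """Normalize a batch and return it in time order, which is what correlation consumes."""
    return sorted((normalize(l) for l in lines), key=lambda e: e.timestamp)

if __name__ == "__main__":
    for ev in normalize_all(RAW_LOGS):
        print(ev.timestamp.isoformat(), ev.source, ev.event_type, ev.user, ev.src_ip, ev.detail)
```

Once every source arrives as an Event, the correlation in the paragraph above (failed login, then a login from a new device, then a large file transfer, all for the same user) becomes a question about three records with the same user field and close timestamps, regardless of which system produced each one.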
SIEM vs. Log Aggregation
Small businesses new to monitoring often use simpler log aggregation tools (like Splunk, ELK Stack, or cloud logging) instead of a full SIEM. The difference:
Log Aggregation: Collects and stores logs for manual review and searching. You define what to look for.
SIEM: Adds intelligence—built-in rules detect threats automatically. You’re alerted to problems without manually reviewing thousands of logs.
For a small business, log aggregation is often sufficient initially. As you mature, upgrade to SIEM for automated threat detection.
Essential Logs to Monitor
Don’t try to monitor everything initially. Start with high-value logs:
1. Firewall Logs
Record all incoming and outgoing network traffic, blocked connections, and detected threats. Reveals attack attempts and data exfiltration.
2. Windows Event Logs (for AD/Domain)
Log all authentications, failed logins, privilege elevation, and system changes. Early detection of compromised accounts.
3. Cloud Access Logs
Track logins to Microsoft 365, Google Workspace, Okta, AWS, or other cloud services. Detect compromised credentials and unauthorized access.
4. File Server Access Logs
Record who accessed what files, when, and what actions they took (read, write, delete). Identify data theft.
5. Web Gateway/Proxy Logs
Track all websites visited by employees. Detect malware, phishing attempts, and unauthorized downloads.
6. Email Gateway Logs
Record all incoming and outgoing emails, attachments, and blocked messages. Detect phishing, malware distribution, and data leakage.
7. Antivirus/Endpoint Detection Logs
Report detections, blocked processes, and quarantined files. Indicates active malware or exploitation attempts.
8. Application Logs
Database access, user privilege changes, and configuration modifications. Detect unauthorized access or sabotage.
Low-Cost SIEM Options for Small Business
Option 1: Cloud Logging (AWS CloudWatch, Azure Monitor, Google Cloud Logging)
If you use cloud services, their native logging is free or inexpensive. Downside: limited correlation and no built-in threat intelligence.
Cost: Free to $500/month
Best for: Businesses already in cloud environments
Option 2: ELK Stack (Elasticsearch, Logstash, Kibana)
Open-source log aggregation. You collect and search logs yourself. Requires technical setup.
Cost: Free (if self-hosted) or $300-$500/month (managed)
Best for: Technically capable teams
Option 3: Splunk Cloud
Industry-leading SIEM with automated threat detection. More expensive but includes intelligence.
Cost: $2,000-$10,000+/month
Best for: Security-mature organizations with budget
Option 4: Microsoft Sentinel (if using Microsoft 365)
Cloud SIEM integrated with Windows, Azure, and Microsoft 365. Good value if already using Microsoft products.
Cost: $2-$5 per GB ingested
Best for: Microsoft-centric environments
Option 5: Open-Source SIEM (Wazuh, Osquery)
Free alternatives with basic correlation. Requires skilled administration.
Cost: Free (self-hosted) or $500-$2,000/month (managed)
Best for: Budget-constrained teams with IT support
Implementing Log Monitoring Step-by-Step
Step 1: Inventory Your Systems
List all devices that generate logs: firewalls, servers, cloud apps, email systems, workstations.
Step 2: Choose Your Tool
Start simple. Even basic log aggregation is better than no monitoring.
Step 3: Configure Log Collection
Most tools use agents or APIs to collect logs. Install agents on servers and workstations; configure APIs for cloud apps.
Step 4: Set Up Basic Alerts
Define rules for suspicious activity:
• 5 failed login attempts in 10 minutes = alert
• Malware detection = immediate alert
• Large file transfer to external location = alert
• Account added to admin group = alert
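The four rules above are simple enough to write by hand, and doing so once shows what a SIEM's rule engine is doing for you: a sliding time window per user for the failed-login rule, an immediate alert for malware, a size-plus-destination test for transfers, and a straight match for group membership changes. The Python below is an added example, not code from the article or from any product. The events are constructed and already normalized (the field names are an assumption; map your own tool's output onto them first), and the transfer-size cutoff and "internal" address ranges are values you would set for your own network.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed, already-normalized events (not from a real system). The field
# names are an assumed schema; map your aggregation tool's output onto them first.
def _ts(hms: str) -> datetime:
    return datetime.fromisoformat(f"2026-05-28T{hms}+00:00")

EVENTS = [
    {"timestamp": _ts("14:30:15"), "event_type": "auth_failure", "user": "jsmith", "src_ip": "198.51.100.7"},
    {"timestamp": _ts("14:31:02"), "event_type": "auth_failure", "user": "jsmith", "src_ip": "198.51.100.7"},
    {"timestamp": _ts("14:31:40"), "event_type": "auth_failure", "user": "jsmith", "src_ip": "198.51.100.7"},
    {"timestamp": _ts("14:32:42"), "event_type": "file_transfer", "user": "bwilson", "dst_ip": "192.0.2.40", "bytes": 5_000_000},
    {"timestamp": _ts("14:33:05"), "event_type": "auth_failure", "user": "jsmith", "src_ip": "198.51.100.7"},
    {"timestamp": _ts("14:34:50"), "event_type": "auth_failure", "user": "jsmith", "src_ip": "198.51.100.7"},
    {"timestamp": _ts("14:36:10"), "event_type": "malware_detected", "host": "ws-07", "detail": "quarantined: Trojan.Generic (constructed name)"},
    {"timestamp": _ts("14:38:00"), "event_type": "file_transfer", "user": "bwilson", "dst_ip": "203.0.113.50", "bytes": 750_000_000},
    {"timestamp": _ts("14:40:21"), "event_type": "admin_group_add", "user": "tmp_svc", "actor": "bwilson"},
]

# Tunable thresholds. "5 failed logins in 10 minutes" is the article's rule; the size
# cutoff and the internal ranges are assumptions (192.0.2.0/24 stands in for the office LAN).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def run_rules(events):
    """Apply the four basic alert rules to a stream of normalized events; return the alerts."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window

    def alert(rule, severity, t, message):
        alerts.append({"rule": rule, "severity": severity, "time": t, "message": message})

    for ev in sorted(events, key=lambda e: e["timestamp"]):
        kind, t = ev["event_type"], ev["timestamp"]

        if kind == "auth_failure":
            window = recent_failures[ev["user"]]
            window.append(t)
            while t - window[0] > FAILED_LOGIN_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alert("brute_force", "medium", t,
                      f"{len(window)} failed logins for {ev['user']} from {ev['src_ip']} "
                      f"within {FAILED_LOGIN_WINDOW}")
                window.clear()   # one alert per burst, not one per extra attempt (reduces noise)

        elif kind == "malware_detected":
            alert("malware", "high", t, f"endpoint {ev['host']}: {ev['detail']}")

        elif kind == "file_transfer":
            if ev["bytes"] >= LARGE_TRANSFER_BYTES and is_external(ev["dst_ip"]):
                alert("large_external_transfer", "high", t,
                      f"{ev['user']} sent {ev['bytes'] / 2**20:.0f} MiB to {ev['dst_ip']}")

        elif kind == "admin_group_add":
            alert("privilege_change", "high", t,
                  f"{ev['actor']} added {ev['user']} to an administrators group")

    return alerts

if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a["time"].strftime("%H:%M:%S"), a["severity"].upper(), a["rule"], "-", a["message"])
```

Run against the sample stream, the small internal transfer at 14:32 produces nothing, the fifth failed login at 14:34 produces one brute-force alert rather than five, and the malware, external transfer and group change each produce one alert. The `window.clear()` after a brute-force alert is the kind of tuning decision Step 5 below is about: without it, every further attempt in the same burst would page you again.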
Step 5: Review and Tune
Alert fatigue is real—too many false alarms cause you to ignore real threats. Review alerts weekly, adjust rules to reduce noise.
Step 6: Establish Retention Policy
How long do you keep logs? Compliance requirements vary:
• HIPAA: Minimum 6 years
• PCI DSS: Minimum 1 year
• GDPR: Minimum 3-6 months
• General best practice: 1-2 years
Responding to Log Alerts
When your system alerts on suspicious activity:
1. Verify the alert — Is it a real threat or a false positive?
2. Investigate — Review related logs to understand what happened
3. Respond — If threat confirmed, isolate affected systems, reset credentials, etc.
4. Document — Record what happened, when, and how you responded
5. Tune — Adjust alert rules to prevent false positives
Key Takeaways
• Logs provide evidence of what’s happening on your network; without monitoring, attacks go undetected
• SIEM automates log analysis and alerts on suspicious activity
• Start with high-value logs: firewall, authentication, cloud access, file access, email
• Begin with simple log aggregation; upgrade to SIEM as you mature
• Choose tools based on your infrastructure and budget (cloud logging, ELK, Sentinel, or Splunk)
• Set up basic alerts for high-risk activity
• Review and tune alerts monthly to reduce false positives
• Retain logs per compliance requirements (typically 1-2 years minimum)
• Establish an incident response process triggered by alerts
Log monitoring transforms reactive security (discovering breaches after the fact) into proactive security (detecting and stopping attacks in real time). Start simple, focus on high-value logs, and expand as your program matures.