Logging For Small Business Owners: What To Keep And Why
Logs are records of what happened on your systems. When something goes wrong, they're your only way to figure out what happened, when, and how far it spread.
Last updated: March 20, 2026
A Pensacola accounting firm called us after an employee reported suspicious activity: emails being sent from their account that they didn't write.
We asked: "What does your email audit log show?"
They didn't know. Microsoft 365 has detailed logs — who logged in from where, what actions they took, when — but they hadn't looked at them in years.
Three weeks of logs had already cycled off. We couldn't tell if this was a one-time phishing compromise or something that had been happening for months.
If they'd been reviewing logs weekly (or had alerts set up), they would have known immediately. Instead, we spent two weeks reconstructing events from partial data and had to assume the worst.
This is why logging matters.
What this solves (in real business terms)
Logs are records. They tell you who did what, when, and from where on your systems. When something goes wrong — a breach, unauthorized access, data loss — logs are your forensic trail.
Without logs, you're guessing. Did the attacker get in? Did they access customer data? Did they move laterally to other systems? You don't know.
With good logs, you can:
- Determine the scope of a breach
- Identify what data was accessed
- Create a timeline for incident response
- Provide evidence for insurance claims or legal proceedings
- Meet compliance requirements (if applicable)
What can go wrong
No logs being collected. Most SMB cloud services (Microsoft 365, Google Workspace, QuickBooks Online) have logging, but it's not always enabled by default. You might be losing logs automatically as they age off.
Logs kept too short. Microsoft 365 audit logs have a default 90-day retention on most plans. If an incident isn't discovered for 120 days, the evidence is gone.
Logs not being watched. Collecting logs and never reviewing them is like installing security cameras and never watching the footage. You need active monitoring or automated alerts.
No centralized log management. Logs spread across dozens of services (email, file storage, accounting software, CRM) with no unified view. During an incident, you're chasing down ten different vendor portals.
Not knowing what you have. Most businesses don't know what systems they're running, so they don't know what logs to collect. Shadow IT (unsanctioned tools your team uses) is invisible.
What it costs (honest ranges)
- Built-in logging (Microsoft 365, Google Workspace): Included in most business plans
- Extended log retention: $2-$5/user/month for 1-year retention in Microsoft 365
- Log aggregation tools (Splunk, Datadog, Microsoft Sentinel): Free to $20/device/month depending on volume
- Managed detection and response (includes log monitoring): $15-$40/user/month
- SIEM-lite for SMB (Halo Security, Arctic Wolf): $500-$2,000/month for small businesses
For most Gulf Coast SMBs, the answer is: use what you already have (Microsoft/Google logging), extend retention if needed, and enable alerts for critical events.
Vendor questions (copy/paste)
- "Are audit logs enabled for our Microsoft 365/Google Workspace account? What's the retention period?"
- "Who reviews these logs? Do we get alerted when something suspicious happens?"
- "If we have a security incident, how do we pull logs to investigate?"
- "What logs do we collect from other services — our accounting software, file storage, etc.?"
- "Do we have visibility into what SaaS tools our employees are using (Shadow IT)?"
Minimum viable implementation
Step 1: Verify logging is enabled
Microsoft 365:
- Go to Microsoft 365 Admin Center > Purview > Audit
- Verify audit logging is turned on
- Check your retention period (default is 90 days on most plans)
Google Workspace:
- Go to Admin Console > Reporting > Audit
- Verify audit logging is enabled
Step 2: Enable alert policies for critical events
Set up notifications for:
- Admin account login (especially from new locations)
- Mass deletion of files or emails
- New user accounts created
- Password changes on admin accounts
- Multiple failed login attempts against one account
In Microsoft 365:
- Security & Compliance Center > Alerts > Alert policies
- Create custom alerts for the events above
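As an added example (not part of the original post), here is a small Python check that applies the Step 2 alert conditions to audit records exported from Microsoft 365. The record field names follow a simplified version of the audit log's shape; the admin list, known sign-in IPs and thresholds are assumptions for the demo, and the records themselves are constructed sample data.

```python
# Added example, not from the original post; record fields are a simplified,
# constructed approximation of Microsoft 365 audit entries, not the real schema.
from collections import defaultdict
from datetime import datetime, timedelta

ADMINS = {"admin@example.com"}          # assumption: known admin accounts
KNOWN_ADMIN_IPS = {"203.0.113.10"}      # assumption: expected admin sign-in IPs
MASS_DELETE_THRESHOLD = 20              # assumption: deletions per user per hour
FAILED_LOGIN_THRESHOLD = 5              # assumption: failed logins per user per hour
WINDOW = timedelta(hours=1)

def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])

def _rate(buckets, key, ts, threshold, alerts):
    """Sliding-window count; alert when the count inside WINDOW reaches threshold."""
    times = buckets[key]
    times.append(ts)
    while ts - times[0] > WINDOW:       # drop events older than the window
        times.pop(0)
    if len(times) == threshold:
        alerts.append((key[0], key[1], f"{threshold} events within {WINDOW}"))

def check_alerts(records):
    """Return (rule, actor, detail) tuples for the Step 2 alert conditions."""
    alerts, buckets = [], defaultdict(list)
    for r in sorted(records, key=_ts):
        op, user, ip, target = r["Operation"], r["UserId"], r.get("ClientIP", ""), r.get("ObjectId", "")
        if op == "UserLoggedIn" and user in ADMINS and ip not in KNOWN_ADMIN_IPS:
            alerts.append(("admin_login_new_location", user, ip))
        elif op == "Add user.":
            alerts.append(("new_user_created", user, target))
        elif op in ("Change user password.", "Reset user password.") and target in ADMINS:
            alerts.append(("admin_password_changed", user, target))
        elif op in ("FileDeleted", "HardDelete"):
            _rate(buckets, ("mass_deletion", user), _ts(r), MASS_DELETE_THRESHOLD, alerts)
        elif op == "UserLoginFailed":
            _rate(buckets, ("repeated_failed_logins", user), _ts(r), FAILED_LOGIN_THRESHOLD, alerts)
    return alerts

SAMPLE_RECORDS = [  # constructed sample data, not a real tenant's log
    {"CreationTime": "2026-03-16T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.7"},
    {"CreationTime": "2026-03-16T09:05:00", "Operation": "Add user.",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.7", "ObjectId": "newhire@example.com"},
] + [{"CreationTime": f"2026-03-16T10:{i:02d}:00", "Operation": "UserLoginFailed",
      "UserId": "bob@example.com", "ClientIP": "192.0.2.44"} for i in range(5)
] + [{"CreationTime": f"2026-03-16T11:{i:02d}:00", "Operation": "FileDeleted",
      "UserId": "alice@example.com", "ClientIP": "203.0.113.10"} for i in range(20)]
```

Calling check_alerts(SAMPLE_RECORDS) yields four alerts: an admin sign-in from an unknown IP, a new user created, five failed logins for one account within the hour, and twenty file deletions by one user within the hour.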
Step 3: Set up a log review schedule
If you're not using managed monitoring, establish a weekly review:
- 15 minutes to check admin login history
- 15 minutes to spot-check for unusual activity
- Document what you reviewed and any findings
Step 4: Extend retention if you can
Microsoft 365 E3/E5: You can extend to 1 year. Worth the $2/user/month if you handle sensitive data.
Step 5: Inventory your critical services
Make a list of every service your business uses (cloud storage, accounting, CRM, etc.). For each, answer:
- Does it have logs?
- Who has access to the logs?
- How long are logs retained?
- Who reviews them?
When to hire help
Do it yourself if:
- You have fewer than 15 users
- You're comfortable checking audit logs weekly in Microsoft 365 or Google Admin
- Your data isn't highly sensitive
Get help if:
- You have 20+ employees or complex cloud environments
- You're in a regulated industry with specific log retention requirements
- You want 24/7 monitoring instead of weekly manual reviews
- You've had an incident and need someone to manage log collection and analysis
- You want someone to own the alert configuration and respond to suspicious activity