Logging Screenshot Guide | Help Center

1. Purpose of This Guide

This evidence shows that your organisation has logging turned on for the key parts of your IT environment — systems, applications, security tools, and outbound proxies.

Why does this matter?
Because logs are the breadcrumb trail that helps you detect suspicious activity, investigate incidents, and prove what actually happened. Cyber Essentials 2025 clause A.6.4.H asks for this evidence to confirm that:

Logging is enabled,
Logs are being generated, and
You understand how to access them when needed.

You don’t need a full SIEM or a spaceship dashboard. You just need to show that logs exist and are working.

2. What You Will Submit

You may upload multiple screenshots, depending on the systems you use. Evidence must show active logs for:

Operating systems
- Windows Event Viewer
- macOS Console
- Linux syslog/journalctl
Applications
- Web apps, admin apps, internal systems
- Cloud apps with audit logs (Microsoft 365, Google Workspace, HRMS, etc.)
Security tools
- Endpoint Detection & Response (EDR) logs
- Anti-virus logs
- Firewall logs
- DNS filtering logs
Outbound proxies (if you use one)
- Secure web gateways
- DNS firewalls
- Web filtering tools

Each screenshot should clearly show timestamped entries proving that logs are active and recent.

3. How to Collect / Obtain / Generate This Evidence

Below are concrete examples for the most common tools small businesses use. You may need to upload as many types of logs as you have access to, to show full compliance.

A. Operating System Logs

Windows

Open Event Viewer
Go to: Windows Logs → Security / System / Application
Take a screenshot showing:
- Recent timestamps
- Log source
- Event IDs

macOS

Open Console
Select System Reports or Log Reports
Screenshot the log entries with date/time visible

Linux

Run: journalctl -xe or tail -n 100 /var/log/syslog
Screenshot the terminal showing entries with timestamps

B. Application Logs

Pick any business-critical application your organisation uses:

Microsoft 365

Go to Compliance Portal → Audit
Search for recent events
Take a screenshot of the audit results

Google Workspace

Go to Reports → Audit → Admin / Drive / Login
Screenshot the log entries

Business Critical ApplicationsL HRMS / Payroll Tools

Open Audit Logs / History panel (if available)
Screenshot recent events

C. Security Tool Logs

Endpoint Detection & Response (EDR)

For StrongKeep Customers, we will generate logs for the EDR on your behalf.

(e.g., Cortex XDR, CrowdStrike, Defender for Endpoint)

Screenshot should show:

Alerts
Events
Detection logs
Device activity

D. Outbound Proxy or DNS Filtering Logs

If you use outbound filtering:

DNS Firewall (e.g., Control-D)

Screenshot the logs showing:

Blocked malicious domains
DNS queries
Timestamps

Secure Web Gateway / Proxy

Show any of the following:

Web access logs
Blocked request logs
Policy enforcement logs

If your organisation does not use a proxy, this category may simply be omitted — the clause allows for non-applicability in smaller environments.

4. Evidence Format

Accepted File Types:

Suggested Naming Convention:
YourCompanyName_LoggingScreenshots_YYYY-MM-DD_S1
(add S2, S3, etc. for multiple systems)

Example:
AcmeClinic_LoggingScreenshots_2025-03-04_SecurityTools.png

5. What “Good” Looks Like

A strong submission includes:

Multiple log sources
OS logs + application logs + security tools (at minimum)
Clear timestamps
Showing events within the past 30 days
Readable entries
Event type, description, user/device, source
Evidence of active logging
Not an empty or disabled log screen
Screenshots with context
Tool name, tab name, or URL visible if applicable

Why this matters: auditors want to verify logging is real, recent, and covers enough systems to help detect unauthorised activity.

6. Tips

Don’t overthink it.
Logs don’t need to be fancy — they just need to exist.
Redact sensitive IP addresses or usernames if needed.
If you have no proxy logs, that’s fine — this clause is not mandatory for all setups.