One of the unique challenges in collecting host evidence and storing it in a single system is finding a balance between logging too little and too much. Logging too little means the SOC/CSIRT could miss critical information that can be used to detect attackers and other malicious activity. Logging too much can cause log storage to become an issue, and critical information can be missed in a large number of events. Find a logging configuration guide or cheat sheet for Windows or Linux. Provide a link to the guide and summarize its recommendations.

1. Why do you think the recommendations have been made?
2. What types of information would be collected given the recommended log/audit settings?
3. Do you think these recommendations would provide too much information or not enough? Why?
4. Estimate the daily number of events/storage required if you had 10,000 endpoints generating data given the recommended logging settings. How much storage may be required? How long do you think you would be able to retain logs (days, months, years)?
5. We've talked about network logs and data, endpoint logs, and data. What other logs and data might we be missing? Are there configuration guides for those?