Log Retention and SIEM Data Sources for Texas SMBs in 2026
You cannot investigate what you did not log. The right log sources and retention periods are the foundation of detection and incident response — and a common audit failure point.
Introduction
When an incident happens, the first question responders ask is "what do the logs show?" — and the most common, most painful answer at an under-prepared SMB is "we don't have those logs." You cannot investigate, contain, or learn from what you never recorded. Log management is the unglamorous foundation that SIEM and MDR are built on.
The Log Sources That Actually Matter
You do not need every log — you need the ones that tell the attack story:
- Identity / authentication — Entra ID sign-in and audit logs are the single most valuable source. Most modern attacks pivot through identity (see ITDR).
- Endpoint / EDR — process execution, PowerShell, and Defender alerts
- Email / Microsoft 365 — message trace, mailbox audit, and the unified audit log (mailbox rule creation is a key BEC signal)
- Network / firewall — allowed and denied flows, especially east-west and outbound to new destinations
- DNS — resolution logs catch C2 and exfiltration (see protective DNS)
- Server and application — domain controllers, file servers, and line-of-business apps
- Cloud / SaaS — admin and data-access logs for critical SaaS
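To show why the Microsoft 365 unified audit log earns its place on this list, here is an added example (not code from the original article) that scans Exchange audit records for the inbox-rule signal mentioned above: rules that forward mail outside the tenant, delete or hide messages, or filter on financial keywords. The three records are constructed for this example and only modeled on the AuditData shape exported by Search-UnifiedAuditLog; the tenant domain, folder list and keyword list are assumptions a team would tune for its own environment.

```python
import json

# Constructed sample: three AuditData payloads shaped like Exchange records from
# the Microsoft 365 unified audit log. Users, IPs and rule names are made up.
SAMPLE_AUDITDATA = [
    json.dumps({
        "CreationTime": "2026-01-14T08:02:11", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "ap.clerk@example.com",
        "ClientIP": "203.0.113.40",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "archive-billing@example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
        ],
    }),
    json.dumps({
        "CreationTime": "2026-01-14T09:30:00", "Operation": "New-InboxRule",
        "Workload": "Exchange", "UserId": "jane@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Reading"},
            {"Name": "FromAddressContainsWords", "Value": "news@"},
        ],
    }),
    json.dumps({
        "CreationTime": "2026-01-14T10:15:42", "Operation": "Set-InboxRule",
        "Workload": "Exchange", "UserId": "cfo@example.com",
        "ClientIP": "203.0.113.40",
        "Parameters": [
            {"Name": "Identity", "Value": "Sync"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "password;invoice"},
        ],
    }),
]

INTERNAL_DOMAINS = {"example.com"}          # assumption: the tenant's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders where a rule can park messages out of the user's sight (assumed list).
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                "archive", "junk email", "deleted items"}
WATCH_WORDS = ("invoice", "payment", "wire", "password")


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS


def score_inbox_rule(record):
    """Return the reasons a rule change looks like BEC persistence; empty if benign."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and any(_is_external(a) for a in p[key].split(";")):
            reasons.append(f"{key} to external address {p[key]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true" and reasons:
        reasons.append("MarkAsRead=True")          # only interesting alongside hiding
    keywords = (p.get("SubjectContainsWords", "") + ";" +
                p.get("SubjectOrBodyContainsWords", "")).lower()
    if any(w in keywords for w in WATCH_WORDS):
        reasons.append(f"financial/credential keywords: {keywords.strip(';')}")
    name = p.get("Name", p.get("Identity", ""))
    if len(name.strip()) <= 1:
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def find_suspicious_rules(auditdata_lines):
    """Run the scorer over exported AuditData JSON lines and collect findings."""
    findings = []
    for line in auditdata_lines:
        rec = json.loads(line)
        reasons = score_inbox_rule(rec)
        if reasons:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec.get("ClientIP"), "reasons": reasons})
    return findings


def rules_by_client_ip(findings):
    """Group flagged rule changes by source IP: one IP touching several mailboxes
    is a stronger signal than any single rule."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["user"])
    return by_ip


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDITDATA):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

The scorer deliberately treats MarkAsRead as corroborating rather than standalone evidence, and the IP grouping is what turns two separate "odd rule" tickets into one incident with a shared origin. Without mailbox auditing and the unified audit log switched on, none of these records exist to score.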
Retention: How Long Is Long Enough
The hard truth about dwell time: attackers often sit in an environment for weeks before acting. If your logs only go back 30 days, you may be unable to reconstruct how a months-old intrusion began.
- Hot / searchable — 90 days minimum for active investigation
- Warm / archived — 12 months for most SMBs; longer for regulated data
- Regulatory minimums — HIPAA effectively expects 6 years for some records; PCI-DSS requires 1 year (3 months immediately available); CMMC/NIST 800-171 require audit log retention
Controlling SIEM Cost
SIEM pricing is usually volume-based, so naive "log everything forever" gets expensive fast. Control cost by tiering: high-value sources (identity, endpoint, email) go to the hot SIEM tier; high-volume low-value sources (verbose firewall allows) go to cheap archive storage queryable on demand. Microsoft Sentinel's basic/auxiliary log tiers and data collection rules make this practical — see Sentinel deployment.
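The tiering described here, together with the retention windows from the previous section, can be written down as a small routing policy that is easy to review and to test against a dwell-time scenario. The following is an added example, not the article's or Microsoft's code: it routes constructed log records into a hot tier (90 days searchable, then archived) or straight to archive (12 months), tallies volume and cost per tier, and answers whether a record of a given age can still be reconstructed. The per-GB prices, the one-day sample volumes, and the choice to keep DNS hot are assumptions; the tier names are generic rather than Sentinel's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    retention_days: int
    cost_per_gb: float         # constructed placeholder, not a vendor price


HOT = Tier("hot", 90, 2.50)        # 90 days searchable (article baseline)
ARCHIVE = Tier("archive", 365, 0.10)  # 12 months archived (raise for regulated data)

HOT_THEN_ARCHIVE = (HOT, ARCHIVE)  # searchable now, retained in archive afterwards
ARCHIVE_ONLY = (ARCHIVE,)          # cheap storage, rehydrate on demand


def _always(_rec):
    return True


def _firewall_allow(rec):
    return rec.get("action") == "allow"


# Routing rules in evaluation order; first match wins.
ROUTING_RULES = [
    ("identity", _always, HOT_THEN_ARCHIVE),
    ("endpoint", _always, HOT_THEN_ARCHIVE),
    ("email",    _always, HOT_THEN_ARCHIVE),
    ("dns",      _always, HOT_THEN_ARCHIVE),   # assumption: DNS stays hot for C2 hunting
    ("firewall", _firewall_allow, ARCHIVE_ONLY),  # verbose allows go to archive
    ("firewall", _always, HOT_THEN_ARCHIVE),   # denies and anything else stay hot
]
DEFAULT_ROUTE = HOT_THEN_ARCHIVE  # unknown sources fail safe into searchable storage


def route(record):
    """Pick the tier chain for a record by source and, where needed, content."""
    for source, predicate, tiers in ROUTING_RULES:
        if record["source"] == source and predicate(record):
            return tiers
    return DEFAULT_ROUTE


def plan_ingest(records):
    """Bytes and cost per tier for a batch: hot-routed records are billed in both
    tiers (they age into archive), archive-only records once."""
    hot_bytes = sum(r["bytes"] for r in records if HOT in route(r))
    archive_bytes = sum(r["bytes"] for r in records)
    return {
        "bytes": {"hot": hot_bytes, "archive": archive_bytes},
        "cost": {"hot": hot_bytes / 1e9 * HOT.cost_per_gb,
                 "archive": archive_bytes / 1e9 * ARCHIVE.cost_per_gb},
    }


def availability(record, age_days):
    """What an investigator finds age_days after ingest: searchable, archived, or gone."""
    tiers = route(record)
    if HOT in tiers and age_days <= HOT.retention_days:
        return "searchable"
    if age_days <= ARCHIVE.retention_days:
        return "archived"
    return "gone"


def sample_day():
    """Constructed one-day ingest: record counts and sizes are made-up estimates."""
    spec = [("firewall", {"action": "allow"}, 5000, 350),
            ("firewall", {"action": "deny"}, 200, 350),
            ("identity", {}, 800, 1500), ("endpoint", {}, 400, 2000),
            ("email", {}, 300, 1200), ("dns", {}, 3000, 200)]
    return [{"source": s, "bytes": size, **extra}
            for s, extra, count, size in spec for _ in range(count)]


if __name__ == "__main__":
    plan = plan_ingest(sample_day())
    print(plan)
    signin = {"source": "identity", "bytes": 1500}
    for age in (30, 200, 400):
        print(f"sign-in record at {age} days:", availability(signin, age))
```

Running it shows firewall allows are over a third of the day's volume yet contribute nothing to hot-tier cost, while a sign-in record is searchable at 30 days, archived at 200, and gone at 400 with the 12-month baseline; that last answer is the retention decision the previous section is about, and tightening it is a one-line change to ARCHIVE.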
Logs Are Useless Without Someone Watching
Collection and retention enable investigation, but detection requires monitoring. That is the role of MDR — a 24/7 team turning log signals into contained incidents. Logs nobody reads only help after the damage.
Where to Start
Turn on the Microsoft 365 unified audit log and Entra sign-in logs today (free, often off by default), set 90-day hot / 12-month archive retention, then route them into monitoring. See cybersecurity services.