Immutable Logs Manual: How to Satisfy the NIS2 WORM Requirement

Practical guide to implementing immutable WORM logs in your company. Discover why they are essential for NIS2 compliance and how to protect them from deletion.

9 March 2026 | 2 min read | SecBox Team

In summary: What are Immutable WORM Logs for NIS2? Immutable logs (WORM - Write Once Read Many) are digital records that cannot be modified or deleted after they are created. The NIS2 Directive explicitly requires secure log retention for at least 12 months. This prevents hackers from erasing their tracks after an attack and ensures valid evidence for audits and incident response.

For a European SME subject to NIS2, logs are no longer just ignorable "text files." They are the legal proof that the company has adopted adequate security measures. If you cannot demonstrate what happened through logs, the company is legally responsible for the incident.


Why Local Logs Are Not Enough

When a hacker gains administrator privileges on a Windows or Linux server, their first move is often to delete log files (event logs, syslog). If the logs reside only on the compromised machine, the evidence of the intrusion vanishes.

The WORM Architecture (Write Once, Read Many)

A secure architecture involves real-time log forwarding to an isolated remote server using deletion-proof storage.

The 3 requirements for secure logs:

  1. Centralization: Immediate forwarding to a dedicated log server.
  2. Immutability (WORM): Technically preventing any modification or overwriting.
  3. Certified Retention: Automatic storage for 12-24 months as required by EU standards.

How to Implement Immutable Logs in Your Company

1. Remote Syslog Configuration (Linux)

# Forward all logs to a secure remote server (rsyslog syntax)
# A single @ sends over UDP; use @@ to send over TCP instead
*.* @remote_log_server_ip:514

2. Event Forwarding Configuration (Windows)

Use the Windows Event Forwarding (WEF) service to send events to a central collector (WEC).

3. Hardware/Software Level Storage

Use solutions like AWS S3 Object Lock or specialized archiving software that implements immutability policies at the file system level.
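
As an added example (not part of the original article and not SecBox code), the Python below audits an S3 Object Lock configuration against the 12-month retention described above. It assumes the dict shape returned by S3 GetObjectLockConfiguration; the function names and both sample responses are constructed for illustration.

```python
# Added example: audit an S3 Object Lock configuration against a 12-month
# WORM policy. The input is assumed to have the shape returned by
# GetObjectLockConfiguration (boto3: s3.get_object_lock_configuration).

MIN_RETENTION_DAYS = 365  # 12 months, the minimum retention this article states


def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days (1 year = 365)."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def audit_object_lock(response, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the policy is met."""
    config = response.get("ObjectLockConfiguration", {})
    if config.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: log objects can be overwritten or deleted"]
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["No default retention rule: new log objects are not locked automatically"]
    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE locks can be lifted by principals that hold the
        # s3:BypassGovernanceRetention permission, so they are not strict WORM.
        findings.append(f"Retention mode is {mode}, not COMPLIANCE: privileged users can bypass it")
    days = retention_days(retention)
    if days < min_days:
        findings.append(f"Default retention is {days} days, below the {min_days}-day minimum")
    return findings


# Constructed sample responses (not taken from a real account)
COMPLIANT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 2}}}}
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}}

if __name__ == "__main__":
    for name, resp in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(name, audit_object_lock(resp) or "OK")
```

An empty result means the bucket default matches the policy; it does not prove that objects written before the rule was set are locked.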


The SecBox Shield "Zero-Effort" Solution

Setting up an immutable log infrastructure requires advanced sysadmin skills and involves high storage costs.

SecBox Shield includes as standard:

  1. Centralized Collector: We collect all your server logs for you.
  2. WORM Infrastructure: Logs are written to isolated storage that no one (not even us!) can delete before the retention period ends.
  3. Audit Ready: In case of a compliance audit, your logs are ready, intact, and valid as legal evidence.

Secure your NIS2 compliance with SecBox Shield
