What is the purpose of logging and what should be included in logs for Annex B?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

What is the purpose of logging and what should be included in logs for Annex B?

Explanation:
Logging captures what happens in the system so you can monitor activity, diagnose problems, and support investigations. For Annex B, the most effective logs include enough detail to reconstruct events: a precise timestamp, the source of the event, the type of event, the user ID involved, the outcome (success or failure), and measures to protect the log against tampering (integrity protections such as tamper-evident storage, digital signatures, and strict access controls). This combination creates a trustworthy audit trail that supports incident response, compliance checks, and forensic analysis.

Logs should be collected in a centralized, protected location with appropriate retention policies and protections to prevent modification or loss. Including user IDs and other relevant identifiers is important for accountability, and protecting the logs ensures that investigators can rely on the information when tracing events. The other options run contrary to these goals: treating logs as irrelevant, excluding user IDs, or storing logs only on local devices undermines traceability, integrity, and resilience.
