Copy logs from all predefined hosts onto a log management infrastructure.


CONTROL ID: 01346
CONTROL TYPE: Log Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a log management program., CC ID: 00673

This Control has the following implementation support Control(s):
  • Identify hosts with logs that are not being stored., CC ID: 06314
  • Identify hosts with logs that are being stored at the system level only., CC ID: 06315
  • Identify hosts with logs that should be stored at both the system level and the infrastructure level., CC ID: 06316
  • Identify hosts with logs that are being stored at the infrastructure level only., CC ID: 06317


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A centralised logging facility is implemented and systems are configured to save event logs to the centralised logging facility as soon as possible after each event occurs. (Security Control: 1405; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Privileged access event logs are stored centrally. (Control: ISM-1651; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Privileged account and group management event logs are stored centrally. (Control: ISM-1652; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Break glass event logs are stored centrally. (Control: ISM-1715; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Application control event logs are stored centrally. (Control: ISM-1663; Revision: 1, Australian Government Information Security Manual, June 2023)
  • PowerShell event logs are stored centrally. (Control: ISM-1665; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Operating system event logs are stored centrally. (Control: ISM-1747; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Microsoft Office macro event logs are stored centrally. (Control: ISM-1678; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Microsoft AD DS event logs are stored centrally. (Control: ISM-1831; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Multi-factor authentication event logs are stored centrally. (Control: ISM-1684; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Web application event logs are stored centrally. (Control: ISM-1757; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Database event logs are stored centrally. (Control: ISM-1758; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Gateway event logs are stored centrally. (Control: ISM-1775; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Web proxy event logs are stored centrally. (Control: ISM-1777; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Unprivileged access event logs are stored centrally. (Control: ISM-1714; Revision: 1, Australian Government Information Security Manual, June 2023)
  • A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. (Control: ISM-1405; Revision: 3, Australian Government Information Security Manual, June 2023)
  • MFD event logs are stored centrally. (Control: ISM-1856; Revision: 0, Australian Government Information Security Manual, June 2023)
  • CDS event logs are stored centrally. (Control: ISM-1776; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility. (Control: ISM-1430; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Privileged access event logs are stored centrally. (Control: ISM-1651; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Privileged account and group management event logs are stored centrally. (Control: ISM-1652; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Break glass event logs are stored centrally. (Control: ISM-1715; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Application control event logs are stored centrally. (Control: ISM-1663; Revision: 1, Australian Government Information Security Manual, September 2023)
  • PowerShell event logs are stored centrally. (Control: ISM-1665; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Operating system event logs are stored centrally. (Control: ISM-1747; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Microsoft Office macro event logs are stored centrally. (Control: ISM-1678; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Microsoft AD DS event logs are stored centrally. (Control: ISM-1831; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Multi-factor authentication event logs are stored centrally. (Control: ISM-1684; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Web application event logs are stored centrally. (Control: ISM-1757; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Database event logs are stored centrally. (Control: ISM-1758; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Gateway event logs are stored centrally. (Control: ISM-1775; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Web proxy event logs are stored centrally. (Control: ISM-1777; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Unprivileged access event logs are stored centrally. (Control: ISM-1714; Revision: 1, Australian Government Information Security Manual, September 2023)
  • A centralised event logging facility is implemented and event logs are sent to the facility as soon as possible after they occur. (Control: ISM-1405; Revision: 3, Australian Government Information Security Manual, September 2023)
  • MFD event logs are stored centrally. (Control: ISM-1856; Revision: 0, Australian Government Information Security Manual, September 2023)
  • CDS event logs are stored centrally. (Control: ISM-1776; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Dynamically assigned IPv6 addresses are configured with Dynamic Host Configuration Protocol version 6 in a stateful manner with lease data stored in a centralised event logging facility. (Control: ISM-1430; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes configuring remote logging or transferring local log events to a central server. (Control: 0380 Bullet 7, Australian Government Information Security Manual: Controls)
  • The database event logs should be logged to a secure logging server, so they are centrally located. (Control: 1280, Australian Government Information Security Manual: Controls)
  • The organization must configure the system to save the event logs to a separate secure log server. (Control: 1344, Australian Government Information Security Manual: Controls)
  • The organization should save the event logs to separate secure log servers as soon as possible after the event occurs. (Control: 0587, Australian Government Information Security Manual: Controls)
  • The organization must ensure gateways that connect networks from different security domains are operated and maintained by configuring the event logs to be saved to a separate secure log server. (Control: 0634 Bullet 3, Australian Government Information Security Manual: Controls)
  • Verify that logs for external-facing technologies (for example, wireless, firewalls, Domain Name Servers, mail) are offloaded or copied onto a secure centralized internal log server or media. (§ 10.5.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview System Administrators and examine system configurations and permissions to verify audit logs for external-facing technologies are written onto a secure, centralized, internal log server or media. (Testing Procedures § 10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure audit trails are written onto a log server. (§ 10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media. (§ 10.5.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Audit logs for external-facing technologies must be written onto a secure, centralized, internal log server or media device. (PCI DSS Requirements § 10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. (10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. (10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Write logs for external-facing technologies onto a secure, centralized, internal log server or media device. (10.5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (10.5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media. (10.5.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (PCI DSS Question 10.5.4, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (PCI DSS Question 10.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? (PCI DSS Question 10.5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Network devices should be configured to copy control information (e.g., event logs and tables) to authorized portable storage media. (CF.09.01.04c, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should protect information in each Digital Rights Management object by maintaining usage logs centrally for analysis (e.g., on a dedicated server). (CF.08.08.07g, The Standard of Good Practice for Information Security)
  • Network devices should be configured to copy control information (e.g., event logs and tables) to authorized portable storage media. (CF.09.01.04c, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should protect information in each Digital Rights Management object by maintaining usage logs centrally for analysis (e.g., on a dedicated server). (CF.08.08.07g, The Standard of Good Practice for Information Security, 2013)
  • Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. (1.7.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Logs should be sent to a duplicate log server, when possible. (Action 1.8.5, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should verify that logs are written to dedicated logging servers that are running on hosts that are separate from the hosts generating the logs or to write-only devices. (Critical Control 14.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. (CIS Control 6: Sub-Control 6.5 Central Log Management, CIS Controls, 7.1)
  • Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. (CIS Control 6: Sub-Control 6.5 Central Log Management, CIS Controls, V7)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. (AU-3(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. (M1029 Remote Data Storage, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • On UNIX computers or Linux computers that transmit scoped data, are the audit logs stored on alternate systems? (§ G.16.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are audit logs stored on alternate systems? (§ G.16.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are audit logs stored on alternate systems? (§ G.16.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are audit logs stored on alternate systems? (§ G.17.8, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are audit logs stored on alternate systems? (§ V.1.72.9, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The criminal justice information services systems agency or state identification bureau shall send each individual intrusion detection log to a central logging facility. (§ 5.10.1.3 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Audit logs for virtual machines shall be stored outside the hosts' virtual environment. (§ 5.10.3.2 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment. (§ 5.10.3.2 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Maintain audit logs for all virtual machines and hosts and store the logs outside the hosts' virtual environment. (§ 5.10.3.2 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Send individual intrusion detection logs to a central logging facility where correlation and analysis will be accomplished as a system wide intrusion detection effort. (§ 5.10.1.3 ¶ 3 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by [FedRAMP Assignment: all network, data storage, and computing devices]. (AU-3(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Event data from access points and authentication servers should be sent to a secure audit server in real time to ensure captured data is protected. (Table 8-2 Item 17, Table 8-4 Item 40, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for which types of hosts must or should transfer logs to a log management infrastructure. (§ 4.2 Bullet 2, Guide to Computer Security Log Management, NIST SP 800-92)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. (AU-3(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. (AU-4(1) ¶ 1 Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. (AU-4(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. (AU-4(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The smart grid Information System should provide the capability to centrally manage the audit records that are generated by individual components. (SG.AU-3 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by {organizationally documented information system components}. (AU-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system off-loads audit records {organizationally documented frequency} onto a different system or media than the system being audited. (AU-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {organizationally documented methods} for coordinating {organizationally documented audit information} among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by {organizationally documented information system components}. (AU-3(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. (AU-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. (AU-3(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. (AU-4(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Store audit information on a component running a different operating system than the system or component being audited. (AU-9(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. (AU-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Store audit information on a component running a different operating system than the system or component being audited. (AU-9(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. (AU-4(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. (AU-16 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)