Event logging and monitoring
Event logging and monitoring activities
These guidelines are intended for security-relevant event logs. They are not intended for non-security-relevant event logs, such as system and application performance-related event logs.
Event logging policy
By developing an event logging policy, taking into consideration any shared responsibilities between service providers and their customers, an organisation can improve their chances of detecting malicious behaviour on their systems. In doing so, an event logging policy should cover details of events to be logged, event logging facilities to be used, how event logs will be monitored and how long to retain event logs.
Control: ISM-0580; Revision: 7; Updated: Dec-22; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
An event logging policy is developed, implemented and maintained.
Centralised event logging facility
A centralised event logging facility can be used to capture, protect and manage event logs from multiple sources in a coordinated manner. This may be achieved by using a Security Information and Event Management solution. Furthermore, in support of a centralised event logging facility, it is important that an accurate and consistent time source is used so that events from different sources can be correlated reliably.
Control: ISM-1405; Revision: 4; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
A centralised event logging facility is implemented.
Control: ISM-1983; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs are sent to a centralised event logging facility as soon as possible after they occur.
Control: ISM-1984; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs sent to a centralised event logging facility are encrypted in transit.
Control: ISM-1985; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs are protected from unauthorised access.
Control: ISM-1815; Revision: 1; Updated: Dec-23; Applicability: NC, OS, P, S, TS; Essential Eight: ML2, ML3
Event logs are protected from unauthorised modification and deletion.
Control: ISM-0988; Revision: 7; Updated: Sep-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
An accurate and consistent time source is used for event logging.
Event log details
For each event logged, sufficient detail needs to be recorded in order for event logs to be useful. In doing so, event logs should be captured and stored in a consistent and structured format.
Control: ISM-0585; Revision: 6; Updated: Jun-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
For each event logged, the date and time of the event, the relevant user or process, the relevant filename, the event description, and the information technology equipment involved are recorded.
Control: ISM-1959; Revision: 0; Updated: Sep-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
To the extent possible, event logs are captured and stored in a consistent and structured format.
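As an added illustration of ISM-0585 and ISM-1959 (example code written for this page, not part of the ISM or any ASD tool), the following Python normalises two constructed log lines from different sources into one consistent structured record carrying the required details, converts timestamps to UTC in support of a consistent time source (ISM-0988), and flags records that lack a required detail. The field names, regular expressions and sample lines are this example's own assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Details ISM-0585 requires for every event; the field names are this example's own choice.
REQUIRED = ("timestamp", "subject", "filename", "description", "equipment")

# Constructed sample input: a syslog-style line with a PID, and one without a file reference.
SAMPLE_LINES = [
    "2024-06-03T14:05:09+10:00 fileserver01 smbd[2211]: user=jsmith action=open file=/share/finance/q2.xlsx",
    "2024-06-03T04:05:11Z ws-1022 auditd: user=svc_backup action=delete",
]

# Assumed line layout: <timestamp> <host> <process>[pid]: key=value ...
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")


def normalise(line):
    """Parse one raw line into a structured record with the ISM-0585 details; None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("msg")))
    # Normalise to UTC so events from hosts in different zones line up when correlated.
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")).astimezone(timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "subject": kv.get("user") or m.group("proc"),  # relevant user, else the process
        "filename": kv.get("file"),
        "description": kv.get("action", m.group("msg")),
        "equipment": m.group("host"),
        "process": m.group("proc"),
    }


def missing_fields(record):
    """Return the required details absent or empty in a normalised record."""
    return [f for f in REQUIRED if not record.get(f)]


def process(lines):
    """Split a batch into structured JSON records and lines flagged for lacking required detail."""
    structured, flagged = [], []
    for line in lines:
        rec = normalise(line)
        gaps = list(REQUIRED) if rec is None else missing_fields(rec)
        if gaps:
            flagged.append({"raw": line, "missing": gaps})
        else:
            structured.append(json.dumps(rec, sort_keys=True))
    return structured, flagged
```

The second sample line is flagged because it carries no filename; in practice a source whose events genuinely involve no file would need an explicit marker rather than an empty field so the check can distinguish "not applicable" from "not recorded".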
Event log monitoring
Event log monitoring is critical to maintaining the security posture of systems. Notably, such activities involve analysing event logs in a timely manner to detect cyber security events, thereby leading to the identification of cyber security incidents.
Control: ISM-1986; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs from critical servers are analysed in a timely manner to detect cyber security events.
Control: ISM-1906; Revision: 0; Updated: Dec-23; Applicability: NC, OS, P, S, TS; Essential Eight: ML2, ML3
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Control: ISM-1907; Revision: 0; Updated: Dec-23; Applicability: NC, OS, P, S, TS; Essential Eight: ML3
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Control: ISM-0109; Revision: 9; Updated: Dec-23; Applicability: NC, OS, P, S, TS; Essential Eight: ML3
Event logs from workstations are analysed in a timely manner to detect cyber security events.
Control: ISM-1987; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs from security products are analysed in a timely manner to detect cyber security events.
Control: ISM-1960; Revision: 0; Updated: Sep-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs from internet-facing network devices are analysed in a timely manner to detect cyber security events.
Control: ISM-1961; Revision: 0; Updated: Sep-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs from non-internet-facing network devices are analysed in a timely manner to detect cyber security events.
Control: ISM-1228; Revision: 3; Updated: Mar-22; Applicability: NC, OS, P, S, TS; Essential Eight: ML2, ML3
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Event log retention
The retention of event logs is integral to system monitoring, hunt and cyber security incident response activities. As such, event logs should be retained for a suitable period of time to facilitate these activities.
Control: ISM-1988; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs are retained in a searchable manner for at least 12 months.
Control: ISM-1989; Revision: 0; Updated: Dec-24; Applicability: NC, OS, P, S, TS; Essential Eight: N/A
Event logs are retained as per minimum retention requirements for various classes of records as set out by the National Archives of Australia’s Administrative Functions Disposal Authority Express (AFDA Express) Version 2 publication.
Further information
Further information on logging intrusion activity can be found in the managing cyber security incidents section of the Guidelines for Cyber Security Incidents.
Further information on event logging for Cross Domain Solutions can be found in the Cross Domain Solutions section of the Guidelines for Gateways.
Further information on event logging for databases can be found in the databases section of the Guidelines for Database Systems.
Further information on event logging for gateways can be found in the gateways section of the Guidelines for Gateways.
Further information on event logging for multifunction devices can be found in the fax machines and multifunction devices section of the Guidelines for Communications Systems.
Further information on event logging for operating systems can be found in the operating system hardening and authentication hardening sections of the Guidelines for System Hardening.
Further information on event logging for application-based security products can be found in the operating system hardening section of the Guidelines for System Hardening.
Further information on event logging for network-based security products can be found in the network design and configuration section of the Guidelines for Networking.
Further information on event logging for server applications can be found in the server application hardening section of the Guidelines for System Hardening.
Further information on event logging for system access can be found in the access to systems and their resources section of the Guidelines for Personnel Security.
Further information on event logging for user applications can be found in the user application hardening section of the Guidelines for System Hardening.
Further information on event logging for web applications can be found in the web application development section of the Guidelines for Software Development.
Further information on event logging for web proxies can be found in the web proxies section of the Guidelines for Gateways.
Further information on event logging can be found in the following Australian Signals Directorate publications:
- Best Practices for Event Logging and Threat Detection
- Detecting and Mitigating Active Directory Compromises
- Hardening Microsoft Windows 10 and Windows 11 Workstations
- Windows Event Logging and Forwarding.
Further information on prioritising the collection and storage of event logs can be found in the United States’ Cybersecurity & Infrastructure Security Agency’s Guidance for Implementing M-21-31: Improving the Federal Government's Investigative and Remediation Capabilities publication.
Further information on the National Archives of Australia’s requirements for event log retention can be found in their AFDA Express Version 2 – Technology & Information Management publication.