AuditRubric
pr-ps-4 high Protect / Platform Security

Log records are generated and made available for continuous monitoring

Logs are how you know what happened. Without comprehensive logging, incident investigation is guesswork: you cannot determine the timeline of an attack, identify compromised accounts, or trace data exfiltration. Enabling the right logs and shipping them to a central location before an incident is the prerequisite for every detection and investigation capability that follows.

Estimated effort: 4h
Tags: logging, audit-logs, siem, log-management, monitoring

Implementation steps

  1. Define which events must be logged

     Determine the minimum log set required for security monitoring and incident investigation: authentication events (success and failure), privilege escalation, account creation and deletion, file access for sensitive data, network connection events, and changes to security configuration. Start with what your compliance framework requires and add what your incident response team needs.

  2. Enable logging on all critical systems and ship logs centrally

     Enable logging for the required event types on all critical systems: servers, cloud infrastructure, identity provider, network devices, and SaaS tools with API-accessible logs. Ship all logs to a centralized log management or SIEM platform so they are searchable and protected from tampering. Logs that only exist on the host they monitor can be deleted by an attacker who compromises that host.

     Tools: datadog, splunk, elastic, aws-cloudtrail, azure-monitor, google-cloud-logging

  3. Set and enforce log retention periods

     Define how long logs must be retained: typically 90 days hot (searchable) and 12 months archived (cold storage). Configure retention policies in your log management platform. Verify that logs are not being dropped due to volume limits or rate throttling. Alert on gaps in log ingestion from critical sources.

     Tools: datadog, splunk, elastic, aws-s3, cloudflare-logpush
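The ingestion-gap alert from step 3, as an added example that is not part of this page or of any of the listed tools: it takes a per-source hourly ingest table (as a SIEM can export it), flags critical sources that have gone silent beyond their tolerance, never reported, or whose latest bucket collapsed relative to earlier ones (a sign of volume limits or rate throttling). Source names, tolerances and counts are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MMZ' hour-bucket labels used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed sample: (source, UTC hour bucket, events ingested in that hour).
SAMPLE_INGEST = [
    ("aws-cloudtrail", "2024-05-01T10:00Z", 4200),
    ("aws-cloudtrail", "2024-05-01T11:00Z", 4100),
    ("aws-cloudtrail", "2024-05-01T12:00Z", 120),   # sudden collapse in volume
    ("okta", "2024-05-01T10:00Z", 300),
    ("okta", "2024-05-01T11:00Z", 290),
    ("okta", "2024-05-01T12:00Z", 310),
    ("fw-edge-01", "2024-05-01T08:00Z", 9000),       # nothing after this bucket
]

# Hypothetical critical-source inventory: maximum tolerated silence per source.
CRITICAL_SOURCES = {
    "aws-cloudtrail": timedelta(hours=1),
    "okta": timedelta(hours=1),
    "fw-edge-01": timedelta(hours=2),
    "gcp-audit": timedelta(hours=1),                 # in the inventory, never seen
}

NOW = parse_ts("2024-05-01T12:30Z")  # evaluation time for the sample


def find_ingestion_gaps(records, critical, now, drop_ratio=0.2):
    """Return [(source, reason)] for every critical source that is missing,
    silent longer than its tolerance, or whose newest hourly count fell below
    drop_ratio * mean of its earlier buckets."""
    by_source = defaultdict(list)
    for src, ts, count in records:
        by_source[src].append((parse_ts(ts), count))
    findings = []
    for src, max_silence in critical.items():
        buckets = sorted(by_source.get(src, []))
        if not buckets:
            findings.append((src, "no events ever received"))
            continue
        last_ts, last_count = buckets[-1]
        if now - last_ts > max_silence:
            findings.append((src, f"silent since {last_ts.isoformat()}"))
            continue
        earlier = [c for _, c in buckets[:-1]]
        if earlier and last_count < drop_ratio * (sum(earlier) / len(earlier)):
            findings.append((src, f"volume dropped to {last_count}"))
    return findings
```

Run it over `SAMPLE_INGEST` with `NOW` and it reports the CloudTrail volume drop, the silent firewall, and the never-seen GCP source, while Okta passes.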

Evidence required

Log coverage inventory

A record of which systems are logging, what event types are captured, and where logs are sent.

  • Logging configuration documentation listing sources and event types
  • SIEM source list showing all systems with active log ingestion
  • Cloud provider logging configuration screenshot (e.g., CloudTrail enabled across all regions)

Log retention configuration

Evidence that logs are retained for the required period in a centralized, tamper-resistant location.

  • Log management platform retention settings screenshot
  • S3 lifecycle policy for log archive retention
  • Log retention policy document with defined retention periods by log type

Related controls