Event logs from non-internet-facing servers are analysed
Check server logs regularly to find security issues early.
Plain language
Regularly checking the logs from servers that don't face the internet helps catch security problems early. It's like balancing your bank account – it ensures there are no unexpected surprises or threats lurking in your business systems.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
Without timely analysis of event logs from non-internet-facing servers, lateral movement and insider activity may go undetected, delaying containment and increasing data loss.
Operational notes
Centralise and review event logs from non-internet-facing servers daily; baseline normal admin/activity patterns and alert on failed logons, privilege changes and suspicious process/service creation.
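The review described above, as an added example that is not part of the official control text: it baselines known-good privilege and process/service activity per server, then flags failed-logon bursts and anything outside that baseline. The Windows event IDs, the record fields, the host and account names and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import Counter

# Assumed Windows event IDs for the three categories named in the note.
FAILED_LOGON = {4625}             # failed logon
PRIV_CHANGE = {4672, 4728, 4732}  # special privileges assigned, group membership adds
CREATION = {4688, 4697, 7045}     # process creation, service installation

def key(e):
    return (e["host"], e["id"], e["account"], e["detail"])

def build_baseline(history):
    """Privilege and creation activity seen during a known-good period."""
    return {key(e) for e in history if e["id"] in PRIV_CHANGE | CREATION}

def analyse(events, baseline, failed_threshold=5):
    """Return sorted alerts as (kind, host, account, detail)."""
    alerts = set()
    failures = Counter((e["host"], e["account"])
                       for e in events if e["id"] in FAILED_LOGON)
    for (host, account), n in failures.items():
        if n >= failed_threshold:  # burst of failures for one account on one server
            alerts.add(("failed-logons", host, account, f"{n} failures"))
    for e in events:
        if key(e) in baseline:
            continue  # matches normal admin/activity pattern for this server
        if e["id"] in PRIV_CHANGE:
            alerts.add(("privilege-change", e["host"], e["account"], e["detail"]))
        elif e["id"] in CREATION:
            alerts.add(("new-process-or-service", e["host"], e["account"], e["detail"]))
    return sorted(alerts)

def ev(host, id_, account, detail=""):
    return {"host": host, "id": id_, "account": account, "detail": detail}

# Constructed sample data: a known-good history and one day of centralised events.
HISTORY = [
    ev("FILESRV01", 4672, "svc_backup", "SeBackupPrivilege"),
    ev("FILESRV01", 4688, "svc_backup", "robocopy.exe"),
    ev("DB01", 4688, "adm_jane", "sqlcmd.exe"),
]
TODAY = [
    ev("FILESRV01", 4672, "svc_backup", "SeBackupPrivilege"),  # in baseline
    ev("FILESRV01", 4688, "svc_backup", "robocopy.exe"),       # in baseline
    ev("FILESRV01", 7045, "SYSTEM", "UpdaterSvc"),             # service not seen before
    ev("DB01", 4732, "helpdesk1", "Administrators"),           # local group add
    ev("DB01", 4688, "adm_jane", "sqlcmd.exe"),                # in baseline
] + [ev("DB01", 4625, "adm_jane")] * 6 + [ev("DB01", 4625, "guest")] * 2

if __name__ == "__main__":
    for alert in analyse(TODAY, build_baseline(HISTORY)):
        print(alert)
```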
Implementation tips
- System administrator should schedule regular log analysis for non-internet-facing servers, perhaps weekly, to hunt for any unusual activity.
- IT team should configure monitoring tools to flag suspicious activities in server logs automatically, allowing quick identification and action on potential threats.
- Security officer should train staff on what to look for in server logs that might indicate a cybersecurity issue, ensuring a knowledgeable review process.
- System administrator should ensure logs are stored correctly and securely so they can't be altered or deleted by unauthorised individuals.
- IT team should use specific software to systematically parse and visualise log data so that trends and anomalies are easily identifiable.
Audit / evidence tips
- Ask: How often are the event logs from non-internet-facing servers analysed?
- Good: Logs are reviewed weekly as per the documented policy, with records or reports showing regular log analysis sessions
- Ask: What methods are used to analyse these logs for cybersecurity threats?
- Good: We use [specific tool] to automatically flag anomalies, and staff have received training on this process
Cross-framework mappings
How E8-AC-ML3.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.15 | E8-AC-ML3.4 requires timely analysis of event logs specifically from non-internet-facing servers to detect cyber security events | |
| Annex A 8.16 | E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1228 | E8-AC-ML3.4 requires timely analysis of non-internet-facing server event logs to detect cyber security events | |
| Partially overlaps (4) | | |
| ISM-1906 | E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| ISM-1960 | E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers for cyber security event detection | |
| ISM-1961 | E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1986 | E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| Depends on (4) | | |
| ISM-0580 | E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1830 | E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| ISM-1911 | E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| ISM-2051 | E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| Related (1) | | |
| ISM-1907 | E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.