Skip to content
arrow_back
E8-AC-ML3.4
search
E8-AC-ML3.4 bolt ASD Essential Eight

Event logs from non-internet-facing servers are analysed

Check server logs regularly to find security issues early.

Detective ML3 Essential EightApplication controlloggingincident detection
record_voice_over

Plain language

Regularly checking the logs from servers that don't face the internet helps catch security problems early. It's like balancing your bank account – it ensures there are no unexpected surprises or threats lurking in your business systems.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application control

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
bolt ASD Essential Eight E8-AC-ML3.4
priority_high

Why it matters

Without timely analysis of event logs from non-internet-facing servers, lateral movement and insider activity may go undetected, delaying containment and increasing data loss.

settings

Operational notes

Centralise and review event logs from non-internet-facing servers daily; baseline normal admin/activity patterns and alert on failed logons, privilege changes and suspicious process/service creation.

build

Implementation tips

  • System administrator should schedule regular log analysis for non-internet-facing servers, perhaps weekly, to hunt for any unusual activity.
  • IT team should configure monitoring tools to flag suspicious activities in server logs automatically, allowing quick identification and action on potential threats.
  • Security officer should train staff on what to look for in server logs that might indicate a cybersecurity issue, ensuring a knowledgeable review process.
  • System administrator should ensure logs are stored correctly and securely so they can't be altered or deleted by unauthorised individuals.
  • IT team should use specific software to systematically parse and visualise log data so that trends and anomalies are easily identifiable.
fact_check

Audit / evidence tips

  • AskHow often are the event logs from non-internet-facing servers analysed?

  • GoodLogs are reviewed weekly as per the documented policy, with records or reports showing regular log analysis sessions

  • AskWhat methods are used to analyse these logs for cybersecurity threats?

  • GoodWe use [specific tool] to automatically flag anomalies, and staff have received training on this process

link

Cross-framework mappings

How E8-AC-ML3.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
layers Partially meets (2) expand_less
Annex A 8.15 E8-AC-ML3.4 requires timely analysis of event logs specifically from non-internet-facing servers to detect cyber security events
Annex A 8.16 E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events

ASD ISM

Control Notes Details
layers Partially meets (1) expand_less
ISM-1228 E8-AC-ML3.4 requires timely analysis of non-internet-facing server event logs to detect cyber security events
sync_alt Partially overlaps (4) expand_less
ISM-1906 E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events
ISM-1960 E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers for cyber security event detection
ISM-1961 E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
ISM-1986 E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events
extension Depends on (4) expand_less
ISM-0580 E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
ISM-1830 E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events
ISM-1911 E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events
ISM-2051 E8-AC-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
link Related (1) expand_less
ISM-1907 E8-AC-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping

Direction

Controls