Protect event logs from unauthorized changes or deletion
Ensure event logs cannot be tampered with or erased without permission.
Plain language
This control is about making sure that important computer records, known as event logs, can’t be changed or erased without the right permissions. Without this protection, someone with bad intentions could hide their tracks after doing something harmful to a computer system.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs are protected from unauthorized modification and deletion.
Why it matters
If event logs can be altered or deleted without detection, attackers can hide malicious activity, undermining forensic investigations and accountability for incidents.
Operational notes
Store logs on WORM or immutable storage and restrict log admin access; enable auditing/alerting on log changes to prevent unauthorised modification or deletion.
Implementation tips
- System administrators should ensure event logs are stored in a secure location. This can be done by configuring the system to save logs on a separate, protected server.
- The IT security team should set up access controls on the event log files. They can do this by restricting permissions so that only authorised personnel can make changes.
- System administrators should regularly back up event logs. Use automated backup tools to schedule and store backups safely.
- Security officers should implement log monitoring. Set up alerts for any changes to the logs, which can be achieved through monitoring software.
- The IT team should enable 'audit log integrity' features when available. This will add an extra layer of protection by ensuring log files are not tampered with.
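The tips on log integrity and on alerting for changes can be illustrated with a keyed hash chain, shown here as an added example that is not part of the original page or of any ASD tooling. The function names, record fields and key are assumptions of this example; the chain head is assumed to be stored on the separate, protected server so that truncation is detectable.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed start of the chain (assumption of this example)

def chain_tag(key, prev, record):
    """HMAC over the previous tag plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()

def seal(key, records):
    """Tag each record; return (entries, head). Store head off the log host."""
    prev, entries = GENESIS, []
    for record in records:
        prev = chain_tag(key, prev, record)
        entries.append({"record": record, "tag": prev.hex()})
    return entries, prev.hex()

def verify(key, entries, trusted_head):
    """Return 'ok', 'broken-at-<i>' or 'head-mismatch'."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = chain_tag(key, prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), str(entry.get("tag", ""))):
            # Record i was edited, or an earlier entry was removed or reordered.
            return f"broken-at-{i}"
        prev = expected
    if not hmac.compare_digest(prev.hex(), trusted_head):
        # Chain is internally valid but does not end where the trusted copy
        # says it should: entries were truncated from the end.
        return "head-mismatch"
    return "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held by the collector, not the host
    records = [  # constructed sample events
        {"ts": "2026-03-19T01:00:00Z", "host": "ws01", "event": "logon", "user": "alice"},
        {"ts": "2026-03-19T01:05:00Z", "host": "ws01", "event": "priv-use", "user": "alice"},
        {"ts": "2026-03-19T01:09:00Z", "host": "ws01", "event": "logoff", "user": "alice"},
    ]
    entries, head = seal(key, records)
    print(verify(key, entries, head))                    # intact log
    print(verify(key, entries[:1] + entries[2:], head))  # middle entry deleted
    print(verify(key, entries[:2], head))                # tail truncated
```

A result other than `ok` is the condition to alert on; the check only has value if the key and the head are kept where a log administrator on the source host cannot rewrite them.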
Audit / evidence tips
- Ask: How do you ensure the event logs are protected from unauthorised changes?
- Good: Access controls are in place, limiting changes to authorised personnel only
- Ask: How do you make sure that event logs are regularly backed up?
- Good: Automated backups are set up to occur nightly, stored securely
Cross-framework mappings
How E8-AH-ML2.13 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.33 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to preserve their integrity for detection an... | |
| Annex A 8.15 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion | |
| Supports (1) | | |
| Annex A 5.28 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion so they remain trustworthy | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-1624 | ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality | |
| ISM-1985 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion | |
| Partially overlaps (1) | | |
| ISM-0582 | ISM-0582 requires central logging of security-relevant events for Windows | |
| Supports (3) | | |
| ISM-0138 | E8-AH-ML2.13 requires protecting event logs from unauthorised modification and deletion, helping ensure logs can be relied on during inci... | |
| ISM-1910 | ISM-1910 requires centrally logging internet-accessible network API calls that modify data or access non-public data | |
| ISM-1989 | ISM-1989 requires event logs to be retained for minimum periods as set out in AFDA Express | |
| Depends on (2) | | |
| ISM-0120 | ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools for monitoring indicators of compromise | |
| ISM-1509 | ISM-1509 requires privileged access events to be centrally logged so they can be monitored and relied upon during investigations | |
| Related (1) | | |
| ISM-1815 | E8-AH-ML2.13 requires event logs to be protected from unauthorised modification and deletion to prevent tampering | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.