E8-AH-ML2.14 ASD Essential Eight

Timely Analysis of Event Logs from Internet-Facing Servers

Regularly review event logs from internet-facing servers to spot security issues quickly.

Plain language

This control is about looking at the logs from your servers that face the internet, like a shop window facing the street. Regularly checking these logs helps you spot dodgy activity early, like someone trying to break in, so you can stop it before any serious damage is done.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

18 May 2026

E8 maturity levels

ML2

Official control statement

Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

Why it matters

Without timely analysis of event logs from internet-facing servers, intrusions may go unnoticed, enabling persistence, data theft, and disruption.

Operational notes

Review internet-facing server event logs at least daily (within 24 hours) and alert on anomalies such as repeated failures, new admin accounts, or suspicious processes.

Implementation tips

  • IT team: Regularly schedule log analysis sessions to review server logs for unusual activity, ensuring this is done daily or weekly, depending on your organisation's size.
  • System administrator: Set up automated alerts to notify the team about suspicious log entries, using configurable thresholds to identify potential threats promptly.
  • Security officer: Develop clear protocols for responding to alerts generated from log reviews, including who to contact and what actions to take.
  • IT team: Use a secure system for storing and accessing logs to prevent tampering, ensuring access is limited to authorised personnel only.
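
The three anomaly types named in the operational notes, checked over a 24-hour review window with a configurable threshold. This is an added example, not part of the control text. The normalised log format, event names, thresholds, and the group and process lists are assumptions to be replaced with what your log pipeline actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed tunables (not from the control text); adjust per environment.
FAIL_THRESHOLD = 5                    # failures per (host, source) ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
REVIEW_WINDOW = timedelta(hours=24)   # the daily review period
ADMIN_GROUPS = {"sudo", "wheel", "Administrators"}
WEB_PARENTS = {"nginx", "apache2", "w3wp.exe"}
SHELLS = {"/bin/sh", "/bin/bash", "cmd.exe", "powershell.exe"}

def parse(line):
    """Parse '<iso-ts> <host> <event> k=v ...' (hypothetical normalised format)."""
    ts, host, event, *pairs = line.split()
    return datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in pairs)

def analyse(lines, now):
    """Return alerts, in time order, for events in the 24 hours ending at now."""
    alerts, recent = [], defaultdict(deque)
    for ts, host, event, f in sorted(map(parse, lines), key=lambda e: e[0]):
        if not now - REVIEW_WINDOW <= ts <= now:
            continue  # older events belong to an earlier review
        if event == "auth_failure":
            q = recent[(host, f["src"])]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # window count has reached the threshold
                alerts.append((host, "repeated_failures", f["src"]))
        elif event == "group_add" and f["group"] in ADMIN_GROUPS:
            alerts.append((host, "new_admin_account", f["user"]))
        elif (event == "process_start" and f["parent"] in WEB_PARENTS
              and f["image"] in SHELLS):
            alerts.append((host, "suspicious_process", f["image"]))
    return alerts

# Constructed sample events (documentation IP ranges, invented host and users).
SAMPLE = [f"2026-05-18T02:10:{s:02d}+00:00 web01 auth_failure user=admin src=203.0.113.7"
          for s in range(0, 50, 10)] + [
    "2026-05-16T03:00:00+00:00 web01 group_add user=old_ops group=sudo",
    "2026-05-18T02:11:00+00:00 web01 auth_failure user=admin src=198.51.100.9",
    "2026-05-18T03:00:00+00:00 web01 group_add user=svc_tmp group=sudo",
    "2026-05-18T03:05:00+00:00 web01 process_start parent=nginx image=/bin/sh",
    "2026-05-18T03:06:00+00:00 web01 process_start parent=systemd image=/usr/sbin/nginx",
]
NOW = datetime(2026, 5, 18, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in analyse(SAMPLE, NOW):
        print(alert)
```

The single failure from 198.51.100.9 and the nginx start under systemd stay below the alerting rules, and the event dated two days earlier falls outside the review window.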

Audit / evidence tips

  • Ask: How frequently are the logs from internet-facing servers reviewed?
  • Good: Logs are reviewed at least weekly, with automated systems in place to alert on suspicious activity immediately
  • Ask: Who is responsible for analysing these server logs?
  • Good: The IT team or designated security officer is clearly responsible for log analysis, with documented procedures
Cross-framework mappings

How E8-AH-ML2.14 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)
  • Annex A 8.15: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • Annex A 8.16: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events

Partially overlaps (1)
  • Annex A 5.28: E8-AH-ML2.14 requires timely analysis of internet-facing server event logs to detect cyber security events

Supports (2)
  • Annex A 5.25: E8-AH-ML2.14 requires timely analysis of internet-facing server event logs to detect cyber security events
  • Annex A 5.26: E8-AH-ML2.14 requires timely analysis of internet-facing server logs to detect cyber security events

ASD ISM

Partially meets (1)
  • ISM-1228: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events

Partially overlaps (6)
  • ISM-1907: E8-AH-ML2.14 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events
  • ISM-1960: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1961: ISM-1961 requires timely analysis of event logs from non-internet-facing network devices to detect cyber security events
  • ISM-1963: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1986: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1987: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events

Supports (2)
  • ISM-0580: ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
  • ISM-1624: ISM-1624 requires PowerShell script block logs to be protected using Protected Event Logging functionality

Depends on (3)
  • ISM-1978: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1983: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-2051: E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events

Related (1)
  • ISM-1906: E8-AH-ML2.14 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
