E8-AH-ML3.4 (ASD Essential Eight)

Analyse event logs from non-internet-facing servers for cyber threats

Regularly check the logs of servers that are not exposed to the internet for signs of hacking.


Plain language

This control is about regularly checking the logs of servers that aren't connected to the internet to spot any signs of hacking or cyber threats. It's important because even though these servers are not directly exposed to online threats, they could still be at risk from insiders or malware that sneaks in through other means. If we don’t study these logs, a cyber attack might go unnoticed until it’s too late.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Application hardening

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

Why it matters

Failure to analyse event logs on non-internet-facing servers can allow internal compromise to persist unnoticed, causing data loss and disruption.


Operational notes

Centralise non-internet-facing server logs in a SIEM, alert on anomalies, and review alerts daily (not weekly) to detect threats promptly.


Implementation tips

  • The IT team should schedule regular log analysis tasks. They can do this by setting a weekly reminder to check logs for unusual activity using existing monitoring tools.
  • A security officer should identify key indicators of compromise. They can do this by consulting cybersecurity resources and guidelines to understand what suspicious patterns to look for in the logs.
  • System administrators should ensure logs are stored safely. They should configure systems to store logs in a secure, centralised server where they can't be easily tampered with.
  • The IT team should implement automated alerts for anomalies. They can set up rules in their log management system to trigger alerts when specific suspicious activities are detected.
  • The security officer should review log analysis procedures regularly. This can be done by scheduling quarterly meetings to review and update log analysis practices based on the latest security threats.

Audit / evidence tips

  • Ask: How are event logs from non-internet-facing servers reviewed for signs of cyber threats?
  • Good: The procedures/documents show frequent log analysis activities with assigned personnel and defined review schedules.
  • Ask: What indicators do you watch for in the server logs?
  • Good: Documents list clear indicators like multiple failed login attempts or unexpected software installations.
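
The automated alerting from the implementation tips, applied to the two indicators named above (multiple failed login attempts and unexpected software installations), shown as an added example that is not part of the original page. The log layout, host names, addresses, package name, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from a real system), in an assumed
# "timestamp host process: message" layout as forwarded to a central collector.
SAMPLE_LOG = """\
2026-05-18T02:10:01 db01 sshd[811]: Failed password for root from 10.0.5.23 port 40112 ssh2
2026-05-18T02:10:09 db01 sshd[811]: Failed password for root from 10.0.5.23 port 40113 ssh2
2026-05-18T02:10:15 db01 sshd[812]: Failed password for invalid user admin from 10.0.5.23 port 40120 ssh2
2026-05-18T02:10:31 db01 sshd[812]: Failed password for invalid user admin from 10.0.5.23 port 40121 ssh2
2026-05-18T02:10:44 db01 sshd[813]: Failed password for backup from 10.0.5.23 port 40130 ssh2
2026-05-18T02:14:07 db01 dpkg: install nmap:amd64 7.94
2026-05-18T09:02:11 app02 sshd[400]: Failed password for alice from 10.0.7.8 port 50200 ssh2
2026-05-18T09:02:30 app02 sshd[401]: Accepted password for alice from 10.0.7.8 port 50201 ssh2
"""

LINE = re.compile(r"^(\S+) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) ")
INSTALL = re.compile(r"^install (\S+) ")

def analyse(text, threshold=5, window=timedelta(minutes=5), approved=frozenset()):
    """Return alerts as (time, host, kind, detail) tuples."""
    alerts, recent = [], defaultdict(deque)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skipped here; a real pipeline should count unparsed lines
        ts, host, proc, msg = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if proc == "sshd" and (f := FAILED.match(msg)):
            q = recent[(host, f[2])]      # failures per (target host, source address)
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) == threshold:       # alert once when the threshold is reached
                alerts.append((ts, host, "failed-login-burst", f[2]))
        elif proc == "dpkg" and (i := INSTALL.match(msg)):
            pkg = i[1].split(":")[0]      # strip the architecture suffix
            if pkg not in approved:       # anything outside the approved set is flagged
                alerts.append((ts, host, "unexpected-install", pkg))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The single failed login followed by a success on app02 stays below the threshold and raises nothing, which keeps the daily review queue limited to bursts and unapproved installs.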

Cross-framework mappings

How E8-AH-ML3.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 8.15: E8-AH-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events
  • Annex A 8.16: E8-AH-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events

ASD ISM

Partially meets (1)

  • ISM-1228: E8-AH-ML3.4 requires timely analysis of event logs specifically from non-internet-facing servers to detect cyber security events

Partially overlaps (1)

  • ISM-1986: E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

Supports (1)

  • ISM-0988: E8-AH-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events

Depends on (2)

  • ISM-0120: E8-AH-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
  • ISM-1979: E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

Related (1)

  • ISM-1907: E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
