Analyze event logs from non-internet-facing servers for cyber threats
Regularly check server logs not exposed to the internet for signs of hacking.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Detective
🛠️ E8 mitigation strategy
Application hardening
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML3
Event logs from non-internet-facing servers are analyzed in a timely manner to detect cyber security events.
Source: ASD Essential Eight
Plain language
This control is about regularly checking the logs of servers that aren't connected to the internet to spot any signs of hacking or cyber threats. It's important because even though these servers are not directly exposed to online threats, they could still be at risk from insiders or malware that sneaks in through other means. If we don’t study these logs, a cyber attack might go unnoticed until it’s too late.
Why it matters
Failure to analyse event logs on non-internet-facing servers can allow internal compromise to persist unnoticed, causing data loss and disruption.
Operational notes
Centralise non-internet-facing server logs in a SIEM, alert on anomalies, and review alerts daily (not weekly) to detect threats promptly.
Implementation tips
- The IT team should schedule regular log analysis tasks. They can do this by setting a weekly reminder to check logs for unusual activity using existing monitoring tools.
- A security officer should identify key indicators of compromise. They can do this by consulting cybersecurity resources and guidelines to understand what suspicious patterns to look for in the logs.
- System administrators should ensure logs are stored safely. They should configure systems to store logs in a secure, centralised server where they can't be easily tampered with.
- The IT team should implement automated alerts for anomalies. They can set up rules in their log management system to trigger alerts when specific suspicious activities are detected.
- The security officer should review log analysis procedures regularly. This can be done by scheduling quarterly meetings to review and update log analysis practices based on the latest security threats.
Audit / evidence tips
-
Ask: How are event logs from non-internet-facing servers reviewed for signs of cyber threats?
-
Good: The procedures/documents show frequent log analysis activities with assigned personnel and defined review schedules
-
Ask: What indicators do you watch for in the server logs?
-
Good: Documents list clear indicators like multiple failed login attempts or unexpected software installations
Cross-framework mappings
How E8-AH-ML3.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 8.15 | E8-AH-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| Annex A 8.16 | E8-AH-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-1228 | E8-AH-ML3.4 requires timely analysis of event logs specifically from non-internet-facing servers to detect cyber security events | |
| Partially overlaps (1) | ||
| ISM-1986 | E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| Supports (1) | ||
| ISM-0988 | E8-AH-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events | |
| Depends on (2) | ||
| ISM-0120 | E8-AH-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1979 | E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| Related (1) | ||
| ISM-1907 | E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |