Analyse event logs from non-internet-facing servers in a timely manner to detect security events
Regularly check event logs from internal servers to catch security issues quickly.
Plain language
Analysing event logs from internal servers regularly helps us catch signs of cyberattacks early. Without this practice, we might miss warning signs of someone trying to break into our systems, which could lead to data breaches and other serious security issues.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
If logs on non-internet-facing servers aren’t reviewed promptly, lateral movement and credential misuse may be missed, delaying detection of internal breaches.
Operational notes
Define review cadence and alerts for non-internet-facing server logs; centralise to SIEM, tune rules, and investigate anomalies within agreed timeframes.
Implementation tips
- The IT team should configure logging settings on all non-internet-facing servers so that security-related events are captured correctly.
- System administrators should collect logs from these servers daily and store them in a secure location, using automated scripts or log management tools to gather and centralise them.
- Security officers should regularly review and analyse the collected logs, using log analysis software to identify unusual activity or patterns that might indicate a security incident.
- The security team should establish a procedure for handling and escalating suspicious events detected in the logs, with alerts or notifications set up so that appropriate action is taken swiftly.
Audit / evidence tips
- Ask: How often are the event logs from non-internet-facing servers reviewed?
- Good: The logs are reviewed every 24 hours according to our documented policy, which aligns with best practices.
- Ask: What tools are used for log analysis?
- Good: We use an automated log analysis tool that provides alerts for potential security events, and it is verified to be functioning correctly.
Cross-framework mappings
How E8-MF-ML3.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.15 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| Annex A 8.16 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1228 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| Partially overlaps (4) | | |
| ISM-1906 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1961 | E8-MF-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| ISM-1986 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1987 | E8-MF-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| Supports (1) | | |
| ISM-1979 | ISM-1979 requires central logging of security-relevant events for server applications on non-internet-facing servers | |
| Depends on (3) | | |
| ISM-0120 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1830 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| ISM-1911 | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events | |
| Related (1) | | |
| ISM-1907 | E8-MF-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.