Event logs are analysed promptly for security events
Quickly check logs from servers open to the internet for security issues.
Plain language
This control is about keeping an eye on the log files from computers or servers that are open to the internet. It's important because if something suspicious or harmful happens, like someone trying to break into your system, you want to know about it quickly so you can stop it.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
Neglecting prompt log analysis on internet-facing servers increases the risk of undetected breaches, escalating potential damage and operational disruption.
Operational notes
Enable automated alerting on internet-facing server logs and triage alerts within 24 hours; investigate suspicious entries and document findings and actions taken.
Implementation tips
- The IT team should ensure that logging is enabled on all internet-facing servers by configuring the server settings to automatically record all activity.
- A security officer should set up a schedule for regular log analysis, using automated tools that highlight unusual activity so that logs are checked daily.
- The system administrator needs to choose a tool that can send alerts when certain types of suspicious activity are detected in the logs, ensuring timely responses.
- The IT team should train staff on what to look for in logs, such as failed access attempts, to help promptly identify potential security events.
- The security officer should work with management to create a protocol for responding to identified security events, ensuring everyone knows their role in preventing incidents.
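As an added illustration of the automated alerting the tips above call for (example code, not part of Control Stack or the Essential Eight), the script below parses web server access logs in the common "combined" format from an internet-facing server and raises an alert when one source address accumulates repeated failed access attempts (HTTP 401/403) inside a short window. The log lines, the threshold of 5 failures per minute and the two IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2026:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4"
203.0.113.7 - - [19/Mar/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4"
203.0.113.7 - - [19/Mar/2026:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4"
203.0.113.7 - - [19/Mar/2026:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4"
203.0.113.7 - - [19/Mar/2026:10:00:08 +0000] "POST /login HTTP/1.1" 403 512 "-" "curl/8.4"
198.51.100.4 - - [19/Mar/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Mar/2026:10:05:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Mar/2026:10:05:30 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(text):
    """Yield (timestamp, source ip, status code) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the analyser
        yield datetime.strptime(m["ts"], TS_FMT), m["ip"], int(m["status"])

def failed_access_alerts(text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector: one alert per source IP that reaches
    `threshold` failed access attempts (HTTP 401/403) within `window`."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts, alerted = [], set()
    for ts, ip, status in parse(text):
        if status not in (401, 403):
            continue
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "failures": len(hits),
                           "first": hits[0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in failed_access_alerts(SAMPLE_LOG):
        print("ALERT", alert)  # hand these to the on-call triage queue
```

In practice the same function would be fed from a central log collector on a schedule that meets the daily review and 24-hour triage targets above, with the threshold and window tuned to the server's normal traffic.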
Audit / evidence tips
- Ask: How often are the logs from internet-facing servers analysed?
  Good: Logs are reviewed daily with automated alerts for suspicious activity
- Ask: What tools are in place to help with log analysis?
  Good: Log monitoring software is in use and configured to alert for anomalies
- Ask: What steps are taken when a security event is detected?
  Good: There is a documented protocol involving immediate investigation and escalation to appropriate personnel
Cross-framework mappings
How E8-RA-ML2.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.15 | E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| Annex A 8.16 | E8-RA-ML2.9 focuses on promptly analysing internet-facing server event logs to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1228 | E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| Partially overlaps (6) | | |
| ISM-1607 | ISM-1607 requires integrity monitoring and centralised event logging for shared server hardware using software isolation | |
| ISM-1907 | E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed promptly to detect cyber security events | |
| ISM-1960 | E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1961 | E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1986 | E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events | |
| ISM-1987 | E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events | |
| Supports (4) | | |
| ISM-0120 | ISM-0120 requires providing cyber security personnel with tools and data sources to monitor for indicators of compromise | |
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| ISM-1526 | ISM-1526 requires continuous security monitoring and ongoing management of threats, risks and controls for each system within set boundar... | |
| ISM-1978 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
| Related (1) | | |
| ISM-1906 | E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.