Event logs are analysed promptly for security events
Quickly check logs from servers open to the internet for security issues.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Detective
🛠️ E8 mitigation strategy
Restrict administrative privileges
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Source: ASD Essential Eight
Plain language
This control is about keeping an eye on the log files from computers or servers that are open to the internet. It's important because if something suspicious or harmful happens, like someone trying to break into your system, you want to know about it quickly so you can stop it.
Why it matters
Neglecting prompt log analysis on internet-facing servers increases the risk of undetected breaches, escalating potential damage and operational disruption.
Operational notes
Enable automated alerting on internet-facing server logs and triage alerts within 24 hours; investigate suspicious entries and document findings and actions taken.
Implementation tips
- The IT team should ensure that logging is enabled on all internet-facing servers by configuring the server settings to automatically record all activity.
- A security officer should set up a schedule for regular log analysis, using automated tools that highlight unusual activity so that logs are checked daily.
- The system administrator needs to choose a tool that can send alerts when certain types of suspicious activity are detected in the logs, ensuring timely responses.
- The IT team should train staff on what to look for in logs, such as failed access attempts, to help promptly identify potential security events.
- The security officer should work with management to create a protocol for responding to identified security events, ensuring everyone knows their role in preventing incidents.
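The tips above describe the mechanics in words: record activity on internet-facing servers, run automated analysis that highlights suspicious entries such as failed access attempts, raise an alert, and triage it within the 24-hour target from the operational notes. The following script is an added example of that detection logic and is not code from the Control Stack page or from ASD. It assumes an Apache/nginx-style combined access log; the sample log lines, the threshold of five failures, the five-minute window and the `detect_failed_access_bursts` / `triage_status` function names are all constructed for this illustration.

```python
"""Flag bursts of failed access attempts in an internet-facing web server log.

Added example, not part of the Control Stack page or ASD material. The log
format, sample lines, threshold and window below are assumptions chosen for
illustration; tune them to the server and the organisation's alerting tool.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Combined log format (assumed): ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAILED_STATUSES = {401, 403}  # responses that indicate a failed access attempt

# Constructed sample log: one source repeatedly failing on /login, one normal client,
# and one unparseable line to show that malformed entries are counted, not dropped silently.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2026:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [21/Feb/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.7 - - [21/Feb/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [21/Feb/2026:10:00:04 +0000] "POST /login HTTP/1.1" 403 512
198.51.100.4 - - [21/Feb/2026:10:00:05 +0000] "GET /about HTTP/1.1" 404 310
203.0.113.7 - - [21/Feb/2026:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [21/Feb/2026:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [21/Feb/2026:10:00:08 +0000] "POST /login HTTP/1.1" 200 1024
this line is not a valid log entry
"""


def parse_log(text):
    """Parse combined-format lines. Returns (events sorted by time, count of skipped lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # evidence for the audit trail: how much of the log was unreadable
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "request": m["req"],
            "status": int(m["status"]),
        })
    events.sort(key=lambda e: e["ts"])  # logs from several workers may arrive out of order
    return events, skipped


def detect_failed_access_bursts(text, threshold=5, window_minutes=5):
    """Raise one alert per source that produces >= threshold failures inside a sliding window.

    The alert also records whether the same source later received a 2xx on a path it had
    been failing on; that is the entry a responder should look at first when triaging.
    """
    events, skipped = parse_log(text)
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    failed_paths = defaultdict(set)  # ip -> paths that returned a failure status
    alerts = {}                      # ip -> alert dict (one alert per source)
    for ev in events:
        ip, ts = ev["ip"], ev["ts"]
        parts = ev["request"].split(" ")
        path = parts[1] if len(parts) > 1 else ev["request"]
        if ev["status"] in FAILED_STATUSES:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            failed_paths[ip].add(path)
            if ip in alerts:
                alerts[ip]["count"] += 1
                alerts[ip]["last_seen"] = ts
            elif len(q) >= threshold:
                alerts[ip] = {"source": ip, "count": len(q), "first_seen": q[0],
                              "last_seen": ts, "success_after_burst": False}
        elif 200 <= ev["status"] < 300 and ip in alerts and path in failed_paths[ip]:
            alerts[ip]["success_after_burst"] = True
    return list(alerts.values()), skipped


def triage_status(alert, now_iso, sla_hours=24):
    """Classify an open alert against the 24-hour triage target; now_iso is an ISO 8601 time."""
    age = datetime.fromisoformat(now_iso) - alert["first_seen"]
    return "overdue" if age > timedelta(hours=sla_hours) else "within_sla"


if __name__ == "__main__":
    found, skipped = detect_failed_access_bursts(SAMPLE_LOG)
    for a in found:
        print(f"{a['source']}: {a['count']} failures {a['first_seen']}..{a['last_seen']} "
              f"success_after_burst={a['success_after_burst']} "
              f"triage={triage_status(a, '2026-02-22T09:00:00+00:00')}")
    print(f"unparseable lines skipped: {skipped}")
```

The sliding window is per source rather than global, so a single noisy client cannot drown out a quieter one, and the `success_after_burst` flag turns a generic "many failures" alert into the ordered triage queue the response protocol needs. Wiring `triage_status` to the alert store gives the audit evidence the page asks for: an overdue count of zero is the daily-review claim made measurable.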
Audit / evidence tips
- Ask: How often are the logs from internet-facing servers analysed?
  Good: Logs are reviewed daily with automated alerts for suspicious activity
- Ask: What tools are in place to help with log analysis?
  Good: Log monitoring software is in use and configured to alert for anomalies
- Ask: What steps are taken when a security event is detected?
  Good: There is a documented protocol involving immediate investigation and escalation to appropriate personnel
Cross-framework mappings
How E8-RA-ML2.9 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (6) | | |
| ISM-1607 | ISM-1607 requires integrity monitoring and centralised event logging for shared server hardware using software isolation | |
| ISM-1907 | E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed promptly to detect cyber security events | |
| ISM-1960 | ISM-1960 and E8-RA-ML2.9 both require prompt log review for detection | |
| ISM-1961 | E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1986 | E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events | |
| ISM-1987 | E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events | |
| Supports (3) | | |
| ISM-0120 | ISM-0120 requires providing cyber security personnel with tools and data sources to monitor for indicators of compromise | |
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| ISM-1978 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
| Related (1) | | |
| ISM-1906 | E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events | |