E8-RA-ML2.9 ASD Essential Eight

Event logs are analysed promptly for security events

Quickly check logs from servers open to the internet for security issues.

Plain language

This control is about keeping an eye on the log files from computers or servers that are open to the internet. It's important because if something suspicious or harmful happens, like someone trying to break into your system, you want to know about it quickly so you can stop it.

Framework: ASD Essential Eight

Control effect: Detective

E8 mitigation strategy: Restrict administrative privileges

Classifications: N/A

Official last update: N/A

Control Stack last updated: 19 Mar 2026

E8 maturity levels: ML2

Official control statement

Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

Why it matters

Neglecting prompt log analysis on internet-facing servers increases the risk of undetected breaches, escalating potential damage and operational disruption.

Operational notes

Enable automated alerting on internet-facing server logs and triage alerts within 24 hours; investigate suspicious entries and document findings and actions taken.

Implementation tips

  • The IT team should ensure that logging is enabled on all internet-facing servers by configuring the server settings to automatically record all activity.
  • A security officer should set up a schedule for regular log analysis, using automated tools that highlight unusual activity so that logs are checked daily.
  • The system administrator needs to choose a tool that can send alerts when certain types of suspicious activity are detected in the logs, ensuring timely responses.
  • The IT team should train staff on what to look for in logs, such as failed access attempts, to help promptly identify potential security events.
  • The security officer should work with management to create a protocol for responding to identified security events, ensuring everyone knows their role in preventing incidents.

Audit / evidence tips

  • Ask: How often are the logs from internet-facing servers analysed? Good: Logs are reviewed daily with automated alerts for suspicious activity
  • Ask: What tools are in place to help with log analysis? Good: Log monitoring software is in use and configured to alert for anomalies
  • Ask: What steps are taken when a security event is detected? Good: There is a documented protocol involving immediate investigation and escalation to appropriate personnel

Cross-framework mappings

How E8-RA-ML2.9 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

  • Annex A 8.15: E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • Annex A 8.16: E8-RA-ML2.9 focuses on promptly analysing internet-facing server event logs to detect cyber security events

ASD ISM

Partially meets (1)

  • ISM-1228: E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events

Partially overlaps (6)

  • ISM-1607: ISM-1607 requires integrity monitoring and centralised event logging for shared server hardware using software isolation
  • ISM-1907: E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed promptly to detect cyber security events
  • ISM-1960: E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1961: E8-RA-ML2.9 requires timely analysis of event logs from internet-facing servers to detect cyber security events
  • ISM-1986: E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events
  • ISM-1987: E8-RA-ML2.9 requires prompt analysis of internet-facing server logs to detect cyber security events

Supports (4)

  • ISM-0120: ISM-0120 requires providing cyber security personnel with tools and data sources to monitor for indicators of compromise
  • ISM-0580: ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored
  • ISM-1526: ISM-1526 requires system owners to continuously monitor system security and manage cyber threats, security risks and controls within defi...
  • ISM-1978: ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged

Related (1)

  • ISM-1906: E8-RA-ML2.9 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
