Timely analysis of event logs from non-internet-facing servers
Review logs of internal servers promptly to spot security threats.
Plain language
This control is about quickly checking the activity logs of your internal servers that don't connect to the internet. It's important because it helps you catch any unusual or harmful behaviour, which could indicate a security problem, before it becomes a bigger issue.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
Why it matters
Unchecked internal server logs can conceal attacker footprints, enabling undetected lateral movement and privilege abuse, which jeopardises sensitive data.
Operational notes
Review non-internet-facing server logs daily via SIEM/alerts, triaging auth failures, new admin accounts, service changes and lateral movement indicators.
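As an added illustration (not part of the Control Stack page or of any SIEM product), the script below buckets a batch of constructed Windows event records into the four triage categories named in the operational note: repeated authentication failures, new administrator accounts, service installations, and one account logging on to several servers from a single source. Host names, account names, addresses and the failure threshold are assumed sample values.

```python
import json
from collections import defaultdict

FAILURE_THRESHOLD = 3          # repeated 4625s for one account on one host (low, to suit the sample)
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)
# Constructed sample records in the JSON-lines shape a SIEM export might use; not real data.
# Event IDs are the standard Windows Security (4xxx) and System (7045) log IDs.
SAMPLE_EVENTS = r"""
{"host": "fs01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"}
{"host": "fs01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"}
{"host": "fs01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"}
{"host": "fs01", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.7.9"}
{"host": "dc01", "EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "admin1"}
{"host": "dc01", "EventID": 4732, "MemberName": "CORP\\helpdesk2", "TargetUserName": "Administrators"}
{"host": "db01", "EventID": 7045, "ServiceName": "updsvc", "ImagePath": "C:\\Windows\\Temp\\u.exe"}
{"host": "db01", "EventID": 4624, "LogonType": 3, "TargetUserName": "admin1", "IpAddress": "10.0.5.23"}
{"host": "app02", "EventID": 4624, "LogonType": 3, "TargetUserName": "admin1", "IpAddress": "10.0.5.23"}
{"host": "app02", "EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "-"}
"""
def triage(jsonl: str, threshold: int = FAILURE_THRESHOLD) -> dict:
    # Bucket events into the four categories the operational note asks reviewers to triage.
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    findings = defaultdict(list)
    failures = defaultdict(int)       # (host, account) -> count of failed logons
    remote_hosts = defaultdict(set)   # (account, source ip) -> servers logged on to remotely
    for e in events:
        eid = e["EventID"]
        if eid == 4625:
            failures[(e["host"], e["TargetUserName"])] += 1
        elif eid == 4720:
            findings["new_admin_accounts"].append(f'{e["host"]}: account {e["TargetUserName"]} created by {e["SubjectUserName"]}')
        elif eid in (4728, 4732) and e.get("TargetUserName") in ADMIN_GROUPS:
            findings["new_admin_accounts"].append(f'{e["host"]}: {e["MemberName"]} added to {e["TargetUserName"]}')
        elif eid == 7045:
            findings["service_changes"].append(f'{e["host"]}: service {e["ServiceName"]} installed from {e["ImagePath"]}')
        elif eid == 4624 and e.get("LogonType") in NETWORK_LOGON_TYPES:
            remote_hosts[(e["TargetUserName"], e["IpAddress"])].add(e["host"])
    for (host, account), n in failures.items():
        if n >= threshold:
            findings["auth_failures"].append(f"{host}: {n} failed logons for {account}")
    for (account, ip), hosts in remote_hosts.items():
        if len(hosts) >= 2:   # one account fanning out from one source to several servers
            findings["lateral_movement"].append(f"{account} from {ip} logged on to {sorted(hosts)}")
    return dict(findings)

if __name__ == "__main__":
    for category, items in triage(SAMPLE_EVENTS).items():
        print(category, *items, sep="\n  ")
```

In a real deployment the threshold, group names and logon types would come from the organisation's baseline, and the output would feed the daily review queue rather than stdout.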
Implementation tips
- IT team should review server logs on a set schedule (daily or weekly) so that any strange activity is spotted promptly.
- System administrator should use automated tools to alert them of suspicious patterns in logs by configuring alerts for anomalies or known threat indicators.
- Security officer should ensure logs are stored securely and remain unchanged by implementing access controls and secure storage solutions.
- IT team should conduct training for key staff on how to review logs effectively and identify potential threats during regular team meetings or training sessions.
Audit / evidence tips
- Ask: How often are the logs of non-internet-facing servers reviewed?
  Good: Logs are reviewed daily or weekly as per the policy
- Ask: What steps are taken to secure the logs?
  Good: Logs are accessible only to authorised personnel and stored securely
- Ask: Are there alerts set up for suspicious log activities?
  Good: Alerts are configured to notify the IT team of anomalies immediately
Cross-framework mappings
How E8-RA-ML3.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes |
|---|---|
| Partially overlaps (3) | |
| ISM-1906 | E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events |
| ISM-1961 | E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events |
| ISM-1986 | E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events |
| Supports (3) | |
| ISM-0120 | ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools to monitor systems for key indicators of c... |
| ISM-1625 | ISM-1625 requires the organisation to implement and maintain a program to mitigate insider threats, including monitoring and detection of... |
| ISM-1979 | ISM-1979 requires centrally logging security-relevant events for server applications on non-internet-facing servers |
| Related (2) | |
| ISM-1907 | E8-RA-ML3.8 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events |
| ISM-1987 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.