E8-RA-ML3.8 ASD Essential Eight

Timely analysis of event logs from non-internet-facing servers

Review logs of internal servers promptly to spot security threats.

🏛️ Framework: ASD Essential Eight
🧭 Control effect: Detective
🛠️ E8 mitigation strategy: Restrict administrative privileges
🔐 Classifications: N/A
🗓️ Official last update: N/A
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: ML3

Official control statement
Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

Source: ASD Essential Eight

Plain language

This control is about quickly checking the activity logs of your internal servers that don't connect to the internet. It's important because it helps you catch any unusual or harmful behaviour, which could indicate a security problem, before it becomes a bigger issue.

Why it matters

Unchecked internal server logs can conceal attacker footprints, enabling undetected lateral movement and privilege abuse, which jeopardises sensitive data.

Operational notes

Review non-internet-facing server logs daily via SIEM/alerts, triaging auth failures, new admin accounts, service changes and lateral movement indicators.

Implementation tips

  • The IT team should set up a schedule to review server logs daily or weekly so that strange activity is spotted.
  • The system administrator should configure automated tools to alert on anomalies or known threat indicators in the logs.
  • The security officer should implement access controls and secure storage so that logs are stored securely and remain unchanged.
  • The IT team should train key staff, during regular team meetings or training sessions, to review logs effectively and identify potential threats.

Audit / evidence tips

  • Ask: How often are the logs of non-internet-facing servers reviewed?

    Good: Logs are reviewed daily or weekly as per the policy

  • Ask: What steps are taken to secure the logs?

    Good: Logs are accessible only to authorised personnel and stored securely

  • Ask: Are there alerts set up for suspicious log activities?

    Good: Alerts are configured to notify the IT team of anomalies immediately

Cross-framework mappings

How E8-RA-ML3.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Partially overlaps (3)

  • ISM-1906: E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
  • ISM-1961: E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events
  • ISM-1986: E8-RA-ML3.8 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events

Supports (3)

  • ISM-0120: ISM-0120 requires cyber security personnel to have access to sufficient data sources and tools to monitor systems for key indicators of c...
  • ISM-1625: ISM-1625 requires the organisation to implement and maintain a program to mitigate insider threats, including monitoring and detection of...
  • ISM-1979: ISM-1979 requires centrally logging security-relevant events for server applications on non-internet-facing servers

Related (2)

  • ISM-1907: E8-RA-ML3.8 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events
  • ISM-1987: ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events
