ISM-0582: ASD Information Security Manual (ISM)

Central Logging of Windows Security Events

Important Windows security events are collected in a central location to monitor system activities.

Plain language

This control means collecting important security events from all Windows computers in one central spot. It's like having a single dashboard to see any unusual activity on your systems. If you don't do this, you might miss signs that someone is trying to hack into your network, which could lead to data breaches or other security problems.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Security-relevant events for Microsoft Windows operating systems are centrally logged.

Why it matters

Without central logging of Windows Security events (e.g., logons, privilege use), attacks may not be correlated across hosts, delaying response and increasing breach likelihood.

Operational notes

Configure Windows Security Event Log forwarding (e.g., Windows Event Forwarding (WEF) or an agent) to a central SIEM, validate coverage, and alert on failed logons, privilege changes and audit policy tampering.

Implementation tips

  • IT team: Gather up event logs from all Windows computers in your network and send them to a central logging system. Use a program or tool specifically designed for this task so that it automatically collects and aggregates logs, making sure nothing is missed.
  • System administrator: Set up alerts for specific security events that could indicate an issue, like a failed login attempt or changes to important system files. Use the logging system’s alert features to be notified immediately when suspicious activity occurs.
  • IT manager: Ensure the central logging system is properly secured and only accessed by authorised personnel. Set access controls so that only people who need to see these logs can access them, reducing the risk of insider threats.
  • Security officer: Regularly review the central logs for patterns of unusual activity. Look through the logs on a weekly basis to identify any trends or recurring issues that may need further investigation.
  • Training coordinator: Provide training for staff responsible for monitoring and interpreting the logs. Organise sessions to teach them what to look for and how to respond to different types of security events.

Audit / evidence tips

  • Ask: Central logging system access logs. Good: Only authorised personnel accessed the logs; no unusual access patterns appear.
  • Ask: Configuration settings of the logging tool. Good: Configuration confirms logs are gathered and sent centrally without omissions.
  • Ask: Evidence of security event alerts setup. Good: Clear trigger events for alerts, like multiple failed logins and key system file changes, are in place.
  • Ask: Recent incident response records. Good: Documented responses show quick action taken on logged security events, with outcomes recorded.
  • Ask: Training records for logging system handlers. Good: Staff attended training sessions and can demonstrate knowledge of system use and security response procedures.
Cross-framework mappings

How ISM-0582 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.15: ISM-0582 stipulates centrally logging security-relevant events on Windows systems
Related (1)
  • Annex A 8.16: Annex A 8.16 requires ongoing monitoring for anomalous behaviour across networks and systems and taking action to evaluate potential inci...

E8

Partially overlaps (4)
Supports (1)
Depends on (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
