ISM-0634, ASD Information Security Manual (ISM)

Central Logging for Gateway Security Events

Log gateway events and alerts to monitor data flows and detect intrusion attempts.

Plain language

This control is about making sure all the important activities happening at your internet gateways are logged and tracked. By doing this, you can catch suspicious attempts to access or send data through your network. If you skip this, you might miss warning signs of a potential data breach or intrusion, which could lead to loss of sensitive information and a damaged reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security-relevant events for gateways are centrally logged, including:

  • data packets and data flows permitted through gateways
  • data packets and data flows attempting to leave gateways
  • real-time alerts for attempted intrusions.

Why it matters

Failure to centrally log gateway packet/flow events and intrusion alerts can hide data exfiltration paths and successful intrusion attempts, increasing breach impact.

Operational notes

Centrally collect gateway permit/deny flow logs and intrusion alerts; regularly validate log delivery, retention, and alert tuning to detect exfiltration attempts.

Implementation tips

  • The IT team should set up centralised logging for all gateway activities. They can do this by using a software system that collects and stores logs from all network gateways in one place, making it easier to monitor unusual activity.
  • The system administration team should configure alerts for any suspicious attempts to bypass the gateway. They can set these alerts to notify them by email or SMS whenever unusual behaviour is detected, so they can act quickly.
  • Managers should schedule regular reviews of the gateway logs. They should work with IT to look at these logs to spot any trends or patterns that might suggest security issues, doing this at least once a month.
  • The IT team should ensure that logs are kept safely and cannot be tampered with. This means setting permissions so that only authorised personnel can access and modify logs.
  • Business owners or managers should invest in training for their staff on how to recognise and report suspicious activity in the logs. This training can be done through workshops or online modules, enhancing the organisation's overall security posture.

Audit / evidence tips

  • Ask: The central log server's configuration report. Good: A documented setup that lists each gateway logging to the central system.
  • Good: Logs showing a consistent format with detailed timestamped entries.
  • Ask: The alert configuration documentation. Examine how alerts are set up and whom they notify. Good: An alert system configured to notify IT personnel in real-time with details of potential security incidents.
  • Good: A log review schedule with meeting minutes or findings reports.
  • Ask: Staff training records relevant to log analysis and incident handling. Good: A record showing recent training sessions attended by key staff with their names and training dates.
Cross-framework mappings

How ISM-0634 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-0634 requires security-relevant events for gateways to be centrally logged, specifically covering permitted flows, attempted egress, ...

Supports (1)

  • Annex A 8.16: ISM-0634 requires central logging of gateway traffic and intrusion-related alerts to provide visibility of network flows through gateways

E8

Partially overlaps (1)

  • E8-MF-ML2.8: E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events

Supports (1)

  • E8-AC-ML2.6: E8-AC-ML2.6 requires that event logs are protected from unauthorised modification and deletion

Depends on (1)

  • E8-AH-ML2.15: E8-AH-ML2.15 requires timely analysis of cyber security events to identify incidents

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
