Implement a Centralised Event Logging Facility
Ensure all event logs are collected and managed in one central location for analysis and security monitoring.
Plain language
Having a central spot where all your system's event logs are gathered is like having a single bulletin board where you can track everything going on in your business. This matters because if you can't see what's happening across all your systems, you might miss warning signs of a security threat or system issue, which could cost you time, money, or damage your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system monitoring
Section
Event logging and monitoring
Official control statement
A centralised event logging facility is implemented.
Why it matters
Without a centralised event logging facility, security events are fragmented across systems, delaying detection and investigation of suspicious activity and increasing incident impact.
Operational notes
Centralise logs from key systems, normalise formats, and enforce time synchronisation (NTP). Monitor and alert regularly, and set retention to support investigations and trend analysis.
Implementation tips
- The IT team should set up a centralised logging system. Start by choosing a tool that collects logs from all your systems into one place—this could be software that runs on your server or a cloud-based service. Ensure it can handle the volume of logs your organisation generates.
- System administrators should configure each system to send logs to the central logging facility. Check the system's settings to find how to export logs and use the provided documentation to route these to the central logging system.
- Managers should inform staff about the importance of logging certain events. Schedule training sessions to teach employees what activities must be logged and the importance of these logs to the organisation's security and operations.
- The security team should analyse the collected logs regularly. Use the central logging system's analysis features to look for patterns or unusual activities that could indicate a threat or issue.
- IT support staff should maintain the logging system. Regularly check that logs from all systems are being received correctly and troubleshoot any issues promptly, ensuring the system's centralised nature remains intact.
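The receipt check in the last tip, and the time synchronisation point from the operational notes, can be automated. This is an added example, not part of the original page or of the ISM. The host names, sample rows, and the one-hour and five-minute thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory of systems expected to forward logs (hypothetical names).
INVENTORY = {"dc01", "web01", "fw-edge", "db01", "hr-app"}

# Constructed sample rows from a central log store:
# (source, timestamp stamped by the source, timestamp the collector received it)
SAMPLE_EVENTS = [
    ("dc01", "2025-01-15T09:58:40+00:00", "2025-01-15T09:58:41+00:00"),
    ("web01", "2025-01-15T09:30:00+00:00", "2025-01-15T09:30:02+00:00"),
    ("fw-edge", "2025-01-15T07:10:00+00:00", "2025-01-15T07:10:01+00:00"),
    ("db01", "2025-01-15T09:40:00+00:00", "2025-01-15T09:55:00+00:00"),
    ("laptop-77", "2025-01-15T09:50:00+00:00", "2025-01-15T09:50:00+00:00"),
]
NOW = datetime.fromisoformat("2025-01-15T10:00:00+00:00")


def coverage_report(inventory, events, now,
                    max_silence=timedelta(hours=1),
                    max_skew=timedelta(minutes=5)):
    """Compare what the central store received against the system inventory."""
    last_seen = {}   # source -> most recent collector receipt time
    skewed = set()   # sources whose own timestamps disagree with receipt time
    for source, stamped, received in events:
        stamped_at = datetime.fromisoformat(stamped)
        received_at = datetime.fromisoformat(received)
        # A large gap means clock drift (time sync problem) or delayed forwarding;
        # either way, correlation across systems becomes unreliable.
        if abs(received_at - stamped_at) > max_skew:
            skewed.add(source)
        if source not in last_seen or received_at > last_seen[source]:
            last_seen[source] = received_at
    # Silent: in the inventory but never seen, or not seen within max_silence.
    silent = {s for s in inventory
              if s not in last_seen or now - last_seen[s] > max_silence}
    # Unknown: sending logs but missing from the inventory document.
    unknown = set(last_seen) - set(inventory)
    return {"silent": sorted(silent), "skewed": sorted(skewed),
            "unknown": sorted(unknown)}


if __name__ == "__main__":
    for finding, sources in coverage_report(INVENTORY, SAMPLE_EVENTS, NOW).items():
        print(f"{finding}: {', '.join(sources) or 'none'}")
```

Silent sources are the finding to alert on first: a system that stops forwarding looks the same in the central store as a system with nothing to report.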
Audit / evidence tips
- Ask: a document listing all systems connected to the central logging facility
  Good: is a comprehensive list with all business systems included and an assigned date for each connection
- Good: result shows logs originating from different systems consistently over recent periods
- Ask: the log analysis reports
  Good: includes up-to-date reports that have been reviewed regularly by the named security team members
- Good: is a completed training register that links the training to improved logging practices
- Ask: the system maintenance records for the logging facility. Ensure these logs show regular checks and prompt addressing of issues
  Good: result shows routine maintenance entries and quick resolution of any problems
Cross-framework mappings
How ISM-1405 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 8.15 | ISM-1405 requires a centralised event logging facility to collect and manage event logs in one location | |
| Supports (1) | | |
| Annex A 8.14 | Annex A 8.14 requires systems to use synchronised clocks against an authorised time source to ensure timestamps can be trusted and correl... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Supports (1) | | |
| Depends on (5) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.