Central Logging for Microsoft AD Server Activities
Log important actions on Microsoft AD servers in a central location for better monitoring.
Plain language
This control means that actions taken on Microsoft Active Directory servers should be recorded in a central spot. This is important because if something goes wrong, like a security breach, you want to quickly find out what happened and who did what, so you can fix it and prevent it from happening again.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Security-relevant events for Microsoft AD DS domain controllers, Microsoft AD CS CA servers, Microsoft AD FS servers and Microsoft Entra Connect servers are centrally logged.
Why it matters
Without central logging, security events on AD DS, AD CS, AD FS and Entra Connect servers may never be looked at, and an attacker who gains control of one of those hosts can alter or clear the only copy of the local log. A copy held off-box, outside the reach of the source server's own administrators, preserves the record so that detection, response and recovery are not delayed or defeated.
Operational notes
Configure domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers to forward security-relevant events (the Security log, and the AD CS, AD FS and Entra Connect sync channels where present) to a central log store, for example with Windows Event Forwarding or a SIEM agent. Confirm that every source is actually reporting, since a silent source looks the same as a quiet one, and review the resulting alerts regularly.
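The forwarding step above, as an added worked example (not code from the page, from ASD or from Microsoft): a source-initiated Windows Event Forwarding subscription on the collector and the matching settings on each source. The collector name `wec01.corp.example`, the subscription name `ISM-1830-AD-Servers`, the chosen event IDs and the 4 GB landing-log size are assumptions; adjust them to your environment.

```powershell
# Added example (not from the page, not ASD or Microsoft code): central collection of
# AD server events with Windows Event Forwarding (WEF). Assumed names: collector
# wec01.corp.example, subscription "ISM-1830-AD-Servers", 4 GB ForwardedEvents log.
#Requires -RunAsAdministrator

# --- 1. Collector: enable the Windows Event Collector service -------------------
wecutil qc /q      # quick-config: service set to automatic (delayed) start and started

# --- 2. Collector: create a source-initiated (push) subscription ----------------
# Sources connect out to the collector over WinRM, so nothing has to be opened
# inbound on the domain controllers. This subscription covers the Security log,
# which every role has. Channels that exist only on some roles (AD FS/Admin, the
# Application-log "Directory Synchronization" source on Entra Connect) belong in
# separate subscriptions scoped to those hosts: a query naming a channel a source
# does not have fails on that source.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ISM-1830-AD-Servers</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>ISM-1830: Security-log events from AD DS, AD CS, AD FS and Entra Connect servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- log clearing and audit-policy changes, DSRM password, group membership changes,
             directory object access (4662; high volume, filter at the SIEM), logon activity -->
        <Select Path="Security">*[System[(EventID=1102 or EventID=4719 or EventID=4794
          or EventID=4662 or EventID=4728 or EventID=4732 or EventID=4756
          or EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771)]]</Select>
        <!-- AD CS: certificate request received / issued / denied, template updated -->
        <Select Path="Security">*[System[(EventID=4886 or EventID=4887 or EventID=4888 or EventID=4899)]]</Select>
        <!-- AD FS: once AD FS auditing is enabled, its audit events land in the Security log -->
        <Select Path="Security">*[System[Provider[@Name='AD FS Auditing']]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: who may push into this subscription (assumed scope). DD = Domain Controllers,
       DC = Domain Computers, which holds the AD CS, AD FS and Entra Connect members. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@
$subscriptionXml | Set-Content -Path "$env:TEMP\ism1830-subscription.xml" -Encoding UTF8
wecutil cs "$env:TEMP\ism1830-subscription.xml"

# --- 3. Each source server (DC, CA, AD FS, Entra Connect) -------------------------
# In practice push these through a GPO linked to the OUs holding those servers
# (Administrative Templates > Windows Components > Event Forwarding >
# "Configure target Subscription Manager"); shown here as the same settings on one host.
winrm quickconfig -q      # WinRM listener on 5985; WEF rides on WS-Management
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default:
# append a read ACE for it (assumes the channel's SDDL has no trailing SACL part).
$caLine = (wevtutil gl Security) | Where-Object { $_ -match '^channelAccess:' }
$sddl   = ($caLine -replace '^channelAccess:\s*', '').Trim()
if ($sddl -notmatch ';;;NS\)') { wevtutil sl Security "/ca:${sddl}(A;;0x1;;;NS)" }

# --- 4. Collector: confirm every source reports, then size the landing log ---------
wecutil gr ISM-1830-AD-Servers                 # per-source state and last heartbeat; chase any "Inactive"
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
wevtutil sl ForwardedEvents /ms:4294967296     # 4 GB so it does not wrap before the SIEM agent has shipped it
```

The collector's `ForwardedEvents` log is a landing zone, not the central store: the SIEM agent (or a second forwarding hop) should ship it onward to the system that holds the retained copy, and the output of `wecutil gr` is the quickest evidence that each domain controller, CA and federation server is actually connected and heartbeating.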
Implementation tips
- IT team should set up a central logging system: They need to ensure that security-relevant events from every Active Directory-related server (domain controllers, AD CS CA servers, AD FS servers and Entra Connect servers) are sent to a centralised location. This can be done with the Windows Event Forwarding feature built into Windows, or with a SIEM agent, sending logs to a chosen server where they are stored and monitored, and it should include a check that each source is actually reporting rather than silently disconnected.
- System owners should regularly review logs: Schedule a weekly check of these logs to spot any unusual activities. They can use simple reporting tools to pull out logs from the central system and examine them for signs of trouble.
- Managers should ensure their team is trained to understand logs: Provide basic training sessions for staff responsible for reviewing these logs. Training should cover how to read the logs for signs of security events and what actions to take if something suspicious is found.
- IT administrators should implement automated alerts: Set up alerts to notify the team when specific suspicious activities occur, for example the security log being cleared, audit policy being changed, an account being added to Domain Admins or another privileged group, a burst of failed logons against one account, or a certificate template being changed on a CA. This can be set by configuring thresholds or patterns that, once matched, trigger an email or message alert to administrators.
- System owners should create a log retention policy: Decide how long logs need to be kept based on your organisation's needs and legal requirements. This involves setting configurations in the central logging system, which is where retention is enforced, to automatically delete older logs after this period; the central copy should also be protected so that administrators of the source servers cannot delete it.
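The alerting tip above, as an added worked example (not code from the page, from ASD or from Microsoft): a small rule pass over normalised AD events, with both pattern rules (single events that always warrant an alert) and a threshold rule (repeated failed logons for one account inside a time window). The rules, the constructed sample records and the `Send-Alert` sink are assumptions for illustration; in production the same rules run in the SIEM, or against `Get-WinEvent` output from the collector as shown at the end.

```powershell
# Added example (not from the page, not ASD or Microsoft code): an alert pass over
# centrally collected AD events. The rules, the constructed sample records and the
# Send-Alert sink are assumptions for illustration.

# Normalise a real EventLogRecord (e.g. from Get-WinEvent -LogName ForwardedEvents)
# into Id/Time/Computer plus a hashtable of the named EventData fields.
function ConvertFrom-EventRecord {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement] -and $d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{ Id = $Record.Id; Time = $Record.TimeCreated
                           Computer = $Record.MachineName; Data = $data }
    }
}

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Pattern rules: event IDs, a test over the normalised record, and an alert title.
$rules = @(
    @{ Ids = 1102;             Title = 'Security log cleared';               Test = { $true } }
    @{ Ids = 4719;             Title = 'System audit policy changed';        Test = { $true } }
    @{ Ids = 4794;             Title = 'DSRM administrator password set';    Test = { $true } }
    @{ Ids = 4899;             Title = 'AD CS certificate template updated'; Test = { $true } }
    @{ Ids = 4728, 4732, 4756; Title = 'Member added to privileged group'
       Test = { param($r) $privilegedGroups -contains $r.Data.TargetUserName } }
)

function Find-SuspiciousEvents {
    param([object[]] $Events, [int] $FailureThreshold = 10, [int] $WindowMinutes = 10)
    $alerts = [System.Collections.Generic.List[object]]::new()

    foreach ($e in $Events) {
        foreach ($rule in $rules) {
            if ($rule.Ids -contains $e.Id -and (& $rule.Test $e)) {
                $alerts.Add([pscustomobject]@{
                    Time = $e.Time; Computer = $e.Computer; Id = $e.Id; Title = $rule.Title
                    Detail = ($e.Data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
                })
            }
        }
    }

    # Threshold rule: N or more failed logons for one account inside the window.
    # 4625 = logon failure, 4771 = Kerberos pre-authentication failure (seen on DCs).
    $Events | Where-Object { $_.Id -in 4625, 4771 } |
        Group-Object { $_.Data.TargetUserName } | ForEach-Object {
            $account = $_.Name
            $sorted  = @($_.Group | Sort-Object Time)
            for ($i = 0; $i + $FailureThreshold - 1 -lt $sorted.Count; $i++) {
                $span = $sorted[$i + $FailureThreshold - 1].Time - $sorted[$i].Time
                if ($span.TotalMinutes -le $WindowMinutes) {
                    $alerts.Add([pscustomobject]@{
                        Time = $sorted[$i].Time; Computer = $sorted[$i].Computer; Id = $sorted[$i].Id
                        Title = "$FailureThreshold or more failed logons for '$account' within $WindowMinutes min"
                        Detail = "count=$($sorted.Count)"
                    })
                    break
                }
            }
        }
    return $alerts.ToArray()
}

function Send-Alert {
    param($Alert)
    # Assumed sink: replace with Send-MailMessage, a webhook or a ticketing API call.
    Write-Host ('[ALERT] {0:u} {1} #{2} {3} ({4})' -f $Alert.Time, $Alert.Computer, $Alert.Id, $Alert.Title, $Alert.Detail)
}

# Constructed sample, standing in for ConvertFrom-EventRecord output from the collector.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 4728; Time = $now.AddMinutes(-30); Computer = 'DC01'
                       Data = @{ SubjectUserName = 'jsmith'; MemberName = 'CN=svc-backup,OU=Service,DC=corp,DC=example'; TargetUserName = 'Domain Admins' } }
    [pscustomobject]@{ Id = 4728; Time = $now.AddMinutes(-25); Computer = 'DC01'
                       Data = @{ SubjectUserName = 'helpdesk1'; MemberName = 'CN=a.lee,OU=Staff,DC=corp,DC=example'; TargetUserName = 'Help Desk' } }
    [pscustomobject]@{ Id = 1102; Time = $now.AddMinutes(-20); Computer = 'DC02'; Data = @{ SubjectUserName = 'jsmith' } }
    [pscustomobject]@{ Id = 4899; Time = $now.AddMinutes(-15); Computer = 'CA01'; Data = @{ SubjectUserName = 'jsmith'; TemplateName = 'User' } }
)
# Twelve failed logons for one account inside one minute (a constructed password-spray burst).
$sample += @(1..12 | ForEach-Object {
    [pscustomobject]@{ Id = 4625; Time = $now.AddSeconds(-5 * $_); Computer = 'DC01'
                       Data = @{ TargetUserName = 'administrator'; IpAddress = '10.0.0.50' } }
})

$alerts = Find-SuspiciousEvents -Events $sample
$alerts | ForEach-Object { Send-Alert $_ }

# Production: run the same rules over what the collector has received.
# $recent = Get-WinEvent -LogName ForwardedEvents -MaxEvents 5000 | ConvertFrom-EventRecord
# Find-SuspiciousEvents -Events $recent | ForEach-Object { Send-Alert $_ }
```

On the constructed sample the pass raises four alerts (the Domain Admins addition, the cleared log, the template update and the failed-logon burst) and stays quiet on the help-desk group change. The privileged-group rule keys on `TargetUserName`, which for 4728/4732/4756 is the group the member was added to; the threshold rule sorts by time and slides a window rather than counting per calendar hour, so a burst that straddles an hour boundary is still caught.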
Audit / evidence tips
- Ask: the logging configuration documentation. Request the document that details how logging is set up for Active Directory servers.
  Good: a document with step-by-step setup instructions and the location of the central log repository.
- Ask: recent log review reports.
  Good: a report showing regular log checks, dates of review, and actions taken if any issues were found.
- Ask: the training materials used for log review training. Request slides or notes from sessions given to staff.
  Good: materials outlining log interpretation skills and a schedule of past sessions.
- Ask: alert configuration settings. Request the settings that define how alerts are triggered from logs.
  Good: a list of configured alerts with explanations of why they are set and how they notify people.
- Ask: the log retention policy document. Request information on how long logs are kept.
  Good: a clear policy document showing retention timelines and methods for secure deletion of old logs.
Cross-framework mappings
How ISM-1830 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.15 | Partially meets | ISM-1830 requires central logging of security-relevant events specifically for Microsoft AD DS, AD CS, AD FS and Entra Connect servers |
| Annex A 8.16 | Supports | ISM-1830 requires that security-relevant events on Microsoft AD-related servers are centrally logged |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-RA-ML2.6 | Partially meets | ISM-1830 requires security-relevant events for Microsoft AD DS domain controllers, AD CS CA servers, AD FS servers and Microsoft Entra Co... |
| E8-MF-ML2.7 | Partially overlaps | ISM-1830 requires security-relevant events for Microsoft AD DS, AD CS, AD FS and Entra Connect servers to be centrally logged |
| E8-AH-ML2.15 | Supports | ISM-1830 requires central logging of security-relevant events from Microsoft AD DS, AD CS, AD FS and Entra Connect servers |
| E8-AC-ML3.4 | Depends on | E8-AC-ML3.4 requires organisations to analyse event logs from non-internet-facing servers in a timely manner to detect cyber security events |
| E8-MF-ML3.4 | Depends on | E8-MF-ML3.4 requires timely analysis of event logs from non-internet-facing servers to detect cyber security events |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.