Central Logging of Events on Internet-Facing Devices
Important events on internet-connected network devices are logged in a central location for security.
Plain language
This control is about keeping a watchful eye on important activities that happen on your internet-connected devices, like routers and firewalls, by recording these activities in a central place. It's crucial because if you don't keep track of these events, you might miss early signs of a cyber attack, leading to data breaches or service disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Official control statement
Security-relevant events for internet-facing network devices are centrally logged.
Why it matters
Without central logging of internet-facing devices, early signs of attacks can be missed, leading to undetected breaches and significant disruptions.
Operational notes
Forward security events from all internet-facing network devices to a central log platform (e.g., SIEM), validate time sync, and alert on failed logins, config changes and blocked traffic.
Implementation tips
- The IT team should configure network devices to send logs to a central logging system. They can do this by accessing the device's settings and entering the address of the central logging system, which can be a server or a service dedicated to storing and managing logs.
- The IT manager should ensure the central logging system is regularly monitored. This can be done by assigning specific staff to review logs daily or using alerts for unusual activities. Ensure the team knows how to identify and react to suspicious activity.
- System owners should work with the IT team to identify which events need logging. They should make a list of key events (like failed login attempts or configuration changes) and ensure these are tracked. Regular meetings can help fine-tune what events are logged.
- The IT team should check the logging system's capacity and reliability. They need to make sure the system can store enough data and is protected against cyber threats. They can set up regular tests to ensure it's functioning well.
- The IT team should implement regular training sessions for staff who use the logging system. This training should focus on how to access the logs, interpret them, and escalate concerns if suspicious activities are noticed.
Audit / evidence tips
- Ask for the central logging system's configuration records: Request documentation showing setup and settings for logging from internet-facing devices
  Good: should show all critical devices listed and a comprehensive set of events being logged
- Ask to see recent log files or reports: Request a sample of recent logs captured by the central logging system
  Good: shows regular, meaningful logs that match significant network activities
- Ask for incident response procedures: Request the procedures for investigating logged events
  Good: includes well-defined steps and assigned responsibilities for handling different types of events
- Ask for training records: Request documentation of staff training sessions on the logging system
  Good: shows regular training sessions with relevant staff attending
- Ask for log review records: Request records of when the logs were reviewed and by whom
  Good: includes detailed logs of reviews and appropriate follow-ups on any anomalies found
Cross-framework mappings
How ISM-1963 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged | |
| Supports (2) | | |
| Annex A 8.16 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged | |
| Annex A 8.20 | ISM-1963 requires security-relevant events for internet-facing network devices to be centrally logged | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AH-ML2.14 | E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.