Central Logging for Network Device Events
Logs activities from internal network devices to keep track of security-related events.
Plain language
Central logging means keeping all the records of what your network devices are doing in one place, like having a detailed diary. This matters because if something goes wrong, like an unauthorised person trying to sneak into your network, you'll have the information needed to catch it and solve the problem quickly.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Network design and configurationOfficial control statement
Security-relevant events for non-internet-facing network devices are centrally logged.
Why it matters
Without central logging of non-internet-facing network device events, unauthorised access or misuse may go undetected, delaying response and investigation.
Operational notes
Configure non-internet-facing network devices to forward security-relevant events to a central log system; verify coverage, time sync, retention and alerting on anomalies.
Implementation tips
- IT team: Set up a central logging system. This means choosing software or a tool that can collect and store logs from all your network devices in one place. Make sure it fits your budget and business size.
- System owner: Define which network events are important to log. Work with your IT team to decide what types of activities need monitoring, such as access attempts, changes to device settings, and unusual network traffic.
- IT team: Configure your network devices. Ensure that all devices on your network, like routers and switches, are set to send their logs to the central logging system. Check the instructions for each device to find out how to do this.
- Manager: Schedule regular reviews of your logs. Set up a timetable for when logs should be checked, such as weekly or monthly, to look for any suspicious activity. This could help catch issues early.
- HR: Train staff on security awareness. Educate your team about the importance of logs and how secure network practices help protect the business. This ensures everyone knows what to watch out for and report.
Audit / evidence tips
- AskThe central logging system logs: Request to see the logs collected in the central system over the past six months GoodIs complete logs with no data gaps, showing consistent data collection from all relevant devices
- AskThe list of network events being logged: Request the document or configuration file that details what types of events the network devices are set to log GoodShows a comprehensive list covering various security-relevant events
- AskThe procedure for log reviews: Request the written process or schedule used for checking the logs GoodIncludes a clear timetable and designated personnel responsible for reviews
- AskEvidence of response to logged events: Request records of any actions taken due to findings in the logs GoodIncludes documented cases with actions taken and outcomes
- AskStaff training records: Request documentation of security training sessions for staff GoodIncludes recent training on the importance of network logs and general security awareness
Cross-framework mappings
How ISM-1964 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.15 | ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged | |
| Annex A 8.20 | ISM-1964 requires central logging of security-relevant events from non-internet-facing network devices | |
| handshake Supports (1) expand_less | ||
| Annex A 5.28 | ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.