Central Logging for Network Device Events
Logs activities from internal network devices to keep track of security-related events.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Detective
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
Guideline
Guidelines for networking
Section
Network design and configuration
Security-relevant events for non-internet-facing network devices are centrally logged.
Source: ASD Information Security Manual (ISM)
Plain language
Central logging means keeping all the records of what your network devices are doing in one place, like having a detailed diary. This matters because if something goes wrong, like an unauthorised person trying to sneak into your network, you'll have the information needed to catch it and solve the problem quickly.
Why it matters
Without central logging of non-internet-facing network device events, unauthorised access or misuse may go undetected, delaying response and investigation.
Operational notes
Configure non-internet-facing network devices to forward security-relevant events to a central log system; verify coverage, time sync, retention and alerting on anomalies.
Implementation tips
- IT team: Set up a central logging system. This means choosing software or a tool that can collect and store logs from all your network devices in one place. Make sure it fits your budget and business size.
- System owner: Define which network events are important to log. Work with your IT team to decide what types of activities need monitoring, such as access attempts, changes to device settings, and unusual network traffic.
- IT team: Configure your network devices. Ensure that all devices on your network, like routers and switches, are set to send their logs to the central logging system. Check the instructions for each device to find out how to do this.
- Manager: Schedule regular reviews of your logs. Set up a timetable for when logs should be checked, such as weekly or monthly, to look for any suspicious activity. This could help catch issues early.
- HR: Train staff on security awareness. Educate your team about the importance of logs and how secure network practices help protect the business. This ensures everyone knows what to watch out for and report.
Audit / evidence tips
- Ask for the central logging system logs: Request to see the logs collected in the central system over the past six months.
  Good: complete logs with no data gaps, showing consistent data collection from all relevant devices.
- Ask for the list of network events being logged: Request the document or configuration file that details what types of events the network devices are set to log.
  Good: a comprehensive list covering various security-relevant events.
- Ask for the procedure for log reviews: Request the written process or schedule used for checking the logs.
  Good: a clear timetable and designated personnel responsible for reviews.
- Ask for evidence of response to logged events: Request records of any actions taken due to findings in the logs.
  Good: documented cases with actions taken and outcomes.
- Ask for staff training records: Request documentation of security training sessions for staff.
  Good: recent training on the importance of network logs and general security awareness.
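The "verify coverage, time sync" step in the operational notes and the "no data gaps" audit criterion can be checked mechanically against a device inventory. The following is an added example, not part of the ISM or of this page's original material; the hostnames, the export line format, the thresholds and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory and collector export. Assumed line format:
# "<collector receive time> <device timestamp> <host> <message>"
INVENTORY = {"core-sw1", "dist-sw2", "mgmt-rtr1"}
SAMPLE = """\
2024-08-01T00:00:05 2024-08-01T00:00:04 core-sw1 login failed for admin
2024-08-01T06:00:02 2024-08-01T06:00:01 core-sw1 config changed
2024-08-01T00:10:00 2024-08-01T00:02:30 dist-sw2 login accepted for ops
2024-08-01T12:00:00 2024-08-01T11:52:31 dist-sw2 config changed
2024-08-02T00:00:00 2024-08-01T23:59:59 core-sw1 login failed for admin
"""

def parse(text):
    """Yield (received, device_time, host) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        recv, dev, host, _msg = line.split(maxsplit=3)
        yield datetime.fromisoformat(recv), datetime.fromisoformat(dev), host

def audit(text, inventory, start, end, max_gap, max_skew):
    """Report silent, unknown and clock-skewed devices plus per-device log gaps."""
    seen, skewed = {}, set()   # seen: host -> collector receive times
    for recv, dev, host in parse(text):
        seen.setdefault(host, []).append(recv)
        if abs(recv - dev) > max_skew:   # device clock disagrees with collector
            skewed.add(host)
    gaps = {}
    for host, times in seen.items():
        # Include the window edges so silence at the start or end counts as a gap.
        points = [start] + sorted(times) + [end]
        found = [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]
        if found:
            gaps[host] = found
    return {
        "silent": sorted(inventory - set(seen)),    # in inventory, never logged
        "unknown": sorted(set(seen) - inventory),   # logging, not in inventory
        "skewed": sorted(skewed),
        "gaps": gaps,
    }

REPORT = audit(SAMPLE, INVENTORY,
               start=datetime(2024, 8, 1), end=datetime(2024, 8, 2),
               max_gap=timedelta(hours=8), max_skew=timedelta(minutes=2))
```

On the constructed sample, `mgmt-rtr1` is reported as silent, `dist-sw2` as clock-skewed, and both logging devices show gaps longer than the eight-hour threshold.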
Cross-framework mappings
How ISM-1964 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.15 | ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged |
| Partially meets | Annex A 8.20 | ISM-1964 requires central logging of security-relevant events from non-internet-facing network devices |
| Supports | Annex A 5.28 | ISM-1964 requires security-relevant events for non-internet-facing network devices to be centrally logged |