Central Logging of Linux System Events
Important Linux system events should be logged in a central location for security purposes.
Plain language
This control is about making sure all important events happening on your Linux computers are recorded in one central place. It matters because if something goes wrong, like a security breach, you want to know exactly what happened and when. Without this logging, it would be challenging to spot issues or figure out how to fix them.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Security-relevant events for Linux operating systems are centrally logged.
Why it matters
Without central logging of Linux security events, attacks may go undetected and incident investigation is slowed due to missing or scattered audit trails.
Operational notes
Ensure Linux hosts forward security-relevant events (e.g. authentication, sudo, auditd, kernel) to a central log server over a reliable, authenticated transport; monitor ingest health (every expected host reporting, clocks in sync, forwarding queues not backing up) and review alerts for anomalies.
Implementation tips
- The IT team should decide which events need to be logged. Start from the activities on Linux systems that matter for detection and investigation: authentication successes and failures (sshd, PAM), privilege escalation (sudo, su), account and group changes, changes to security configuration and scheduled jobs, service starts and stops, and kernel and audit events (auditd, SELinux or AppArmor denials). Review what each Linux build can emit and record the chosen set in the logging policy.
- System administrators should set up the central logging system. Configure the syslog daemon on each host (rsyslog or syslog-ng; journald can forward with systemd-journal-upload) to send the chosen events to the central server over a reliable, authenticated channel: TCP or RELP with TLS rather than plain UDP, with a local disk-assisted queue so events are not lost while the server is unreachable. Forward auditd records as well (the audisp remote or syslog plugin), and keep host clocks synchronised with NTP so events from different hosts can be correlated.
- IT managers need to check that all systems are actually logging. Compare the hosts seen at the collector against the asset inventory rather than only checking that log files are growing: a host that silently stops forwarding, or one that was never enrolled, is exactly the gap an attacker benefits from. Run scripts that alert when an expected host has sent nothing within an agreed window, when a host's timestamps drift from the server's clock, or when the collector's queue or disk fills.
- The security team should review these logs regularly. Set a schedule for team members to go through the logs, and use a SIEM or log-analysis tooling to flag repeated authentication failures, direct root logins, unexpected sudo use, new accounts and changes to audit or logging configuration; record the outcome of each review and any actions taken.
- Business continuity planners should ensure backup and retention processes are in place. Set a retention period, back up the central log store regularly, protect stored logs from modification (restricted write access and append-only or immutable storage where available) and verify that backups can be restored, so that a history is available to analyse even if the attacked host or the collector itself is compromised.
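As an added example that is not part of the ISM or of this page, the following Python script runs the checks from the last three tips over a constructed sample of forwarded syslog. It parses RFC 5424 lines in the form the collector would store them (the format rsyslog's RSYSLOG_SyslogProtocol23Format template emits), compares the hosts that reported against an assumed asset inventory to find missing, stale, unexpected and clock-skewed hosts, and flags authentication bursts, direct root logins and sudo use for review. The hostnames, addresses, thresholds and every log line are constructed for the example.

```python
"""Ingest-health and anomaly review over centrally collected Linux syslog.

Added example, not from the ISM or the Control Stack page. Assumes the collector
stores events one per line in RFC 5424 format and that an inventory of hosts
expected to report is known. All hosts, addresses and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_LOGIN = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SUDO_CMD = re.compile(r"(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

EXPECTED_HOSTS = {"web01", "web02", "db01", "bastion01"}   # constructed asset inventory
NOW = datetime(2024, 11, 5, 9, 30, tzinfo=timezone.utc)     # constructed review time
STALE_AFTER = timedelta(minutes=15)   # a host silent this long is a forwarding gap
MAX_SKEW = timedelta(minutes=5)       # events further ahead than this mean an unsynced clock
FAILED_LOGIN_THRESHOLD = 5            # failures from one source before it is reported

# Constructed sample of what the collector received.
# PRI 38 = auth.info, 85 = authpriv.notice, 30 = daemon.info, 6 = kern.info.
SAMPLE = """\
<38>1 2024-11-05T09:00:01Z web01 sshd 1201 - - Accepted publickey for deploy from 10.0.1.7 port 51822 ssh2
<85>1 2024-11-05T09:00:05Z web01 sudo 1210 - - deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
<38>1 2024-11-05T09:01:11Z web02 sshd 998 - - Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
<38>1 2024-11-05T09:01:14Z web02 sshd 998 - - Failed password for invalid user admin from 203.0.113.9 port 40212 ssh2
<38>1 2024-11-05T09:01:18Z web02 sshd 1002 - - Failed password for root from 203.0.113.9 port 40230 ssh2
<38>1 2024-11-05T09:01:22Z web02 sshd 1005 - - Failed password for invalid user oracle from 203.0.113.9 port 40251 ssh2
<38>1 2024-11-05T09:01:26Z web02 sshd 1007 - - Failed password for invalid user test from 203.0.113.9 port 40260 ssh2
<38>1 2024-11-05T09:01:30Z web02 sshd 1009 - - Failed password for invalid user admin from 203.0.113.9 port 40271 ssh2
<38>1 2024-11-05T09:02:00Z web02 sshd 1014 - - Failed password for ubuntu from 10.0.1.7 port 51900 ssh2
<38>1 2024-11-05T09:20:30Z web01 sshd 1388 - - Accepted password for root from 198.51.100.4 port 2222 ssh2
<30>1 2024-11-05T09:25:00Z db01 systemd 1 - - Started Daily apt download activities.
<85>1 2024-11-05T09:26:10Z db01 sudo 2231 - - dba : TTY=pts/1 ; PWD=/home/dba ; USER=postgres ; COMMAND=/usr/bin/psql
<6>1 2024-11-05T09:45:00Z lab07 kernel - - - usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""


def parse(text):
    """Return (events, unparsed_lines); a malformed line is recorded, not fatal."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = RFC5424.match(line)
        if not m:
            unparsed.append(line)
            continue
        pri = int(m["pri"])
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "host": m["host"], "app": m["app"], "msg": m["msg"],
            "facility": pri >> 3, "severity": pri & 7,   # PRI = facility * 8 + severity
        })
    return events, unparsed


def ingest_health(events, expected_hosts, now, stale_after=STALE_AFTER, max_skew=MAX_SKEW):
    """Compare hosts seen at the collector with the inventory (implementation tip 3)."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(e["ts"], last_seen.get(e["host"], e["ts"]))
    seen = set(last_seen)
    return {
        "missing": sorted(expected_hosts - seen),       # enrolled but never heard from
        "stale": sorted(h for h, t in last_seen.items()
                        if h in expected_hosts and now - t > stale_after),
        "unexpected": sorted(seen - expected_hosts),    # reporting but not in the inventory
        "skewed": sorted(h for h, t in last_seen.items() if t - now > max_skew),
        "ok": sorted(h for h, t in last_seen.items()
                     if h in expected_hosts and now - t <= stale_after),
    }


def review_auth(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Flag auth bursts, direct root logins and sudo use (implementation tip 4)."""
    findings = []
    failures = defaultdict(list)   # (host, source ip) -> usernames tried
    for e in events:
        if e["app"] == "sshd":
            m = FAILED_LOGIN.search(e["msg"])
            if m:
                failures[(e["host"], m.group(2))].append(m.group(1))
                continue
            m = ACCEPTED_LOGIN.search(e["msg"])
            if m and m.group(2) == "root":
                findings.append(("root-login", e["host"],
                                 f"root logged in via {m.group(1)} from {m.group(3)}"))
        elif e["app"] == "sudo":
            m = SUDO_CMD.search(e["msg"])
            if m:
                findings.append(("sudo", e["host"], f"{m.group(1)} ran as {m.group(2)}: {m.group(3)}"))
    for (host, src), users in failures.items():
        if len(users) >= threshold:
            findings.append(("auth-burst", host,
                             f"{len(users)} failed logins from {src} trying {len(set(users))} usernames"))
    return findings


if __name__ == "__main__":
    events, unparsed = parse(SAMPLE)
    print(f"{len(events)} events parsed, {len(unparsed)} unparsed")
    for key, hosts in ingest_health(events, EXPECTED_HOSTS, NOW).items():
        print(f"{key:>10}: {', '.join(hosts) or '-'}")
    for kind, host, detail in review_auth(events):
        print(f"[{kind}] {host}: {detail}")
```

On the sample, bastion01 is missing, web02 has been silent for 28 minutes, lab07 is reporting without being in the inventory and its clock is 15 minutes ahead; the review flags the 6-attempt burst against web02 from 203.0.113.9, the direct root login on web01 and the two sudo commands. Bursts from the internal address stay below the threshold and are not reported, which is the kind of tuning decision the review schedule should record.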
Audit / evidence tips
- Ask: for the logging policy document that details which Linux system events are logged centrally.
  Good: the document includes a comprehensive list covering the security and operational events necessary for your environment.
- Ask: for evidence of the log collection software installed and configured on the central server: installation records, the collector's configuration and the forwarding configuration on the hosts.
  Good: the configuration shows the expected hosts forwarding to the server and the stored logs are updated continuously, signifying active logging processes.
- Ask: for a sample log report from the central repository covering a specific timeframe.
  Good: the report shows a variety of logged events with timestamps and the originating host of each event, and the set of originating hosts matches the asset inventory.
- Ask: for the planned schedule or checklist for regular log reviews.
  Good: the schedule shows regular reviews with action points recorded to address any issues found.
- Ask: about log backup procedures: documents describing how logging data is backed up, including backup frequency, storage location and data protection measures.
  Good: the backup plan sets out clear procedures, secure storage and a regular backup routine, and shows that restores have been tested.
Cross-framework mappings
How ISM-1977 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-AC-ML2.5 | Partially overlaps | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged |
| E8-MF-ML2.6 | Partially overlaps | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged |
| E8-RA-ML2.6 | Partially overlaps | E8-RA-ML2.6 requires privileged access events to be centrally logged to detect and investigate misuse of elevated access |
| E8-RA-ML2.7 | Partially overlaps | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged |
| E8-AH-ML2.12 | Supports | E8-AH-ML2.12 requires command line process creation events to be centrally logged |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.