Centralised Logging for Server Application Events
Log important events centrally for applications on internet-facing servers for security monitoring.
Plain language
This control is about making sure that important events happening on your company's internet-connected servers are collected in one central place. This is crucial because it helps in spotting security issues early on. If this isn't done, you might miss a security breach, which could lead to loss of data, harm to your business's reputation, or costly downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Security-relevant events for server applications on internet-facing servers are centrally logged.
Why it matters
Without centralised logging of security-relevant server application events on internet-facing servers, attacks may be missed, delaying response and increasing breach impact.
Operational notes
Forward server application security events from internet-facing servers to a central log platform, retain them, and alert on failures, auth anomalies, and error spikes.
Implementation tips
- IT team should set up a central logging system: Use logging software to capture key events from all servers that are connected to the internet. This means configuring each server to send its event logs, like user logins and software updates, to a main server where they can be reviewed.
- Managers need to choose the right logging tool: Discuss with your IT provider to select a tool that fits your business size and budget. Make sure the tool can handle the amount of data your servers generate and has alert features for unusual activity.
- System owners should define what to log: Work with the IT team to identify which server events are important, like failed login attempts or software changes. Focus on events that could indicate a security threat or need a quick response.
- IT staff must ensure secure access to logs: Set up access controls so only authorised personnel can view logs. This might involve setting up user accounts with the right permissions on the logging tool.
- Regularly review the logs: Appoint a security team member to check the logs weekly for suspicious activities. Provide them with a checklist of potential warnings, like repeated failed login attempts or unauthorised changes to server settings.
Audit / evidence tips
- Ask for the logging policy: Request the document showing what types of server events are logged. Good: the policy clearly outlines event types and their importance, and is signed by an IT or security manager.
- Ask for logs from the central system: Request a sample of logs from a recent period. Check whether these logs include various event types from different servers. Good logs should show a complete picture with timestamps, event details, and source servers.
- Ask for access control lists for the logging system: Ensure there is a list of who can access the logs. Check for roles and permissions assigned to different users. Good: shows only authorised personnel have access, with evidence of role-based permissions.
- Ask for incident reports: Request recent reports of suspicious activity detections. Review the steps taken after such detections. Good reports should follow a consistent process from detection to resolution and show results of the action taken.
- Ask for maintenance records: Request logs of regular logging system checks. Check these records for dates, updates made, and any issues found. Good records should show consistent system maintenance and troubleshooting resolutions.
Cross-framework mappings
How ISM-1978 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 8.15 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
| Annex A 8.16 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AC-ML2.5 | E8-AC-ML2.5 requires organisations to centrally log allowed and blocked application control events | |
| Supports (1) | | |
| E8-RA-ML2.9 | ISM-1978 requires security-relevant events for server applications on internet-facing servers to be centrally logged | |
| Depends on (3) | | |
| E8-AC-ML2.7 | E8-AC-ML2.7 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| E8-MF-ML2.8 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| E8-AH-ML2.14 | E8-AH-ML2.14 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.