Central Logging for Security Events on Servers
Record important server activities in a central system to monitor non-internet-connected servers.
Plain language
This control ensures that all important activities happening on your servers that don't connect to the internet are recorded in one central place. This is crucial because if something goes wrong, you'll have a record to find out what happened. Missing these records could leave you blind to a hack, data theft, or software failure, putting your business at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Security-relevant events for server applications on non-internet-facing servers are centrally logged.
Why it matters
Without central logging, security events on non-internet-facing server applications may be missed, delaying detection and investigation of compromise or data leakage.
Operational notes
Forward server application security event logs to a central log server/SIEM; verify coverage and time sync. Review and alert weekly for failed logins, privilege changes and errors.
Implementation tips
- The IT team should set up a system that collects logs from all non-internet-facing servers. They can do this by configuring each server to send its logs – which are like digital activity diaries – to one computer that collects them all. This ensures all important actions are recorded in one spot.
- Managers should ensure the logs are checked regularly. They can do this by setting up a weekly schedule where a trained staff member reviews the logs for any unusual activity. This keeps them alert to potential issues early.
- System owners should decide which activities need logging by working with the IT team to identify what's most critical, like login attempts or software changes. This ensures that no important events are missed.
- The IT team should put in place alerts for unusual activities. They can set up the logging system to automatically flag strange patterns, like many failed login attempts, so they can react quickly if something's wrong.
- Business leaders should allocate resources for training staff on how to understand and use logs. This could be a short course explaining what logs are and how to spot unusual activity, empowering everyone to contribute to security.
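An added example (not part of the control text or of any ASD tooling) of the checks named in the operational notes and the alerting tip: coverage, time sync and a failed-login alert, run over constructed central log records. Host names, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2026, 3, 19, 12, 0, tzinfo=UTC)   # constructed "current" time
EXPECTED = {"app01", "db01", "file01"}           # constructed inventory of non-internet-facing servers

def ts(h, m, s=0):
    return datetime(2026, 3, 19, h, m, s, tzinfo=UTC)

# Constructed records: (host, time stamped by server, time received centrally, event)
EVENTS = [
    ("app01", ts(11, 50), ts(11, 50, 1), "login_failed"),
    ("app01", ts(11, 51), ts(11, 51, 1), "login_failed"),
    ("app01", ts(11, 52), ts(11, 52, 1), "login_failed"),
    ("app01", ts(11, 58), ts(11, 58, 1), "privilege_change"),
    ("db01",  ts(11, 40), ts(11, 55, 0), "login_ok"),   # server clock 15 minutes behind
]

def coverage_gaps(expected, events, now, max_silence=timedelta(hours=1)):
    """Inventory hosts with no event received centrally within max_silence."""
    last_seen = {}
    for host, _, received, _ in events:
        last_seen[host] = max(received, last_seen.get(host, received))
    return sorted(h for h in expected
                  if h not in last_seen or now - last_seen[h] > max_silence)

def clock_skew(events, tolerance=timedelta(minutes=5)):
    """Hosts whose own timestamps differ from receipt time (includes transit delay)."""
    worst = {}
    for host, stamped, received, _ in events:
        skew = abs(received - stamped)
        if skew > tolerance:
            worst[host] = max(skew, worst.get(host, skew))
    return worst

def failed_login_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` failed logins inside any sliding window."""
    per_host = defaultdict(list)
    for host, _, received, event in events:
        if event == "login_failed":
            per_host[host].append(received)
    alerts = []
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(host)
                break
    return sorted(alerts)

if __name__ == "__main__":
    print(coverage_gaps(EXPECTED, EVENTS, NOW), clock_skew(EVENTS), failed_login_alerts(EVENTS))
```

A host that appears in the inventory but never in the central store is the gap an auditor will look for first, so the coverage check is driven from the inventory rather than from the logs.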
Audit / evidence tips
- Ask: the central logging setup documentation: Request the documents or settings that show how server logs are collected centrally
  Good: includes screenshots or printouts of this setup clearly showing active configurations
- Ask: the log review schedule and records: Request evidence of regular log review
  Good: has dated logs of reviews, findings, and any actions taken
- Ask: a list of activities identified for logging: Check if there is a documented list of what events need to be logged from each server. Good evidence includes a document showing these specific activities and reasons for selection
- Ask: to see alert configurations: Request evidence of alerts set up for unusual activities in the logs. Examine screenshots or settings showing these automated alerts
  Good: shows active alerts for key events like failed login attempts
- Ask: staff training records: Request evidence of any training sessions held on server log monitoring. Check for attendance records, training materials, and feedback
  Good: includes a completed training register with dates and participant names
Cross-framework mappings
How ISM-1979 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged | |
| Related (1) | | |
| Annex A 8.16 | Annex A 8.16 requires monitoring of networks, systems and applications for anomalous behaviour with actions taken to evaluate possible in... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-AC-ML2.5 | ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged | |
| Supports (2) | | |
| E8-MF-ML3.4 | ISM-1979 requires central logging of security-relevant events for server applications on non-internet-facing servers | |
| E8-RA-ML3.8 | ISM-1979 requires centrally logging security-relevant events for server applications on non-internet-facing servers | |
| Depends on (1) | | |
| E8-AH-ML3.4 | E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.