ISM-1979: ASD Information Security Manual (ISM)

Central Logging for Security Events on Servers

Record important server activities in a central system to monitor non-internet-connected servers.


Plain language

This control ensures that all important activities happening on your servers that don't connect to the internet are recorded in one central place. This is crucial because if something goes wrong, you'll have a record to find out what happened. Missing these records could leave you blind to a hack, data theft, or software failure, putting your business at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security-relevant events for server applications on non-internet-facing servers are centrally logged.
ASD Information Security Manual (ISM), ISM-1979

Why it matters

Without central logging, security events on non-internet-facing server applications may be missed, delaying detection and investigation of compromise or data leakage.


Operational notes

Forward server application security event logs to a central log server/SIEM; verify coverage and time sync. Review and alert weekly for failed logins, privilege changes and errors.
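
One way to carry out the "verify coverage and time sync" check above, as an added example that is not part of the ISM or of this page's source: it compares a server inventory with what the central collector has actually received. The hostnames, timestamps, thresholds and record layout are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hostnames, times and thresholds are illustrative assumptions.
INVENTORY = {"app01", "db01", "files01"}  # non-internet-facing servers in scope
NOW = datetime(2026, 3, 19, 12, 0, tzinfo=timezone.utc)
# (host, timestamp written by the source, timestamp stamped by the collector)
RECORDS = [
    ("app01", "2026-03-19T11:58:02+00:00", "2026-03-19T11:58:03+00:00"),
    ("db01", "2026-03-19T11:40:10+00:00", "2026-03-19T11:55:12+00:00"),
    ("db01", "2026-03-19T11:41:00+00:00", "2026-03-19T11:56:01+00:00"),
    ("test99", "2026-03-19T11:59:00+00:00", "2026-03-19T11:59:01+00:00"),
]


def audit_central_logging(inventory, records, now,
                          max_silence=timedelta(hours=1),
                          max_skew=timedelta(minutes=5)):
    """Return {host: [findings]} for coverage gaps and clock drift."""
    last_seen, worst_skew = {}, {}
    for host, event_ts, received_ts in records:
        event = datetime.fromisoformat(event_ts)
        received = datetime.fromisoformat(received_ts)
        last_seen[host] = max(last_seen.get(host, received), received)
        skew = abs(received - event)
        worst_skew[host] = max(worst_skew.get(host, skew), skew)

    findings = {}
    for host in sorted(inventory | set(last_seen)):
        issues = []
        if host not in inventory:
            issues.append("reports to collector but is not in the inventory")
        if host not in last_seen:
            issues.append("no events received")
        elif now - last_seen[host] > max_silence:
            issues.append(f"silent for {now - last_seen[host]}")
        if worst_skew.get(host, timedelta(0)) > max_skew:
            issues.append(f"source clock differs from collector by {worst_skew[host]}")
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_central_logging(INVENTORY, RECORDS, NOW).items():
        print(host, "->", "; ".join(issues))
```

A large gap between source and collector timestamps can also come from a forwarder that buffered events while the link was down, so confirm against the host's time-sync status before treating it as drift.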


Implementation tips

  • The IT team should set up a system that collects logs from all non-internet-facing servers. They can do this by configuring each server to send its logs – which are like digital activity diaries – to one computer that collects them all. This ensures all important actions are recorded in one spot.
  • Managers should ensure the logs are checked regularly. They can do this by setting up a weekly schedule where a trained staff member reviews the logs for any unusual activity. This keeps them alert to potential issues early.
  • System owners should decide which activities need logging by working with the IT team to identify what's most critical, like login attempts or software changes. This ensures that no important events are missed.
  • The IT team should put in place alerts for unusual activities. They can set up the logging system to automatically flag strange patterns, like many failed login attempts, so they can react quickly if something's wrong.
  • Business leaders should allocate resources for training staff on how to understand and use logs. This could be a short course explaining what logs are and how to spot unusual activity, empowering everyone to contribute to security.

Audit / evidence tips

  • Ask: the central logging setup documentation. Request the documents or settings that show how server logs are collected centrally.

    Good: includes screenshots or printouts of this setup clearly showing active configurations.

  • Ask: the log review schedule and records. Request evidence of regular log review.

    Good: has dated logs of reviews, findings, and any actions taken.

  • Ask: a list of activities identified for logging. Check if there is a documented list of what events need to be logged from each server. Good evidence includes a document showing these specific activities and reasons for selection.

  • Ask: to see alert configurations. Request evidence of alerts set up for unusual activities in the logs. Examine screenshots or settings showing these automated alerts.

    Good: shows active alerts for key events like failed login attempts.

  • Ask: staff training records. Request evidence of any training sessions held on server log monitoring. Check for attendance records, training materials, and feedback.

    Good: includes a completed training register with dates and participant names.


Cross-framework mappings

How ISM-1979 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged

Related (1)

  • Annex A 8.16: Annex A 8.16 requires monitoring of networks, systems and applications for anomalous behaviour with actions taken to evaluate possible in...

E8

Partially overlaps (1)

  • E8-AC-ML2.5: ISM-1979 requires security-relevant events for server applications on non-internet-facing servers to be centrally logged

Supports (2)

  • E8-MF-ML3.4: ISM-1979 requires central logging of security-relevant events for server applications on non-internet-facing servers
  • E8-RA-ML3.8: ISM-1979 requires centrally logging security-relevant events for server applications on non-internet-facing servers

Depends on (1)

  • E8-AH-ML3.4: E8-AH-ML3.4 requires event logs from non-internet-facing servers to be analysed in a timely manner to detect cyber security events

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
