Logging and Monitoring (CIS)

CIS Control 8 — Audit Log Management — covers the collection, protection and analysis of audit logs from systems and applications to detect, investigate and respond to security incidents. Logs are the evidence that makes it possible to understand what happened during an attack.


    What is audit log management?

    Audit log management is the process of systematically collecting, storing, protecting and analysing log data from IT systems, applications and network devices. Without adequate logging, it is impossible to detect attacks in a timely fashion or investigate what occurred after an incident.

    CIS Control 8 establishes a structured approach to logging that scales with an organisation's maturity — from basic log collection at Implementation Group 1 (IG1) to advanced correlation and anomaly detection at IG3.

    What should be logged?

    CIS Control 8 recommends logging, as a minimum:

    • Authentication events: Login, logout and failed login attempts.
    • Privileged actions: All administrator and elevated-privilege activity.
    • System events: Startup, shutdown and error conditions.
    • Network traffic: Firewall and DNS events.
    • Access to critical resources: File and system access on sensitive assets.
    • Configuration changes: Alterations to system or application settings.

    Log retention and protection

    Logs must be retained long enough to support incident investigation. CIS recommends a minimum of 90 days of active log retention and one year in archive. Logs must be protected against tampering — in practice by sending them to a centralised, read-only log platform that attackers cannot modify.


    Time synchronisation

    Accurate timestamps are essential for correlating logs across systems. All systems should be synchronised to a common time source via NTP (Network Time Protocol).

    SIEM and centralised logging

    A SIEM (Security Information and Event Management) system aggregates logs from all systems onto a single platform and enables correlation and automated anomaly detection. SIEM is typically an IG2/IG3 requirement, but even smaller organisations can benefit from centralised logging through cloud-based SIEM solutions. Effective log management works hand in hand with security logging practices and broader incident response capabilities.

    Frequently Asked Questions about Logging and Monitoring (CIS)

    What is CIS Control 8?

    CIS Control 8 — Audit Log Management — covers the collection, protection and analysis of audit logs from enterprise assets and software to detect, investigate and respond to security incidents.

    What should be logged under CIS Control 8?

    CIS Control 8 recommends logging authentication events, privileged actions, system events, network traffic, access to critical resources and configuration changes as a minimum.

    How long should logs be retained?

    CIS recommends a minimum of 90 days of active log retention and one year in archive. The exact period should be determined by incident investigation needs and any regulatory requirements.

    What is a SIEM and when is it needed?

    A SIEM (Security Information and Event Management) system aggregates logs from multiple sources, enabling correlation and automated anomaly detection. It is typically an IG2/IG3 requirement under CIS Controls.

    Why is time synchronisation important for logging?

    Accurate timestamps are essential for correlating events across different systems during incident investigation. Without synchronised clocks, it becomes difficult to reconstruct the sequence of events in an attack.
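The time synchronisation point made earlier on this page and in the answer above, as an added example that is not part of the original page: a merged timeline built from two log sources, first from the raw timestamps and then after correcting a known clock error. The host names, events and the 95-second error are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from a real system). Each host logs local time
# with its own UTC offset; "app01" is not NTP-synchronised and runs 95 s slow.
RAW_EVENTS = [
    ("fw01", "2024-05-14T10:15:02+00:00", "firewall: inbound TCP/22 to app01 allowed"),
    ("fw01", "2024-05-14T10:15:40+00:00", "firewall: outbound TCP/443 from app01 allowed"),
    ("app01", "2024-05-14T12:13:30+02:00", "sshd: accepted login for user admin"),
    ("app01", "2024-05-14T12:13:52+02:00", "sudo: admin ran privileged command"),
]

# Assumed per-host clock error (host clock minus reference clock), as it would
# be measured against the common time source. Hypothetical values.
CLOCK_ERROR = {"fw01": timedelta(0), "app01": timedelta(seconds=-95)}


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        # A timestamp without an offset cannot be placed on a shared timeline.
        raise ValueError(f"timestamp has no UTC offset: {stamp}")
    return parsed.astimezone(timezone.utc)


def timeline(events, clock_error=None):
    """Return (utc_time, host, message) rows ordered by time.

    When clock_error is given, each host's known error is subtracted first.
    """
    rows = []
    for host, stamp, message in events:
        when = to_utc(stamp)
        if clock_error is not None:
            when -= clock_error[host]
        rows.append((when, host, message))
    return sorted(rows, key=lambda row: row[0])


if __name__ == "__main__":
    for label, rows in (("uncorrected", timeline(RAW_EVENTS)),
                        ("corrected", timeline(RAW_EVENTS, CLOCK_ERROR))):
        print(label)
        for when, host, message in rows:
            print(f"  {when:%H:%M:%S}Z {host:<6}{message}")
```

In the uncorrected timeline the login and the privileged command appear more than a minute before the firewall allowed the connection; with the clock error removed, the sequence reads firewall allow, login, privileged command, outbound connection.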
