How to Collect Audit Logs - SafeGuard 8.2
Here's a step-by-step guide to collecting audit logs and ensuring logging is enabled across enterprise assets, as per the requirements in CIS Control 8 - Audit Log Management, Implementation Group 1 (IG1):
Step 1: Identify Enterprise Assets:
- Create a comprehensive inventory of all enterprise assets, including servers, workstations, network devices, applications, databases, and any other systems.
Step 2: Define Logging Requirements:
- Determine the specific audit log data that needs to be collected for each type of asset. This could include login attempts, access to sensitive data, configuration changes, and more.
Step 3: Enable Logging:
- Configure logging on each asset according to the defined requirements. Enable the appropriate log sources, such as operating system logs, application logs, and network device logs.
Step 4: Centralized Log Collection:
- Establish a centralized log collection mechanism that gathers logs from all assets and stores them in a secure and easily accessible location.
Step 5: Define Retention Policies:
- Develop retention policies for audit logs based on regulatory requirements and your organization's needs. Determine how long logs should be retained before they are archived or deleted.
Step 6: Implement Access Controls:
- Apply access controls to audit logs to ensure that only authorized personnel can view, modify, or delete them.
Step 7: Regular Monitoring:
- Regularly monitor the collection and storage of audit logs to ensure they are functioning correctly and that no gaps exist (for example, an inventoried asset that has stopped sending logs, or a host sending logs that is not in the inventory).
Step 8: Review and Alerts:
- Configure log review processes and alerts to notify appropriate personnel when specific events or anomalies are detected in the logs.
Step 9: Regular Testing:
- Conduct periodic tests to verify the effectiveness of log collection and monitoring. Test various scenarios to ensure the logs capture the expected events.
Step 10: Audit Log Management Process:
- Document the entire audit log management process, including procedures for enabling logging, configuring log sources, collecting and storing logs, reviewing logs, and responding to incidents based on log analysis.
Step 11: Training and Awareness:
- Train relevant personnel on the importance of audit logs, how to enable logging on different assets, and how to interpret log entries.
Step 12: Annual Review:
- Review and update the audit log management process annually to account for changes in technology, assets, and regulatory requirements.
Step 13: Continuous Improvement:
- Continuously assess and improve your audit log management process based on feedback, lessons learned from incidents, and changes in the threat landscape.
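Steps 7 through 9 (monitoring for collection gaps, alerting on specific events, and testing that the expected events are actually captured) can be exercised with a small script run against the central collector's output. The following is an added example written for this guide; it is not code from the original page or from the CIS Controls. The asset inventory, the per-asset maximum silence values, the "current time", the syslog-style sample lines and the alert threshold (three failed logins from one source within five minutes) are all constructed assumptions, chosen so that the script demonstrates each kind of finding.

```python
"""Audit log coverage and alerting check (added example, constructed data).

Checks three things a CIS Control 8 reviewer cares about:
  1. every inventoried asset has sent logs recently (Step 7, gap detection),
  2. no unknown host is sending logs, which means the inventory is incomplete (Step 1 / Step 7),
  3. a simple alert rule fires on the sample events (Step 8), which doubles as a Step 9 test.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # server, workstation, network device, ...
    max_silence: timedelta   # longest acceptable gap between received log events


# Constructed inventory (Step 1) with per-asset logging expectations (Step 2).
INVENTORY = [
    Asset("web-01", "server", timedelta(minutes=15)),
    Asset("db-01", "server", timedelta(minutes=15)),
    Asset("fw-edge", "network", timedelta(minutes=5)),
    Asset("ws-042", "workstation", timedelta(hours=24)),
]

# Constructed sample of lines as received by the central collector (Step 4).
# "vpn-gw" is deliberately absent from INVENTORY to show an inventory gap.
SAMPLE_LOGS = """\
2024-05-01T10:00:12Z web-01 sshd[1201]: Accepted publickey for deploy from 10.0.4.7 port 51022
2024-05-01T10:03:45Z db-01 postgres[881]: LOG:  parameter "log_connections" changed to "on"
2024-05-01T10:05:01Z web-01 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40212
2024-05-01T10:05:03Z web-01 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40214
2024-05-01T10:05:05Z web-01 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40216
2024-05-01T09:20:00Z fw-edge filterlog: block in on em0 proto TCP 198.51.100.4:4444 -> 10.0.4.7:22
2024-05-01T10:07:30Z vpn-gw openvpn[402]: TLS: Initial packet from [AF_INET]192.0.2.17:1194
"""

# Constructed "current time" so the check is reproducible offline.
NOW = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_lines(text: str) -> list[tuple[datetime, str, str]]:
    """Parse '<ISO timestamp> <host> <message>' lines into (ts, host, msg) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip rather than crash the whole check
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["msg"]))
    return events


def find_gaps(inventory, events, now):
    """Step 7: report each inventoried asset that is silent, plus hosts not in the inventory."""
    last_seen: dict[str, datetime] = {}
    for ts, host, _ in events:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    gaps = {}
    for asset in inventory:
        seen = last_seen.get(asset.name)
        if seen is None:
            gaps[asset.name] = "no logs received"
        elif now - seen > asset.max_silence:
            gaps[asset.name] = f"silent for {now - seen}"
    unknown = sorted(set(last_seen) - {a.name for a in inventory})
    return gaps, unknown


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Step 8: alert when one source exceeds `threshold` failed logins on a host within `window`."""
    by_src: dict[tuple[str, str], list[datetime]] = {}
    for ts, host, msg in events:
        m = FAILED_LOGIN_RE.search(msg)
        if m:
            by_src.setdefault((host, m["src"]), []).append(ts)
    alerts = []
    for (host, src), times in sorted(by_src.items()):
        times.sort()
        start = 0
        for end, ts in enumerate(times):          # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, src, end - start + 1))
                break
    return alerts


def run_checks(now: datetime = NOW) -> dict:
    """Run all three checks over the sample data and return the findings."""
    events = parse_lines(SAMPLE_LOGS)
    gaps, unknown = find_gaps(INVENTORY, events, now)
    return {"events": len(events), "gaps": gaps, "unknown": unknown,
            "alerts": failed_login_alerts(events)}


if __name__ == "__main__":
    result = run_checks()
    for host, why in result["gaps"].items():
        print(f"GAP      {host}: {why}")
    for host in result["unknown"]:
        print(f"UNKNOWN  {host}: sending logs but not in the asset inventory")
    for host, src, n in result["alerts"]:
        print(f"ALERT    {host}: {n} failed logins from {src} within 5 minutes")
```

Run against the constructed data, the script reports fw-edge as silent for 50 minutes (its 5-minute limit is exceeded), ws-042 as having sent nothing at all, vpn-gw as an uninventoried log source, and one failed-login alert for web-01. In practice the inventory would be loaded from the asset register produced in Step 1 and the events read from the central log store, with the thresholds set per the logging requirements defined in Step 2; the same run, repeated on a schedule, serves as the periodic test called for in Step 9.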
By following these steps, you'll ensure that audit logs are collected and properly managed across your enterprise's assets, in alignment with the requirements of the CIS18 Controls. This helps enhance your organization's incident response capabilities and overall security posture.