Audit And Accountability
Collect audit information (e.g., logs) into one or more central repositories.
Aggregate and store audit logs in a centralized location or locations within the organization. Storing audit logs in a centralized location supports orchestration, automation, correlation, and analysis activities by enabling a full picture of the audit logs, and can support automated analysis capabilities including correlation of events across the enterprise. Ensure that the central repository has the appropriate infrastructure, including protection mechanisms, and the capacity level to meet the logging requirements of the organization. Example You are in charge of IT operations in your organization. Your responsibilities include reviewing audit logs. You consolidate all audit logs in a common format and into a centralized logging infrastructure that may consist of one or more servers. By doing this, you enable centralized analysis of your audit logs. This increases situational awareness across your network. In addition, you are able to better protect your audit logs by storing them in one centralized location.
Aggregate and store audit logs in a central location. Central repositories enable analysis by storing audit record content needed for analysis in a common location and format. Storing audit logs in central repositories also protects audit information. The repository has the available infrastructure, capacity, and protection mechanisms to meet the organization’s audit requirements. Policy and local laws may place requirements on the location and structure of the repositories.
CIS Controls v7.1 6.5
NIST SP 800-53 Rev 4 AU-6(4)
CERT RMM v1.2 COMP:SG3.SP1
AU.3.048.[a] the organization defines information system components that generate audit records whose content is to be centrally managed and configured;
AU.3.048.[b] the organization manages audit information in centralized repositories; and
AU.3.048.[c] the central repositories have the appropriate infrastructure and capacity to meet the organizationally defined logging requirements.