Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
Explanation
Centralizing logs on dedicated servers improves security monitoring capabilities by creating a single location for analysis, correlation, and alerting on security events.
This approach protects log integrity by separating logs from the systems that generate them, making it harder for attackers to tamper with evidence of their activities. It also simplifies compliance requirements by standardizing log management and retention practices across the organization.
Evidence could include documentation of the log collection architecture showing log sources and destination servers, screenshots of log aggregation tool configurations, or a network diagram illustrating the log data flow from source systems to centralized log servers.
Implementation Example
Constantly transfer log data generated by other sources to a relatively small number of log servers
ID: DE.AE-03.294
Context
- Function
- DE: DETECT
- Category
- DE.AE: Adverse Event Analysis
- Sub-Category
- Information is correlated from multiple sources
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?

