Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
Ensure that local logging has been enabled on all systems and networking devices.
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
Ensure that all systems that store logs have adequate storage space for the logs generated.
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Deploy a Security Information and Event Management (SIEM) system or a log analytics tool for log correlation and analysis.
On a regular basis, review logs to identify anomalies or abnormal events.
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
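As an added illustration of the checks a central collector can run against the controls above (not part of the csf.tools page or the CIS controls themselves), the following script verifies that each aggregated record carries the fields listed and that device timestamps stay within a tolerance of the collector's receive time, which is what synchronized time sources are meant to guarantee. The key=value record format, field names, sample records and the 60-second tolerance are assumptions.

```python
import re
from datetime import datetime

# Fields every record must carry (the control's "detailed information" list).
# Field names are assumed; map them to your own log schema.
REQUIRED_FIELDS = ("source", "ts", "user", "src_ip", "dst_ip")

# Maximum tolerated gap between a device's timestamp and the collector's
# receive time; devices synced to common time sources stay well under this.
MAX_SKEW_SECONDS = 60  # assumed threshold

# Constructed sample records as a collector might receive them; recv_ts is the
# collector's own receive time, everything else comes from the device.
SAMPLE_LOG = """\
recv_ts=2024-05-01T12:00:05Z source=fw01 ts=2024-05-01T12:00:04Z user=alice src_ip=10.0.0.5 dst_ip=10.0.1.8 action=allow
recv_ts=2024-05-01T12:00:06Z source=web02 ts=2024-05-01T12:00:05Z user=- src_ip=10.0.0.9 action=login_failed
recv_ts=2024-05-01T12:00:07Z source=db01 ts=2024-05-01T11:45:07Z user=svc_db src_ip=10.0.2.3 dst_ip=10.0.2.4 action=query
"""


def parse_record(line):
    """Split one key=value record into a dict."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))


def _parse_ts(value):
    # Accept the trailing "Z" on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_record(rec):
    """Return the record's problems: missing required fields and clock skew."""
    problems = [f"missing:{f}" for f in REQUIRED_FIELDS if f not in rec]
    if "ts" in rec and "recv_ts" in rec:
        skew = abs((_parse_ts(rec["recv_ts"]) - _parse_ts(rec["ts"])).total_seconds())
        if skew > MAX_SKEW_SECONDS:
            problems.append(f"skew:{int(skew)}s")
    return problems


def audit_log(text):
    """Map each log source to its problems; clean records are left out."""
    findings = {}
    for line in text.splitlines():
        rec = parse_record(line)
        problems = check_record(rec)
        if problems:
            findings[rec.get("source", "?")] = problems
    return findings


if __name__ == "__main__":
    for source, problems in audit_log(SAMPLE_LOG).items():
        print(source, problems)
```

A device that repeatedly shows up with a skew finding is a time-synchronization failure to fix before its logs are trusted for correlation.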