Check: SRG-APP-000086-AU-000020
Central Log Server SRG (in versions v2 r2 through v1 r0.1)
Title
The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage. (Cat III impact)
Discussion
If the Central Log Server is not configured to collate records by the time the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol, so those sources need a forwarder or agent rather than only a syslog listener.
Check Content
Examine the documentation that lists the scope of coverage for the specific log server being reviewed. Verify the system is configured to aggregate log records from organization-defined devices and hosts within its scope of coverage. If the Central Log Server is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.
Fix Text
For each log server, configure the server to aggregate log records from organization-defined devices and hosts within its scope of coverage.
Additional Identifiers
Rule ID: SV-206449r395700_rule
Vulnerability ID: V-206449
Group Title: SRG-APP-000086
CCIs
Number | Definition
---|---
CCI-000174 | The information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.
Controls
Number | Title
---|---
AU-12 (1) | System-Wide / Time-Correlated Audit Trail