Information Security

CIS Control 8 - Audit Log Management

Last modified 6/28/2021

Audit Log Management


Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.


Log collection and analysis is critical for an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.

There are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start/end times, crashes, etc. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events—when a user logged in, accessed a file, etc.—and take more planning and effort to set up.

Logging records are also critical for incident response. After an attack has been detected, log analysis can help enterprises understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for a long period of time.


All University assets must be configured to be compliant with the Safeguards of Control 8: Audit Log Management from version 8 of the CIS Controls based on the applicable, corresponding Implementation Group (IG) of the owning business unit.

More information about Implementation Groups can be found here:

SafeguardControl Title
(Links to Information Security Office Guidance)
IG 1IG 2IG 3


Collect Audit Logs
8.3Ensure Adequate Audit Log Storage
8.4Standardize Time Synchronization
8.5Collect Detailed Audit Logs
8.6Collect DNS Query Audit Logs
8.7Collect URL Request Audit Logs


Collect Command-Line Audit Logs
8.9Centralize Audit Logs
8.10Retain Audit Logs
8.11Conduct Audit Log Reviews
8.12Collect Service Provider Logs

Additional Information

The following items are to provide context or better understanding of this standard:

  • Requesting an Exemption

In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis. All exemptions will require documentation of the system, the data use on the system, the reason the standard cannot be met, ISO approval, and then executive approval from the requesting area acknowledging and accepting risk.

Exemptions can be requested according to the published Security Exemption Procedure using the Security Exemption Request Form.

  • CIS Controls v8 License Statement

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to ( when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.®).