Project History & Origin
This project originated in the mid-2000s, when Security Information and Event Management (SIEM) and log management tools were still developing. Handling cybersecurity incidentsβespecially within traditional government organizationsβpresented significant challenges due to the absence of standardized practices for auditing and logging.
Mid-2000s
Project initiated
Project initiated
Early 2007
Initial draft completed
Initial draft completed
2007-2008
Refined by colleagues
Refined by colleagues
Dec 2008
Final document published
Final document published
To address this gap in standardized practices, a unified set of guidelines for implementing effective auditing and logging in systems and applications was developed. The final document, Guidelines for Auditing and Logging, was published in December 2008 and serves as a foundational reference for organizations seeking to strengthen their logging and auditing practices.
Core Principles
π CompletenessLog all relevant security events across systems, applications, and infrastructure.
π‘οΈ Integrity ProtectionLogs protected from tampering, deletion, or unauthorized modification.
π TimelinessReal-time or near-real-time log collection and alerting.
βοΈ AdmissibilityLogs meet evidentiary standards for legal proceedings.
π ActionabilityLogs structured and normalized for automated alerting and correlation.
π ConfidentialitySensitive log data protected from unauthorized access.
Essential Log Types
π₯οΈ Operating System LogsSecurity logs, system logs, application logs, setup logs
π Network Device LogsFirewall, router/switch, IDS/IPS, VPN, proxy, DNS logs
πΎ Database LogsAccess logs, audit trails, transaction logs, schema changes
π§ Application LogsWeb server logs, email logs, API logs, custom audit trails
π Authentication LogsLogins, privilege escalations, account lockouts, MFA events
βοΈ Cloud & SaaS LogsCloudTrail, Azure Activity Logs, O365 audit logs, CASB logs
Auditing Framework
| Phase | Activities | Documentation |
|---|---|---|
| 1. Audit Planning | Define scope, objectives, criteria | Audit charter, risk assessment |
| 2. Evidence Collection | Gather logs, verify integrity | Evidence log, chain of custody |
| 3. Analysis & Testing | Correlate events, identify gaps | Gap analysis, exception reports |
| 4. Reporting | Document findings, recommendations | Audit report, remediation plan |
| 5. Remediation & Follow-up | Track progress, verify fixes | Remediation tracking, policy updates |
Log Storage & Retention
π·οΈ Retention Policy90 days active, 1-7 years archive based on legal requirements
π Secure StorageEncryption at rest, access controls, immutable storage (WORM)
ποΈ Centralized CollectionSIEM, syslog server, cloud-native logging with NTP sync
π Backup & ArchivalRegular backups, off-site storage, integrity verification
Log Rotation & Management
SIEM & Log Monitoring
π Log NormalizationStandardize formats, timestamps, field names across sources
β οΈ Alerting & CorrelationRule-based alerts, behavioral analytics, threat intelligence
π Dashboards & ReportingReal-time visualization, compliance dashboards
π Incident Response IntegrationAutomated ticket creation, case management
# Example SIEM correlation rule
# Multiple failed logins followed by successful login
IF count(EventID 4625) > 5 FROM same_source_ip WITHIN 5 minutes
AND THEN EventID 4624 FROM same_source_ip WITHIN 1 minute
THEN ALERT "Possible brute force success" severity=HIGH
Compliance & Regulatory Alignment
π NIST SP 800-92Guide to Computer Security Log Management
π ISO/IEC 27001Sections A.12.4 (Logging) and A.12.4.3 (Admin logs)
π¦ PCI DSSRequirement 10: Track and monitor access
βοΈ HIPAAAudit controls, access logs, security incident monitoring
π GDPRLogging of personal data access, breach notification
π’ SOXIT control logging, change management audit trails
Implementation Checklist
Log Generation:
All systems configured for logging
Critical events identified per source
Time synchronization via NTP
Log Collection:
Centralized collection point (SIEM/syslog)
Secure transmission (TLS)
Real-time forwarding capability
Log Storage:
Write-once, append-only storage
Access controls and segregation
Integrity hashing and verification
Monitoring:
Alert rules defined and tested
Incident response integration
Continuous improvement process
Repository Structure
Guidelines-for-Auditing-and-Logging/
βββ cisg-2008-01-1.pdf # Original 2008 document
βββ guidelines/ # Updated guidelines (markdown)
βββ checklists/ # Implementation checklists
βββ templates/ # Audit plan templates
βββ examples/ # Sample log configurations
βββ README.md # Project overview
βββ cisg-2008-01-1.pdf # Original 2008 document
βββ guidelines/ # Updated guidelines (markdown)
βββ checklists/ # Implementation checklists
βββ templates/ # Audit plan templates
βββ examples/ # Sample log configurations
βββ README.md # Project overview
π This is an overview of the complete Guidelines for Auditing and Logging.
Access the Full Repository