CIS Controls 8.5: Collect Detailed Audit Logs
Detailed audit logs are your forensic lifeline—they capture who accessed what, when, and from where across systems holding sensitive data. CIS Control 8.5 mandates comprehensive logging that transforms raw system events into investigative evidence. Without it, you're flying blind during incidents and failing compliance audits.
What this means
CIS 8.5 requires you to configure logging on enterprise assets that store, process, or transmit sensitive data. These logs must capture event source, date, username, timestamp, source IP addresses, destination IP addresses, and other contextual details useful for forensic analysis. The goal is creating an immutable audit trail that enables you to reconstruct user actions and system behavior during security investigations or compliance reviews.
How to comply
- 1.Identify all enterprise assets containing or accessing sensitive data (databases, file servers, applications, endpoints)
- 2.Configure logging at the OS, application, and network levels to capture detailed events
- 3.Ensure logs include event source, date, username, timestamp, source IP, destination IP, action performed, and outcome
- 4.Configure centralized log aggregation to collect logs from all sources into a single system of record
- 5.Set appropriate retention periods (typically 90 days minimum, longer for regulated industries)
- 6.Implement log integrity controls to prevent tampering or deletion
- 7.Document logging configuration and retention policies in your audit evidence repository
- 8.Review logs regularly for suspicious activity and correlate events across systems
Evidence auditors look for
- Screenshot of centralized logging configuration (Splunk, ELK, Azure Monitor, etc.) showing log sources
- Log sample output demonstrating all required fields captured (user, timestamp, source IP, action, result)
- Documentation of logging retention policy and justification for retention period
- Audit log showing access to sensitive data with user identity and timestamps
- Configuration screenshot of log aggregation tool with active data collection from servers
- Change log showing when logging was enabled and configured across enterprise assets
- Policy document detailing audit logging requirements and standards
- Alert configuration showing automated detection of log deletion or tampering attempts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically integrates with your existing logging infrastructure to aggregate, normalize, and evidence audit logs across all systems, eliminating manual log collection and creating audit-ready proof of CIS 8.5 compliance in minutes.
See how GRCWatch handles this control automatically
Start free trial