
How to Configure Centralized Logging and SIEM Integration to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-3

Step-by-step guidance for small businesses to implement centralized logging and SIEM integration that satisfy ECC 2-12-3, including architecture, secure transport, retention, and audit evidence.

April 12, 2026
5 min read


Control 2-12-3 of the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to collect, centralize, and retain security-relevant logs and to integrate them with a Security Information and Event Management (SIEM) solution so that suspicious activity can be detected, investigated, and reported. This post gives practical, step-by-step guidance tailored to the Compliance Framework for implementing a compliant, secure, and operational centralized logging and SIEM pipeline suitable for small businesses.

Understanding the Compliance Framework intent for Control 2-12-3

The Compliance Framework expects you to (1) identify which sources produce security-relevant logs, (2) centralize collection to prevent tampering and data loss, (3) ensure secure transport and integrity of logs, (4) retain logs for the timeframe required by policy, and (5) integrate logs with a SIEM that supports detection, alerting, and evidence generation. Practically, this means cataloging endpoints, servers, identity systems, cloud services, network devices, and security controls (firewalls, WAF, proxies), then sending those logs to a hardened collector and a monitored SIEM instance where retention, access, and integrity controls are enforced.

Designing a centralized logging architecture (practical details)

Start with a log-source inventory mapped to required fields (timestamp, host, username, event type, source IP, destination IP, process, outcome). For small businesses, an architecture often looks like: agents (Filebeat, Winlogbeat, NXLog, Auditbeat) → local log forwarder (rsyslog/syslog-ng or Beats) → secure transport (TCP+TLS) → central collector/log pipeline (Logstash, Fluentd) → SIEM (Elastic Stack, Splunk, QRadar, or cloud SIEM such as Azure Sentinel). Use secure ports: prefer syslog/TLS (RFC 5425) on 6514 or Beats to Logstash on 5044; Splunk HEC commonly uses 8088 with TLS. Ensure all hosts use NTP/chrony to keep timestamps consistent (critical for correlation and forensics).

Small-business example: 50-user company implementing ELK + cloud archive

Example implementation: deploy a small ELK cluster (2 data nodes, 1 master) in a private subnet; install Filebeat and Winlogbeat on endpoints and servers to ship logs to a Logstash endpoint over TLS (5044). Collect cloud logs (AWS CloudTrail, VPC Flow Logs, ALB logs) by forwarding CloudWatch Logs to a Kinesis Firehose that writes to an S3 bucket; configure a periodic job to index S3 objects into Elasticsearch or store cold archives. Define retention: hot indices stored for 90 days, warm for 1 year, and cold archive on S3 for 3 years using lifecycle policies and S3 Object Lock if immutability is required by the Compliance Framework. Use Elastic Common Schema (ECS) for normalization to simplify detection rules.

SIEM integration, detection tuning, and pragmatic alerting

Integrate normalized events into SIEM and create prioritized detection rules mapped to ECC control objectives (e.g., credential compromise, lateral movement, data exfiltration). Example rules: (a) more than 10 failed logins from a single IP across multiple user accounts within 5 minutes; (b) a successful admin login from a new geo-location followed by privileged activity within 10 minutes; (c) large outbound transfers from a server that doesn't normally send data offsite. Start with low-sensitivity rules to avoid alert fatigue, track false positives for 30 days, then tune threshold and context enrichment (asset classification, user risk score). Create alert workflows: SIEM alert → ticket in ITSM (e.g., Jira/ServiceNow) → assigned analyst → run automated triage playbook that collects relevant logs and snapshots.
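Example rule (a) above, implemented as a sliding-window detector over ECS-style events. This is an added illustration, not code from the post or from any SIEM product; the events are constructed, the field names follow ECS (`source.ip`, `user.name`, `event.outcome`), and the thresholds are the rule's own (more than 10 failures, at least two accounts, 5-minute window).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=5)
THRESHOLD = 10      # rule says "more than 10", so strictly greater
MIN_ACCOUNTS = 2    # "across multiple user accounts"


def make_events(ip, users, start, step_seconds, count, outcome="failure"):
    """Build constructed ECS-like authentication events (sample data, not real logs)."""
    return [{"@timestamp": (start + timedelta(seconds=i * step_seconds)).strftime(FMT),
             "source.ip": ip, "user.name": users[i % len(users)], "event.outcome": outcome}
            for i in range(count)]


START = datetime.strptime("2026-04-12T09:00:00Z", FMT)
SAMPLE_EVENTS = (
    make_events("203.0.113.5", ["alice", "bob", "carol", "dave"], START, 10, 12)  # spray: 12 fails/110 s
    + make_events("198.51.100.7", ["bob"], START, 5, 15)                          # single account only
    + make_events("192.0.2.9", ["alice", "bob"], START, 60, 12)                   # too slow for window
)


def detect_password_spray(events, window=WINDOW, threshold=THRESHOLD, min_accounts=MIN_ACCOUNTS):
    """Return one alert per burst of >threshold failures from one IP against >=min_accounts users."""
    recent = defaultdict(deque)   # source.ip -> (timestamp, user) failures inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):   # fixed-width ISO, so string sort is safe
        if ev.get("event.outcome") != "failure":
            continue                                           # successes never count toward the rule
        ts = datetime.strptime(ev["@timestamp"], FMT)
        q = recent[ev["source.ip"]]
        q.append((ts, ev["user.name"]))
        while q and q[0][0] < ts - window:                     # evict failures older than the window
            q.popleft()
        accounts = {user for _, user in q}
        if len(q) > threshold and len(accounts) >= min_accounts:
            alerts.append({"source.ip": ev["source.ip"], "at": ev["@timestamp"],
                           "failures": len(q), "accounts": sorted(accounts)})
            q.clear()   # reset so one burst raises one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The single-account brute force from 198.51.100.7 is deliberately not matched: it belongs to a separate rule, which is the kind of distinction that keeps the 30-day false-positive review manageable.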

Security, integrity, and retention: implementation specifics

Three things are essential: TLS for in-transit protection, authenticated (attested) agents so that only known forwarders can submit logs, and access controls on the SIEM UI. Configure mutual TLS between agents and collectors where possible and restrict collector endpoints with firewall rules and VPN/PrivateLink for cloud integrations. Encrypt logs at rest (e.g., EBS/EFS encryption, Elasticsearch encryption at rest). For log integrity and non-repudiation, enable write-once storage (S3 Object Lock or WORM-capable storage), keep cryptographic hashes (HMAC-SHA256) of log files, with the HMAC key and the hashes both stored separately from the logs themselves, and record those hashes in an append-only ledger or secure vault to prove tamper-free preservation. Define retention in policy aligned to the Compliance Framework (a common pattern is 90 days searchable, 1 year online, 3 years archived) and automate lifecycle transitions and deletion so that compliance can be demonstrated to auditors.
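The HMAC-plus-ledger idea from this section, worked through as an added example (not code from the post): each rotated log file gets an HMAC-SHA256 under a key that is assumed to live in a vault, and each ledger entry commits to the previous entry's digest so that deleting or rewriting an entry is detectable. The log contents and the key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample of two rotated log files held in memory (not real logs).
LOG_FILES = {
    "auth.log-20260411": b"Apr 11 09:00:01 dc01 sshd[412]: Failed password for alice from 203.0.113.5\n",
    "auth.log-20260412": b"Apr 12 08:15:22 dc01 sshd[919]: Accepted publickey for svc-backup from 10.0.0.8\n",
}
# Assumed: the key is fetched from a vault/HSM at run time and never stored next to the logs.
LEDGER_KEY = b"constructed-demo-key-replace-with-vault-secret"
GENESIS = "0" * 64


def file_hmac(key, data):
    """HMAC-SHA256 of a log file's bytes, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def entry_digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding the digest field itself."""
    body = {k: v for k, v in entry.items() if k != "entry_digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_ledger(key, files):
    """Append-only hash chain: every entry records the digest of the entry before it."""
    ledger = []
    for name in sorted(files):
        prev = ledger[-1]["entry_digest"] if ledger else GENESIS
        entry = {"file": name, "size": len(files[name]), "hmac": file_hmac(key, files[name]), "prev": prev}
        entry["entry_digest"] = entry_digest(entry)
        ledger.append(entry)
    return ledger


def verify(ledger, key, files):
    """Return a list of problems; an empty list means chain intact and every file unmodified."""
    problems, prev = [], GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or entry_digest(e) != e["entry_digest"]:
            problems.append(f"ledger entry {i} ({e['file']}): chain broken")
        prev = e["entry_digest"]
        data = files.get(e["file"])
        if data is None:
            problems.append(f"{e['file']}: missing")
        elif not hmac.compare_digest(file_hmac(key, data), e["hmac"]):
            problems.append(f"{e['file']}: content does not match recorded HMAC")
    return problems
```

Run `verify` from a host that holds the key but not write access to the archive, and keep the ledger itself on WORM storage; the chain only proves what was recorded, so the point is that nobody can silently rewrite the record.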

Operationalizing compliance: monitoring, evidence, and incident response

Operational controls required by the Compliance Framework include health checks for log collectors (log volume metrics, forwarder heartbeat), automated alerts on collection failures, and periodic audit reports proving coverage. Maintain an evidence pack with (1) the log source inventory and its mapping to control objectives, (2) sample collector configuration files (rsyslog/ntp/Filebeat configs), (3) retention and lifecycle policies, (4) documented detection rules and their tuning history, and (5) incident playbooks plus the record of a recent tabletop exercise or real incident, with timestamps showing log-assisted detection. For small businesses, schedule quarterly validation exercises: simulate failed log forwarding, rotate TLS certs, and run a mock incident to show that SIEM alerts trigger and ticketing works.
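A collector health check of the kind described above, as an added example that is not from the post or from any SIEM product: it compares the log-source inventory against per-host statistics (last event seen and hourly volume versus baseline) and flags sources that are absent, silent, or sending far less than usual. The inventory, statistics, thresholds and clock value are constructed; in practice the statistics come from a SIEM aggregation query.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed: hosts from the log-source inventory that are expected to report.
INVENTORY = ["dc01", "fw01", "web01", "hr-laptop-07"]

# Constructed: what an aggregation over the SIEM index might return for the last hour.
STATS = {
    "dc01":  {"last_seen": "2026-04-12T09:58:00Z", "events_last_hour": 4200, "baseline_hour": 4000},
    "fw01":  {"last_seen": "2026-04-12T09:59:30Z", "events_last_hour": 300,  "baseline_hour": 9000},
    "web01": {"last_seen": "2026-04-12T07:10:00Z", "events_last_hour": 0,    "baseline_hour": 1200},
}
NOW = datetime.strptime("2026-04-12T10:00:00Z", FMT)   # constructed evaluation time


def collection_health(inventory, stats, now, silence=timedelta(minutes=15), drop_ratio=0.5):
    """Return (host, finding) pairs for every inventoried source that is not reporting normally.

    silence:    how long a source may go without any event before it is flagged (heartbeat gap)
    drop_ratio: flag when the last hour carries less than this fraction of the baseline volume
    """
    findings = []
    for host in inventory:
        s = stats.get(host)
        if s is None:
            findings.append((host, "never_seen"))        # inventoried but no agent output at all
            continue
        age = now - datetime.strptime(s["last_seen"], FMT)
        if age > silence:
            findings.append((host, f"silent_for_{int(age.total_seconds() // 60)}m"))
        elif s["baseline_hour"] and s["events_last_hour"] < drop_ratio * s["baseline_hour"]:
            findings.append((host, "volume_drop"))       # still alive, but most of its logs are missing
    return findings


if __name__ == "__main__":
    for host, finding in collection_health(INVENTORY, STATS, NOW):
        print(f"{host}: {finding}")
```

The volume-drop case is the one that heartbeat-only monitoring misses: fw01 still reports, but at 300 events against a 9000 baseline something upstream (a filter, a rotated certificate, a broken input) has quietly cut most of its coverage.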

Risks of not implementing Control 2-12-3 correctly

Without centralized logging and SIEM integration you risk blind spots—failed detection of credential abuse, delayed or missed incident response, inability to perform accurate forensics, and inability to produce audit evidence for compliance assessments. Operationally this leads to longer dwell times for attackers, increased recovery costs, potential regulatory penalties for failing to retain or protect logs, and reputational damage. Technical impacts include fragmented logs across systems, inconsistent timestamps (if NTP is not enforced), and poor correlational detection due to missing normalization or enrichment.

Summary: to meet ECC Control 2-12-3 under the Compliance Framework, catalog and prioritize log sources, deploy secure agents and collectors, normalize and forward logs to a hardened SIEM, implement retention and integrity controls (TLS, encryption, WORM/archival), tune detection rules to reduce false positives, and operationalize evidence collection for audits. For small businesses, start lean with Beats + managed SIEM or a small ELK cluster, automate retention and health checks, and run periodic tests; these practical steps yield demonstrable compliance and greatly reduce detection and response risk.
