Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-2 – The cybersecurity requirements for event logs and monitoring management must be implemented.
Understanding the Requirement
This control requires that organizations implement a consistent, auditable program for activating, collecting, retaining and continuously monitoring cybersecurity event logs across their critical information assets. Using your asset register and risk register to define scope, you must enable logging for critical systems and privileged accounts, choose technologies and processes to collect and review those logs, designate a monitoring team (internal or outsourced), and retain logs for at least 12 months — including contractual guarantees when the SOC is provided by a third party. This post follows the Essential Cybersecurity Controls (ECC – 2 : 2024) guidance to keep the advice aligned with the framework’s intent.
Technical Implementation
- Scope and inventory: Start by mapping critical assets (servers, domain controllers, firewall, cloud workloads, VPN gateways, business apps) from your asset register and risk register. Document which assets require logging and what events you need (authentication successes/failures, privilege changes, remote access, configuration changes, application errors).
- Enable and standardize logging: Turn on built-in logs: Windows Event Logging (security, system, application), syslog on network devices, cloud audit logs (AWS CloudTrail, Azure Activity Log, GCP Audit), and application logs. Standardize log formats and timestamps (use UTC) and enable secure transport (TLS) where possible.
- Centralize collection: Deploy a central log collector or lightweight SIEM (commercial or open-source like Wazuh/Elastic, Splunk Light, or cloud-native logging) to receive logs via agents or syslog. Ensure logs are ingested reliably and configure parsing/indexing rules for key event types so you can search and alert quickly.
- Monitoring roles and workflows: Define who monitors logs and how (internal analyst, part-time IT owner, or managed SOC). Create alert rules for high-risk events (privileged account changes, repeated auth failures, remote access from unusual geolocations) and document triage/playbooks that assign response steps and escalation paths.
- Retention and integrity: Set a retention policy of at least 12 months and implement secure storage (WORM or access-controlled cloud buckets). Protect log integrity with access controls and hashing where feasible. If logs are processed by a third-party SOC, include the 12-month retention and integrity requirements in the contract and verify compliance periodically.
- Test, tune and review: Regularly test log generation (simulate events), validate collection and alerting, and tune alert thresholds to reduce noise. Schedule quarterly reviews of logging coverage against the asset register and perform annual audits to confirm retention, access controls, and contractual SLAs.
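The steps above describe three alert rules (repeated authentication failures, privileged account changes, remote access at unusual times) and recommend hashing to protect log integrity. The following is an added example, written for this page and not taken from the ECC guidance, the original post or any SIEM product: it runs those rules over a handful of constructed JSON-lines records and builds a SHA-256 hash chain that a reviewer can use to confirm retained records were not altered. The record schema (ts, event, user, src_ip, group, actor), the thresholds and every sample record are assumptions chosen for illustration; a real collector emits its own field names.

```python
"""Alert rules and a log-integrity hash chain over constructed sample events.

Added example, not code from the ECC guidance or the original post. The
record schema (ts, event, user, src_ip, group, actor) and every sample
record below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Constructed sample records in JSON-lines form, timestamps already in UTC.
SAMPLE_LOGS = [
    '{"ts": "2024-05-05T02:14:33Z", "event": "vpn_login", "user": "dave", "src_ip": "198.51.100.23"}',
    '{"ts": "2024-05-06T08:55:02Z", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T08:55:10Z", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T08:55:19Z", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T08:55:31Z", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T08:55:40Z", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T08:56:01Z", "event": "auth_success", "user": "alice", "src_ip": "203.0.113.7"}',
    '{"ts": "2024-05-06T09:12:44Z", "event": "group_member_added", "user": "bob", "group": "Domain Admins", "actor": "svc_helpdesk"}',
    '{"ts": "2024-05-06T09:15:00Z", "event": "group_member_added", "user": "carol", "group": "Sales", "actor": "hr_admin"}',
    '{"ts": "2024-05-06T10:02:11Z", "event": "vpn_login", "user": "erin", "src_ip": "198.51.100.45"}',
    '{"ts": "2024-05-06T11:00:00Z", "event": "auth_failure", "user": "frank", "src_ip": "192.0.2.9"}',
]

FAILED_LOGIN_THRESHOLD = 5                   # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this window (assumed values)
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
BUSINESS_HOURS = (8, 18)                     # 08:00-18:00 UTC, Monday to Friday


def parse_line(line):
    """Parse one JSON record and convert its timestamp to an aware UTC datetime."""
    record = json.loads(line)
    record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record


def during_business_hours(ts):
    """Weekday and within the configured hour range; everything else is 'unusual'."""
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def make_alert(rule, record, detail):
    return {"rule": rule, "ts": record["ts"].isoformat(), "user": record.get("user"), "detail": detail}


def run_rules(lines):
    """Apply the three high-risk rules to the records, oldest first, and return the alerts."""
    records = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of failures inside the window
    for r in records:
        if r["event"] == "auth_failure":
            window = recent_failures[r["src_ip"]]
            window.append(r["ts"])
            while r["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            # Fire once when the threshold is first crossed, not on every further failure.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(make_alert("repeated_auth_failures", r,
                              f"{len(window)} failures from {r['src_ip']} within {FAILED_LOGIN_WINDOW}"))
        elif r["event"] == "group_member_added" and r.get("group") in PRIVILEGED_GROUPS:
            alerts.append(make_alert("privileged_group_change", r,
                          f"{r['user']} added to {r['group']} by {r.get('actor')}"))
        elif r["event"] == "vpn_login" and not during_business_hours(r["ts"]):
            alerts.append(make_alert("remote_access_outside_hours", r,
                          f"VPN login from {r['src_ip']} outside business hours"))
    return alerts


def hash_chain(lines):
    """Chained SHA-256 over the raw lines; each digest commits to all earlier lines."""
    previous = "0" * 64
    digests = []
    for line in lines:
        previous = hashlib.sha256((previous + line).encode()).hexdigest()
        digests.append(previous)
    return digests


def verify_chain(lines, digests):
    """Return the index of the first altered or missing line, or None if the set is intact."""
    if len(lines) != len(digests):
        return min(len(lines), len(digests))
    previous = "0" * 64
    for index, (line, expected) in enumerate(zip(lines, digests)):
        previous = hashlib.sha256((previous + line).encode()).hexdigest()
        if previous != expected:
            return index
    return None


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(json.dumps(alert))
    digests = hash_chain(SAMPLE_LOGS)
    print("chain intact:", verify_chain(SAMPLE_LOGS, digests) is None)
```

On the sample set the engine raises exactly three alerts (the Sunday VPN login, the fifth failure from 203.0.113.7, and the Domain Admins addition) and stays quiet on the single failure from a different address and on the non-privileged group change, which is the kind of threshold tuning the "test, tune and review" step calls for. The hash chain is the simplest form of the integrity hashing mentioned under retention: digests published to a separate, access-controlled location let an auditor detect an edited or dropped record without trusting the log store itself.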
Example in a Small or Medium Business
A 60-employee managed services company uses a mix of cloud-hosted servers and on-premises network equipment. They started by updating their asset register to mark the file server, Active Directory, VPN concentrator and public web app as critical. The IT manager enabled Windows security auditing on domain controllers, configured syslog on the edge firewall, and turned on CloudTrail for their AWS accounts. They deployed a low-cost cloud SIEM service that collects logs via agents from servers and syslog from network devices. The company defined simple alert rules for repeated failed logins, new privileged account creations, and remote access outside normal business hours; the IT manager receives high-priority alerts and a part-time external MSSP reviews lower-priority events. Log retention was set to 12 months in an encrypted cloud bucket, and the retention period and search capability were written into the MSSP contract with monthly compliance checks. Every quarter they test log generation by simulating a failed login and review alerts together with the MSSP to adjust thresholds and improve coverage.
Summary
By combining clear policies (scope, retention, contractual requirements) with practical technical steps (enable logs on critical assets, centralize collection, secure storage, and defined monitoring/response roles), SMBs can meet the control’s requirement for event logs and monitoring management. Regular testing, tuning, and contractual oversight of service providers ensure logs remain reliable and available for detection, investigation, and compliance for the required 12‑month period.