
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.1

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.1

January 06, 2026 • 3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

Understanding the Requirement

This control requires that your organization identify which system and security events must be logged, generate those audit records reliably, define the required content of each record, and retain the logs long enough to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity. The objectives include specifying event types to capture, defining record content, ensuring records are created and contain the defined content, and establishing and following retention requirements. For SMBs following NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, this means having both policy and technical controls in place so logs are useful, available, and protected when you need to investigate an incident.

Technical Implementation

  • Define what to log and why — Create a written inventory of event types to capture (authentication successes/failures, privilege changes, logon/logoff, account creation/deletion, access to sensitive files or CUI, system/service crashes, configuration changes, remote access sessions). Map each event type to an investigation use case so you can justify log volume vs. usefulness.
  • Specify required audit record fields — Standardize log content: timestamp (ISO 8601, UTC), user or account identifier, source IP/hostname, destination/target object, process or application name, action taken, success/failure status, and a unique event ID. Ensure applications and systems record these fields or add contextual enrichment in your log pipeline.
  • Centralize collection and normalize logs — Forward logs to a central logging system (cloud SIEM, hosted log collector, or on-premises syslog server). Normalize formats (CEF, JSON) to make search, correlation, and forensic analysis practical. For Windows, enable Advanced Audit Policy and forward to a central collector; for Linux, configure auditd and rsyslog/syslog-ng.
  • Protect log integrity and access — Restrict who can configure, delete, or read logs using role-based access controls. Implement write-once (WORM) or append-only storage where feasible, and use checksums or hashing to detect tampering. Keep a separate backup or replica of critical logs off the primary network so they survive an attack that targets the logging infrastructure itself.
  • Define and implement retention and disposal — Create a retention policy that specifies retention periods by log type (e.g., authentication logs: 1 year; system change logs: 2 years) and the secure disposal process. Configure automated rotation and archival to meet retention while controlling storage costs; document legal or contractual retention requirements for CUI.
  • Operationalize monitoring and review — Implement alerting for high-risk events (multiple failed logins, privilege escalations, abnormal data access) and schedule regular log reviews and audits. Assign roles for who reviews alerts, investigates incidents, and approves retention changes; keep an audit trail of those reviews.
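As an added example (not code from the original article), the Python sketch below ties the steps above together: it stamps each record with the standard fields and rejects incomplete ones, stores records in a tamper-evident hash chain so an edited or deleted entry is detectable, and runs a repeated-failed-logon rule over the result. The raw event shape, field names and sample events are constructed assumptions, not any product's format.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

REQUIRED = ("timestamp", "user", "src_ip", "target", "process", "action", "outcome", "event_id")
GENESIS = "0" * 64  # link value for the first chained entry

def normalize(raw, event_id):
    """Stamp a raw collector event with a UTC ISO 8601 time and an id; reject incomplete records."""
    ts = datetime.fromtimestamp(raw["epoch"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rec = {**{k: v for k, v in raw.items() if k != "epoch"}, "timestamp": ts, "event_id": event_id}
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"{event_id} lacks required fields {missing}")
    return rec

def _link(prev, rec):  # hash binding this record's content to the previous entry's link
    return hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()

def append_chained(log, rec):
    """Append-only store: each entry carries a hash over the previous link plus its own content."""
    log.append(dict(rec, chain=_link(log[-1]["chain"] if log else GENESIS, rec)))

def verify_chain(log):
    """Recompute every link; return the index of the first altered or removed entry, -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if _link(prev, {k: v for k, v in entry.items() if k != "chain"}) != entry["chain"]:
            return i
        prev = entry["chain"]
    return -1

def failed_logon_alerts(log, threshold=3, window_s=300):
    """Return (user, src_ip) pairs with >= threshold failed logons inside any window_s-second span."""
    seen = defaultdict(list)
    for e in log:
        if e["action"] == "logon" and e["outcome"] == "failure":
            t = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            seen[(e["user"], e["src_ip"])].append(t.timestamp())
    return [k for k, ts in seen.items()
            if any(b - a <= window_s for a, b in zip(sorted(ts), sorted(ts)[threshold - 1:]))]

SAMPLE = [dict(epoch=1700000000 + d, user="alice", src_ip="10.0.0.7", target="fileserver01",
               process="sshd", action=a, outcome=o)  # constructed: 3 failures in 90 s, success, read
          for d, a, o in ((0, "logon", "failure"), (30, "logon", "failure"), (90, "logon", "failure"),
                          (200, "logon", "success"), (260, "read", "success"))]
LOG = []  # the normalized, chained audit trail built from SAMPLE in arrival order
for _i, _raw in enumerate(SAMPLE, start=1):
    append_chained(LOG, normalize(_raw, f"EV-{_i:06d}"))
```

In a real pipeline the chain head would be written to the off-network replica from the integrity step so an attacker who rewrites the primary store cannot also rewrite the reference link.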

Example in a Small or Medium Business

Alice is the IT manager at a 75-employee engineering firm that handles Controlled Unclassified Information (CUI). She starts by drafting a short audit logging policy that lists event types to capture and defines a 12-month retention baseline for authentication and access logs and 24 months for system change records. She uses DISA STIG recommendations as a checklist to enable relevant Windows 10 audit settings on all workstations and configures Linux servers to send auditd output to a central syslog collector hosted on an isolated virtual machine. Logs are normalized into JSON and stored in a cloud-hosted SIEM with role-based access; the SIEM enforces append-only storage and maintains a compressed backup in a separate account for additional protection. Alice creates alert rules for repeated failed logins, new admin account creation, and large file exports, and assigns two engineers to monitor alerts and triage incidents. When a suspicious remote access event occurs, the centralized logs give timestamps, originating IPs, user IDs, and the commands executed—enabling a fast containment and a documented investigation that references the retained logs.

Summary

Meeting AU.L2-3.3.1 requires both policy-level decisions (what to log, how long to keep it, who reviews it) and technical controls (system configuration, centralized collection, integrity protection, and automated retention). For SMBs, implementing standardized log content, centralizing logs, protecting access and integrity, and operationalizing monitoring and retention gives you the ability to detect, investigate, and report unauthorized activity while keeping costs and operational complexity manageable.
