Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.6 – Provide audit record reduction and report generation to support on-demand analysis and reporting.
Understanding the Requirement
This control requires your organization to take raw audit records (system and security logs) and turn them into reduced, focused datasets and on-demand reports that support rapid analysis. In practice you must be able to filter, normalize and present logs so analysts can quickly find security-relevant events, and generate reports or dashboards whenever needed. This is part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and typically implemented with a SIEM or log-management capability that supports event reduction and report generation.
Technical Implementation
- Choose a suitable SIEM or log-management solution (managed or self-hosted). For SMBs consider cloud/SaaS SIEM or lightweight open-source stacks (e.g., Elastic + Beats, Wazuh, or a managed service) to avoid heavy upfront infrastructure and staffing costs. Ensure it accepts inputs from your Syslog server and endpoint/agent feeds.
- Define log sources and baselines. Inventory what systems produce logs (servers, firewalls, VPN, endpoints, cloud services). Prioritize security-relevant logs (authentication, privilege changes, firewall denies, process execution) so reduction focuses on meaningful events.
- Implement log collection and normalization. Configure agents and your Syslog server to forward logs to the SIEM. Use parsers or normalization rules so events use consistent fields (timestamp, host, user, event_type, severity); this enables reliable filtering and correlation.
- Create reduction rules and filters. Build SIEM rules to filter out low-value noise (routine informational events) and tag or escalate events that match risk criteria (multiple failed logins, privilege escalations, unusual network connections). Use aggregation to collapse repetitive identical events into counts rather than streaming identical lines.
- Design dashboards, saved searches and on-demand reports. Create dashboards for common analyst needs (authentication activity, firewall exceptions, endpoint alerts). Create parameterized report templates (by date, host, user) that can be run on-demand and exported in PDF/CSV for incident response or management reporting.
- Automate alerts and validate workflows. Configure alerts for high-priority events (e.g., repeated failed logins, data exfiltration indicators) and ensure alerts generate tickets or notify the right staff. Regularly test report generation, drill-downs, and the accuracy of reduction rules; tune thresholds to reduce false positives.
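The reduction pipeline the steps above describe, as an added illustrative example that is not part of this guidance or of any SIEM product: it normalizes constructed syslog-style lines into the consistent fields listed above, collapses informational noise into per-host counts, escalates a user who exceeds a failed-login threshold, and produces an on-demand report filtered by user and/or host. The log lines, rule patterns, field names and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (not real logs): DHCP noise, repeated failed logins, and a privileged account creation.
RAW_LOGS = """\
2024-05-01T08:00:01 fw01 dhcpd: DHCPACK on 10.0.0.12 to aa:bb:cc:dd:ee:01
2024-05-01T08:00:05 fw01 dhcpd: DHCPACK on 10.0.0.13 to aa:bb:cc:dd:ee:02
2024-05-01T08:01:10 srv01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T08:01:12 srv01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T08:01:15 srv01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T08:01:20 srv01 sshd: Accepted password for alice from 203.0.113.9
2024-05-01T08:02:00 srv01 sudo: bob : COMMAND=/usr/sbin/useradd eve
"""

LINE_RE = re.compile(r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
# Assumed normalization rules: (program, message pattern, event_type, severity); a "user" group fills the user field.
RULES = [
    ("sshd", r"Failed password for (?P<user>\S+)", "auth_failure", "warning"),
    ("sshd", r"Accepted password for (?P<user>\S+)", "auth_success", "info"),
    ("sudo", r"^(?P<user>\S+) : .*COMMAND=/usr/sbin/useradd", "privilege_change", "high"),
    ("dhcpd", r"DHCPACK", "dhcp_ack", "info"),
]
FAILED_LOGIN_THRESHOLD = 3  # tune to the environment's false-positive tolerance

def normalize(line):
    """Map one raw line onto consistent fields; unmatched messages stay 'unclassified'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"timestamp": m["timestamp"], "host": m["host"], "user": None,
             "event_type": "unclassified", "severity": "info", "msg": m["msg"]}
    for prog, pattern, event_type, severity in RULES:
        hit = re.search(pattern, m["msg"]) if m["prog"] == prog else None
        if hit:
            event.update(user=hit.groupdict().get("user"), event_type=event_type, severity=severity)
            break
    return event

def reduce_events(raw):
    """Keep non-info events, collapse info-level noise to per-host counts, escalate risk patterns."""
    events = [e for e in (normalize(line) for line in raw.splitlines()) if e]
    kept = [e for e in events if e["severity"] != "info"]
    noise = Counter((e["host"], e["event_type"]) for e in events if e["severity"] == "info")
    fails = Counter((e["host"], e["user"]) for e in kept if e["event_type"] == "auth_failure")
    escalations = [(h, u, n) for (h, u), n in fails.items() if n >= FAILED_LOGIN_THRESHOLD]
    return kept, noise, escalations

def report(events, user=None, host=None):
    """On-demand report: filter reduced events by user and/or host."""
    return [e for e in events if user in (None, e["user"]) and host in (None, e["host"])]
```

In a real deployment the same three stages (normalize, reduce with counts, filtered report) live in the SIEM's parsers, aggregation rules and saved searches; the point of the example is that each stage is a testable rule whose thresholds you can tune.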
Example in a Small or Medium Business
An SMB with 75 employees deploys a cloud SIEM service and forwards logs from its Syslog server, endpoints, cloud apps, and perimeter firewall. The IT manager catalogs log sources and works with the outsourced security provider to normalize fields so events are searchable across systems. They create reduction rules that filter out routine information-level events and consolidate repeated DHCP or keepalive messages into summarized counts. Dashboards are built showing failed logins, new administrative accounts, and unusual outbound connections, and a weekly executive report is templated to include these metrics. When a suspicious login pattern occurs, the on-call admin runs an on-demand report filtered to the user and host, then pivots to related events using the SIEM’s correlation and timeline features. Alerts are set to create a ticket in their helpdesk when a threshold is exceeded, ensuring timely follow-up. Over time they tune filters to reduce noise and keep dashboards relevant to incident detection.
Summary
Implementing AU.L2-3.3.6 means having a log pipeline that not only collects but reduces and presents audit records so analysts can quickly act. For SMBs this is best achieved by a practical SIEM/log-management choice, clear inventory and normalization of log sources, targeted reduction/filter rules, and reusable dashboards and report templates that can be run on-demand. Combine those technical measures with routine tuning, testing, and defined alert-to-response processes so your organization can detect and respond to incidents efficiently while meeting the control’s objective.