Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires that an organization secure both the audit data (logs) and the tools that collect, store, and analyze those logs so that only authorized personnel can view, change, or remove them. Practically, that means preventing users from altering or deleting logs on endpoint systems, restricting access to centralized log repositories and SIEMs, ensuring integrity controls (so logs cannot be tampered with), and keeping recoverable backups so logs remain available even after system changes or incidents.
Technical Implementation
- Centralize log collection: Configure all servers, workstations, network devices, and cloud services to forward logs in near real time to a hardened syslog/SIEM collector. Use authenticated, encrypted transport (TLS, ideally mutual TLS with client certificates so the collector accepts events only from known senders and senders verify the collector's certificate). Changing the listening port does not protect the traffic; authentication and encryption do. Configure forwarders with a disk-backed queue so events are buffered locally rather than lost when the collector is unreachable.
- Remove local deletion capability: Revoke local admin privileges from standard users so they cannot stop logging services or clear local logs. Manage the remaining local administrator accounts with tooling such as Windows LAPS, which rotates and vaults the built-in local administrator password so it cannot be shared or reused across machines. Where local admin is required, enforce just-in-time elevation and audit those sessions. On Linux hosts, run auditd with its immutable flag (-e 2) so audit rules cannot be changed without a reboot.
- Restrict access with RBAC and MFA: Apply role-based access controls to the syslog/SIEM and log storage. Assign "log viewer" or "log admin" roles only to named personnel, require multi-factor authentication for access, and maintain an access approval workflow for new permissions. Keep collector and storage administration separate from the endpoint administrators whose actions the logs record.
- Protect log integrity and retention: Store logs on append-only or write-once media where possible, enable immutability or WORM features on backups, and implement cryptographic integrity checks so any modification is detectable. A plain hash stored beside the log is not enough, because whoever can edit the log can recompute the hash; use an HMAC or digital signature with the key held by the collector rather than the endpoint, or a hash chain whose latest value is periodically recorded off the system. Define and enforce retention policies based on business and compliance needs.
- Make backups and redundancy: Regularly back up centralized log stores to an off-site or logically separate location with its own access controls. Use immutable backups or cloud object storage with versioning and retention locks to prevent unauthorized deletion. Test restores periodically.
- Monitor and alert on log-tool tampering: Create SIEM rules or scheduled scripts that detect disabled logging agents (a host that goes silent), sudden drops in log volume, unexpected configuration changes to logging servers or agents, and explicit log-clearing events such as Windows Security event ID 1102 ("The audit log was cleared"). Route alerts to the security team and require documented supervision for any planned administrative maintenance that affects logging.
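The integrity point above is easier to see in code. The following is an added example, not part of the original page or any particular product: a tamper-evident log built as an HMAC hash chain, where each record's MAC covers the previous chain value, its sequence number and its message, so modification, deletion, reordering and truncation are all detectable. The key name, the sample events and the anchor handling are assumptions for illustration; the key is assumed to be held by the collector/SIEM, not by the endpoint whose actions are logged.

```python
import hashlib
import hmac

# Assumption: a key held by the collector, never readable on the endpoint.
DEMO_KEY = b"constructed-demo-key-keep-the-real-one-in-the-SIEM"
ZERO = b"\x00" * 32   # chain value before the first record

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z ws-042 sshd[812]: Accepted publickey for alice",
    "2024-05-01T08:02:13Z ws-042 sudo: alice : COMMAND=/usr/bin/systemctl status rsyslog",
    "2024-05-01T08:05:40Z ws-042 sshd[901]: FAILED password for root from 10.0.9.7",
    "2024-05-01T08:05:44Z ws-042 sshd[901]: FAILED password for root from 10.0.9.7",
    "2024-05-01T08:07:02Z ws-042 systemd[1]: Stopped System Logging Service.",
]


def chain_mac(key, prev_mac, seq, msg):
    """HMAC-SHA256 over (previous chain value || sequence number || message)."""
    data = prev_mac + seq.to_bytes(8, "big") + msg.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


class HashChainedLog:
    """Append-only log where every record is chained to its predecessor."""

    def __init__(self, key):
        self.key = key
        self.records = []        # each record: {"seq": int, "msg": str, "mac": hex}
        self.last_mac = ZERO

    def append(self, msg):
        seq = len(self.records)
        mac = chain_mac(self.key, self.last_mac, seq, msg)
        self.records.append({"seq": seq, "msg": msg, "mac": mac.hex()})
        self.last_mac = mac
        return self.records[-1]

    def anchor(self):
        """Latest chain value; store it off-box so truncation can be detected."""
        return self.last_mac.hex()


def verify_chain(key, records, anchor=None):
    """Recompute the chain; return (ok, reason)."""
    prev = ZERO
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"sequence gap or reorder at position {i} (seq {rec['seq']})"
        expected = chain_mac(key, prev, rec["seq"], rec["msg"])
        if not hmac.compare_digest(expected.hex(), rec["mac"]):
            return False, f"record {i} modified or chain broken"
        prev = expected
    if anchor is not None and not hmac.compare_digest(prev.hex(), anchor):
        return False, "log truncated: final chain value does not match stored anchor"
    return True, "ok"


def tamper_scenarios(key=DEMO_KEY):
    """Build the sample log, then check intact, modified, deleted and truncated copies."""
    log = HashChainedLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    anchor = log.anchor()

    modified = [dict(r) for r in log.records]            # attacker rewrites a failed login
    modified[2]["msg"] = modified[2]["msg"].replace("FAILED", "Accepted")
    deleted = log.records[:2] + log.records[3:]          # attacker removes one record
    truncated = log.records[:-1]                         # attacker drops the newest record

    return {
        "intact": verify_chain(key, log.records, anchor),
        "modified": verify_chain(key, modified, anchor),
        "deleted": verify_chain(key, deleted, anchor),
        "truncated": verify_chain(key, truncated, anchor),
        "truncated_no_anchor": verify_chain(key, truncated),   # why the anchor matters
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:20s} {result}")
```

The last scenario is the caveat: a chain that is simply cut short still verifies unless the latest chain value is recorded somewhere the log writer cannot reach (the SIEM, an immutable backup, a separate host). Likewise, if the endpoint holds the HMAC key, an administrator of that endpoint can rewrite history and re-chain it, which is why the key, or the signing step, belongs with the collector.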
Example in a Small or Medium Business
Acme Tech, a 120-person SMB handling controlled technical information, centralized all system and device logs to a dedicated syslog server running in a hardened VM on a separate management VLAN. The IT manager removed local administrative rights from standard user accounts and implemented just-in-time access for elevated tasks, so ordinary employees cannot stop or delete logs. All log traffic is forwarded over TLS to the syslog server and ingested into a cloud-hosted SIEM with role-based access; only two staff in the security team and one external auditor have log-view permissions. The company enabled immutability on nightly backups of the syslog store for 90 days and keeps an encrypted off-site copy for a year to meet retention needs. When system administrators perform maintenance that could affect logging, they schedule the work, request temporary elevated rights through the ticketing system, and are supervised by a security engineer who documents the session and its results. The SIEM alerts on sudden drops in log volume, on hosts that stop reporting, and on any changes to logging-agent configurations, which helps Acme detect tampering quickly and, when needed, restore logs from the immutable backups.
Summary
Protecting audit information and logging tools requires a mix of policy and technical controls: centralize and encrypt log collection, limit and control administrative access, enforce integrity and immutability on stored logs, maintain secure backups, and monitor for tampering. For SMBs these steps — combined with documented procedures for maintenance and access approvals — ensure logs remain accurate, available, and trustworthy for incident response, investigations, and compliance.