Requirement text: AU.3.048: Collect audit information (e.g., logs) into one or more central repositories.
DISCUSSION FROM SOURCE: CMMC
Aggregate and store audit logs in a central location. Central repositories enable analysis by
storing audit record content needed for analysis in a common location and format. Storing
audit logs in central repositories also protects audit information. The repository has the
available infrastructure, capacity, and protection mechanisms to meet the organization’s
audit requirements. Policy and local laws may place requirements on the location and
structure of the repositories.
CMMC CLARIFICATION
Aggregate and store audit logs in a centralized location or locations within the organization.
Storing audit logs in a centralized location supports orchestration, automation, correlation,
and analysis activities by enabling a full picture of the audit logs, and can support automated
analysis capabilities including correlation of events across the enterprise. Ensure that the
central repository has the appropriate infrastructure, including protection mechanisms, and
the capacity level to meet the logging requirements of the organization.
Example
You are in charge of IT operations in your organization. Your responsibilities include
reviewing audit logs. You consolidate all audit logs in a common format and into a
centralized logging infrastructure that may consist of one or more servers. By doing this,
you enable centralized analysis of your audit logs. This increases situational awareness
across your network. In addition, you are able to better protect your audit logs by storing
them in one centralized location.
References
• CMMC
• CIS Controls v7.1 6.5
• CERT RMM v1.2 COMP:SG3.SP1
• NIST SP 800-53 Rev 4 AU-6(4)