CIS Control 8.2: Collect Audit Logs
Audit logs are the foundation of security monitoring and compliance investigations. CIS Control 8.2 requires your organization to systematically collect logs across all enterprise assets according to a defined audit log management process. Without comprehensive logging enabled, you lose visibility into security events, user activity, and potential breaches.
What this means
CIS Control 8.2 mandates that your organization establish and execute an audit log management process that dictates how, where, and what logs should be collected. This means enabling logging capabilities on all systems, applications, and network devices—then collecting those logs in a centralized location for monitoring, analysis, and retention. The control ensures you have the raw data needed to detect incidents, investigate security events, and prove compliance to auditors.
How to comply
- 1.Document your enterprise audit log management process, defining logging requirements by asset type and sensitivity level
- 2.Identify all enterprise assets (servers, workstations, network devices, applications, databases, cloud services)
- 3.Enable logging on each asset according to your documented process and compliance requirements
- 4.Verify logging is active by checking system logs, admin panels, and security monitoring tools
- 5.Configure log collection to send logs to a centralized repository (SIEM, log aggregation platform, or cloud service)
- 6.Establish a retention schedule and backup process for archived logs
- 7.Test and validate that logs are being collected and stored correctly across all assets
Evidence auditors look for
- Written audit log management policy detailing logging standards and requirements
- Inventory of all enterprise assets with logging enabled status
- Screenshots or reports showing logging enabled in system settings (Event Viewer, syslog, CloudTrail, etc.)
- SIEM dashboard or log aggregation platform showing logs from multiple sources
- Log retention and archival schedule documentation
- Audit trail reports from critical systems and applications
- Configuration files or screenshots proving centralized log collection is active
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers all enterprise assets, identifies which ones lack logging enabled, and generates evidence reports showing your audit log collection status across the entire environment—eliminating manual inventory work and compliance verification delays.
See how GRCWatch handles this control automatically
Start free trial