8.3 Ensure Adequate Audit Log Storage

Implementation Groups: IG1, IG2, IG3

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Protect

Description

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
10. Draft policy/procedure document
11. Obtain stakeholder review and approval
12. Communicate to affected personnel
13. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Log Data Loss from Storage Exhaustion

Integrity

Critical audit log data is silently overwritten or discarded when logging destinations run out of storage, destroying evidence of ongoing attacks or compliance-required records during the exact periods when they are most needed.

Denial of Logging via Storage Flooding Attack

Availability

Attackers intentionally generate massive volumes of log entries to exhaust available storage, causing legitimate audit events to be dropped and creating a window of unmonitored activity for their actual malicious operations.

Vulnerabilities (When Safeguard Absent)

No Storage Capacity Monitoring for Log Destinations

Log storage volumes are not monitored for capacity, and no alerts fire when storage approaches capacity thresholds, resulting in silent log loss when disks fill up during high-activity periods or attacks.

Undersized Log Storage Without Retention Alignment

Log storage capacity is insufficient to retain logs for the period defined by the organization's retention policy, forcing either premature log deletion or logging failures that compromise both compliance and forensic capability.
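The two vulnerabilities above reduce to measurable conditions: a log volume crossing a capacity threshold without an alert, and a volume that cannot hold the number of days the retention policy requires at the current ingest rate. The following is an added example, not part of the CIS safeguard text; the volume names, sizes, ingest rates and threshold percentages are constructed for illustration, and in practice the capacity and used figures would come from the logging host (for example the output of df) and the ingest rate from SIEM or log-rotation statistics.

```python
from dataclasses import dataclass


@dataclass
class LogVolume:
    """One logging destination (constructed sample; not from the page)."""
    name: str
    capacity_bytes: int
    used_bytes: int
    daily_ingest_bytes: int  # average bytes of new log data written per day


def days_until_full(v: LogVolume) -> float:
    """Days of headroom left at the current ingest rate (inf if nothing is written)."""
    free = max(v.capacity_bytes - v.used_bytes, 0)
    return float("inf") if v.daily_ingest_bytes <= 0 else free / v.daily_ingest_bytes


def days_retainable(v: LogVolume) -> float:
    """Days of logs the whole volume can hold at the current ingest rate."""
    return float("inf") if v.daily_ingest_bytes <= 0 else v.capacity_bytes / v.daily_ingest_bytes


def assess(v: LogVolume, retention_days: int, warn_pct: float = 80.0,
           crit_pct: float = 90.0, min_headroom_days: float = 7.0) -> dict:
    """Check a volume for the two conditions this safeguard guards against:
    approaching capacity with no alert, and being undersized for the retention policy."""
    used_pct = 100.0 * v.used_bytes / v.capacity_bytes
    headroom = days_until_full(v)
    holds = days_retainable(v)
    findings = []
    if used_pct >= crit_pct:
        findings.append(f"{v.name}: {used_pct:.1f}% used, above critical threshold {crit_pct:.0f}%")
    elif used_pct >= warn_pct:
        findings.append(f"{v.name}: {used_pct:.1f}% used, above warning threshold {warn_pct:.0f}%")
    if headroom < min_headroom_days:
        findings.append(f"{v.name}: only {headroom:.1f} days until full at current ingest rate")
    if holds < retention_days:
        findings.append(f"{v.name}: undersized, holds {holds:.0f} days but policy requires {retention_days}")
    # Undersized storage is a policy failure regardless of how full the disk is today.
    status = "critical" if used_pct >= crit_pct or holds < retention_days else ("warning" if findings else "ok")
    return {"volume": v.name, "status": status, "used_pct": used_pct,
            "days_until_full": headroom, "days_retainable": holds, "findings": findings}


if __name__ == "__main__":
    # Constructed fleet: 90-day retention policy, 10 GB/day ingest on each volume.
    fleet = [LogVolume("siem-hot", 1_000_000_000_000, 850_000_000_000, 10_000_000_000),
             LogVolume("syslog-collector", 500_000_000_000, 460_000_000_000, 10_000_000_000),
             LogVolume("archive", 2_000_000_000_000, 200_000_000_000, 10_000_000_000)]
    for vol in fleet:
        result = assess(vol, retention_days=90)
        print(result["status"].upper(), result["volume"], *result["findings"], sep="\n  ")
```

The same assessment can be scheduled to run against every logging destination and feed the findings into the alerting channel used for capacity thresholds; the record of its runs also serves as evidence that storage is monitored against the retention policy.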

Evidence Requirements

Type      | Evidence Item                                                           | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Technical | SIEM dashboard showing log sources and collection status                 | Captured monthly
Record    | Log review records and findings                                          | Per review cycle
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually