
What are audit logging requirements and why are they important?

Audit logging and accountability are fundamental security controls throughout CPCSC requirements, particularly at Level 2 where comprehensive logging requirements enable detection of security incidents, support forensic investigation, deter malicious activity, and provide evidence of compliance with security policies. Understanding logging requirements helps executives appreciate the operational capabilities needed and the security value logging provides.

Answer

Audit logging requirements enable security incident detection, forensic investigation, malicious activity deterrence, and compliance evidence demonstration.

ITSP.10.171 Audit and Accountability Requirements

The Audit and Accountability family in ITSP.10.171 includes multiple detailed requirements that organizations must implement to maintain comprehensive logging capabilities.

  • Determine event types selected for logging within the system and review and update this selection at defined frequency
  • Generate audit records for selected event types that include date and time of events, identity of individuals/subjects/objects/entities involved, source of events, and outcome of events
  • Retain audit records for time periods consistent with records retention policies
  • Alert personnel or roles within defined time periods in the event of audit logging process failures and take additional defined actions
  • Review and analyze system audit records at defined frequency for indications and potential impact of inappropriate or unusual activity and report findings to designated personnel or roles
  • Implement audit record reduction and report generation capabilities that support review, analysis, and after-the-fact investigations
  • Use internal system clocks to generate time stamps for audit records that meet the defined granularity, recorded in Coordinated Universal Time (UTC) or in local time with a fixed offset from UTC
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion, and authorize access to management of audit logging functionality to only a subset of privileged users or roles

Why Audit Logging Matters

Comprehensive audit logging serves multiple critical security functions.

  • Incident detection uses log analysis to identify suspicious patterns, anomalous activities, or indicators of compromise that signal potential security incidents requiring investigation and response
  • Forensic investigation relies on historical log data to reconstruct events after incidents, determine what happened, how adversaries gained access, what actions they took, what information was accessed or exfiltrated, and what remediation is needed
  • Deterrence occurs when users know their actions are logged and can be reviewed, discouraging malicious insiders or careless behavior
  • Accountability enables attribution of actions to specific individuals, creating responsibility and enabling consequences for policy violations
  • Compliance demonstration through logs provides evidence to auditors and assessors that security controls are implemented and effective
  • Troubleshooting uses logs to diagnose operational issues, performance problems, and system errors

Without comprehensive logging, organizations operate blind. Incidents may occur undetected, forensic investigation after breaches is impossible, and proving compliance becomes difficult.

What Should Be Logged

Organizations should log security-relevant events comprehensively.

  • Authentication events including successful and failed logons, logoffs, account lockouts, password changes, and authentication mechanism changes provide visibility into access patterns and potential credential compromise
  • Access to specified information including file opens, modifications, deletions, and permission changes enables tracking who accessed what sensitive data when
  • Privileged actions by administrative users including configuration changes, security setting modifications, user account changes, and policy updates require heightened logging given their potential impact
  • Security event detections from firewalls, intrusion detection systems, antivirus, and other security tools alert on threats and attacks
  • System events like system startups and shutdowns, service starts and stops, application errors, and system errors may indicate issues
  • Network connections including successful and blocked connection attempts, data transfers, and VPN connections provide network activity visibility
  • Data exports or large file transfers may indicate exfiltration attempts

The specific events to log depend on organizational risk assessment, but comprehensive logging across these categories enables effective monitoring and investigation.

Centralized Log Management

Collecting logs from individual systems is insufficient for effective analysis. Logs must be aggregated centrally.

Security Information and Event Management (SIEM) systems collect logs from throughout the environment, normalize log formats from diverse sources for correlation, provide real-time analysis and alerting on suspicious patterns, enable searching and investigation across all log sources, and generate reports and dashboards for compliance and management visibility. Log aggregation platforms like Splunk, Elastic Stack, or open-source alternatives provide similar capabilities.

Centralized logging serves multiple purposes.

  • Correlation of events across systems, detecting attacks that span multiple systems
  • Prevention of log tampering, since attackers cannot easily delete logs from the central repository
  • Survival of system failures, since logs are preserved even if source systems fail or are destroyed
  • Efficient analysis through a single interface for investigating across all systems
  • Satisfaction of compliance requirements for log retention and protection

For CPCSC Level 2, centralized log management is effectively mandatory given the requirements for log analysis, correlation, and protection.

Log Retention Requirements

ITSP.10.171 requires retaining audit records for time periods consistent with records retention policies, leaving specific periods to organizational determination. However, multiple considerations drive retention periods.

  • Incident investigation benefits from long retention since breaches often are not discovered immediately. The longer the retention, the more historical visibility is available for forensic analysis
  • Regulatory and legal requirements may specify minimum retention periods (for example, privacy laws require retaining information used for administrative decisions for at least two years)
  • Contractual obligations may specify log retention periods for contracts involving specified information
  • Best practices in the security community generally recommend at least 90 days of immediately accessible logs with longer-term archival storage for 1-2 years or more

Longer retention provides greater security value but increases storage costs. Organizations should formally define and document their retention policies, considering these factors and their specific risk profile and contractual obligations.

Protecting Log Integrity

Audit logs are valuable security evidence and attractive targets for adversaries seeking to hide their tracks. Protection measures include access controls that limit viewing, modification, or deletion of logs to designated security and audit personnel, as well as the following:

  • Write-once storage or immutable logging prevents modification of logs once written
  • Cryptographic integrity checking detects any tampering attempts by validating digital signatures or hashes
  • Physical and logical separation stores logs on separate systems from the systems being logged, making it harder for attackers who compromise one system to reach its logs
  • Encryption protects sensitive information in logs during storage and transmission
  • Automated alerting notifies security teams of attempts to access, modify, or delete logs

These protections ensure logs remain reliable evidence that has not been tampered with by adversaries or malicious insiders.
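
As an added example (not code from this page or from Plurilock), the following Python builds audit records carrying the content fields named in the ITSP.10.171 requirements above (UTC date and time, identity of subject and object, source, outcome) and chains each record to its predecessor with an HMAC, so that editing, deleting, or reordering any record is detected at verification time, which is the cryptographic integrity check described in this section. The signing key, event names, and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed key for this example only; in a real deployment it lives in a KMS/HSM
# reachable by the log collector, not on the systems being logged.
SIGNING_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record

def _mac(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the MAC is stable across writers
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()

def make_record(prev_mac: str, event_type: str, subject: str, obj: str,
                source: str, outcome: str, ts: Optional[datetime] = None) -> dict:
    """One audit record: UTC time, subject/object identity, source, outcome, chain link."""
    ts = ts or datetime.now(timezone.utc)
    rec = {
        "timestamp": ts.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "event_type": event_type, "subject": subject, "object": obj,
        "source": source, "outcome": outcome, "prev": prev_mac,
    }
    rec["mac"] = _mac(rec)
    return rec

def verify_chain(records: List[dict]) -> Optional[int]:
    """Index of the first record whose MAC or chain link is wrong; None if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), rec.get("mac", "")):
            return i  # modified, deleted, or reordered record surfaces here
        prev = rec["mac"]
    return None

def sample_log() -> List[dict]:
    """Three constructed events with a fixed timestamp so results are reproducible."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    log, prev = [], GENESIS
    for et, subj, obj, src, out in [
        ("logon", "jdoe", "fileserver01", "10.0.0.5", "failure"),
        ("logon", "jdoe", "fileserver01", "10.0.0.5", "success"),
        ("file_delete", "jdoe", "/data/contract.docx", "10.0.0.5", "success"),
    ]:
        log.append(make_record(prev, et, subj, obj, src, out, t0))
        prev = log[-1]["mac"]
    return log
```

Rewriting the first failed logon as a success, removing the middle record, or swapping two records all cause `verify_chain` to report the offending index, which is the alert condition a central collector should raise.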

Log Analysis and Monitoring

Collecting logs is insufficient. They must be actively analyzed.

  • Real-time monitoring uses SIEM correlation rules to detect suspicious patterns and alert security teams immediately for high-priority threats
  • Periodic review involves security analysts regularly examining logs for anomalies, trends, or indicators that automated rules might miss
  • Threat hunting proactively searches logs for indicators of compromise or suspicious activities that have not triggered alerts, assuming breach and looking for evidence of advanced persistent threats
  • Incident investigation uses detailed log analysis to reconstruct incident timelines, determine scope, and guide response efforts
  • Compliance reporting generates regular reports demonstrating logging coverage, retention compliance, and incident detection for management and auditors
  • Trend analysis over time identifies patterns, baselines normal activity, and detects gradual changes that might indicate emerging threats

The frequency and depth of analysis should be proportional to risk, with systems handling specified information receiving more intensive monitoring than lower-risk systems.
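
As an added example (not code from this page or from Plurilock), the following Python shows the kind of real-time correlation rule described above, applied to the authentication events listed under What Should Be Logged: a run of failed logons for one user and source followed by a success, the pattern left when password guessing finally lands. The line format, thresholds, and sample lines are constructed for illustration; a SIEM would normalize real sources to similar fields before correlating.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format for this example (time, source, identity, outcome)
LINE = re.compile(r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\w+)$")

def parse(line: str):
    """Return (timestamp, source, user, outcome) or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["outcome"]

def correlate(lines, threshold: int = 3, window_s: int = 300):
    """Alert when `threshold` failures for one (user, source) within `window_s` seconds are
    followed by a success from the same pair. Returns (alerts, unparsed_count)."""
    failures = defaultdict(deque)  # (user, source) -> timestamps of recent failures
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1  # a rising unparsed count is a coverage problem worth its own alert
            continue
        ts, src, user, outcome = ev
        q = failures[(user, src)]
        while q and (ts - q[0]).total_seconds() > window_s:  # drop failures outside the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
        elif outcome == "success" and len(q) >= threshold:
            alerts.append({"user": user, "source": src, "failures": len(q),
                           "first_failure": q[0].isoformat(), "success_at": ts.isoformat()})
            q.clear()
    return alerts, unparsed

# Constructed sample: three failures then a success for jdoe (should alert), two events
# for asmith below the threshold (should not), and one malformed line.
SAMPLE_LINES = [
    "2024-05-01T12:00:00Z auth src=10.0.0.5 user=jdoe outcome=failure",
    "2024-05-01T12:00:10Z auth src=10.0.0.5 user=jdoe outcome=failure",
    "2024-05-01T12:00:20Z auth src=10.0.0.5 user=jdoe outcome=failure",
    "2024-05-01T12:00:45Z auth src=10.0.0.9 user=asmith outcome=failure",
    "2024-05-01T12:00:50Z auth src=10.0.0.9 user=asmith outcome=success",
    "2024-05-01T12:01:00Z auth src=10.0.0.5 user=jdoe outcome=success",
    "this line is not an auth event",
]
```

Tightening `window_s` to 15 seconds makes the same sample produce no alert, which illustrates the tuning trade-off between missed detections and alert fatigue discussed under Common Logging Challenges.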

Common Logging Challenges

Organizations face several practical challenges implementing comprehensive logging.

  • Log volume can be overwhelming, with large environments generating terabytes of log data daily, requiring significant storage, processing capacity, and efficient analysis tools
  • Alert fatigue occurs when poorly tuned monitoring generates excessive false positive alerts, causing analysts to ignore them and miss real threats. Tuning and refinement are essential ongoing activities
  • Performance impact from verbose logging can affect system and network performance, requiring careful balancing of logging detail against operational impact
  • Incomplete coverage happens when some systems, applications, or security tools are not integrated into centralized logging, creating blind spots
  • Insufficient expertise means many organizations lack security analysts skilled in log analysis and threat detection, potentially requiring managed security service providers

Addressing these challenges requires strategic investment in logging infrastructure, ongoing tuning and optimization, comprehensive coverage planning, and adequate analyst expertise, whether through internal hiring or external services.

Cloud and Hybrid Environment Logging

As contractors use cloud services, logging must extend beyond on-premise environments.

  • Cloud provider native logging services (AWS CloudTrail, Azure Monitor, Google Cloud Logging) capture activity within cloud environments
  • API integration sends cloud logs to on-premise SIEM or hybrid logging platforms for centralized analysis alongside on-premise logs
  • Cloud Access Security Broker (CASB) solutions provide visibility into cloud service usage and data protection
  • Unified logging strategies treat on-premise and cloud environments cohesively rather than as separate domains
  • Data location and sovereignty considerations may require that logs containing specified information remain in Canada or under Canadian control, influencing choice of logging infrastructure

Organizations must architect logging to provide comprehensive visibility across hybrid environments without creating gaps between on-premise and cloud systems.

Logging for Compliance Demonstration

During CPCSC Level 2 assessments, assessors will examine logging implementations thoroughly. They will expect:

  • Documentation defining what events are logged and why
  • Evidence that comprehensive logging is actually implemented across systems handling specified information
  • Log retention configurations matching documented policies
  • Log protection measures preventing unauthorized access or tampering
  • Evidence of regular log review and analysis
  • Examples of how logs have been used to detect or investigate incidents

Organizations that can demonstrate mature logging programs with comprehensive coverage, centralized management, active analysis, and documented processes will pass this assessment component confidently, while those with ad-hoc or incomplete logging face significant deficiencies.

Return on Investment

While comprehensive logging requires infrastructure investment and ongoing operational effort, it delivers measurable value.

  • Faster incident detection enabled by real-time log monitoring limits damage by reducing dwell time before incidents are discovered and contained
  • Effective forensics following breaches relies on log data to understand what happened, supporting better remediation and preventing recurrence
  • Compliance efficiency allows using log data to demonstrate control effectiveness during audits and assessments
  • Operational troubleshooting benefits from log data beyond just security uses, helping IT teams diagnose system issues
  • Insurance benefits may result as cyber insurance carriers increasingly require logging and monitoring capabilities for coverage

When viewed as a security and operational enabler rather than just compliance overhead, logging represents a sound business investment.

Learn More

Additional resources are available from the Canadian Centre for Cyber Security.

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers this through compliance readiness specialists who serve Canadian defense suppliers and bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.

Reach Out Now →

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Schedule a free consultation to plot a course toward CPCSC compliance.
