AU-2—Event Logging
>Control Description
Identify the types of events that the system is capable of logging in support of the audit function: ⚙organization-defined event types that the system is capable of logging;
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
Specify the following event types for logging within the system: ⚙organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type;
Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
Review and update the event types selected for logging ⚙organization-defined frequency.
>DoD Impact Level Requirements
FedRAMP Parameter Values
AU-2 (a) [successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2 (c) [organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event]. AU-2 (e) [annually and whenever there is a change in the threat environment]
Additional Requirements and Guidance
AU-2 Requirement: Coordination between service provider and consumer shall be documented and accepted by the JAB/AO. AU-2 (e) Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB/AO.
>Discussion
An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs.
Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.
To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change.
Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.
Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.
>Programmatic Queries
Related Services
CLI Commands
aws cloudtrail describe-trailsaws cloudtrail get-trail-status --name TRAIL_NAMEaws logs describe-log-groupsaws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of AU-2 (Event Logging)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring AU-2?
- •How frequently is the AU-2 policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to AU-2?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce AU-2 requirements.
- •What automated tools, systems, or technologies are deployed to implement AU-2?
- •How is AU-2 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce AU-2 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of AU-2?
- •What audit logs, records, reports, or monitoring data validate AU-2 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of AU-2 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate AU-2 compliance?
Ask AI
Configure your API key to use AI features.