Audit logs streamed to SIEM
Demonstrate that security audit logs from in-scope systems are configured to stream continuously to the SIEM and that the SIEM is actively receiving, parsing, and storing these logs for analysis and retention.
Description
What this control does
This control ensures that security-relevant audit logs from critical systems, applications, and infrastructure are continuously forwarded in near real-time to a centralized Security Information and Event Management (SIEM) platform. Log streaming enables correlation, alerting, and retention independent of source systems, reducing the risk of evidence loss due to log rotation, system compromise, or capacity constraints. It supports timely detection of security incidents, compliance reporting, and forensic investigations by aggregating events across the enterprise into a queryable, tamper-resistant repository.
Control objective
What auditing this proves
Demonstrate that security audit logs from in-scope systems are configured to stream continuously to the SIEM and that the SIEM is actively receiving, parsing, and storing these logs for analysis and retention.
Associated risks
Risks this control addresses
- Delayed detection of security incidents due to lack of centralized log visibility and correlation across distributed systems
- Loss of forensic evidence when local logs are overwritten by rotation policies before security teams can analyze them during incident response
- Failure to detect lateral movement or multi-stage attacks that span multiple systems due to siloed, uncorrelated log sources
- Inability to reconstruct attacker actions post-breach when compromised systems have logs deleted or tampered with by threat actors
- Compliance violations and failed audits when audit logs are not retained centrally for required periods or cannot be produced on demand
- Operational blind spots where critical security events occur on systems not forwarding logs, allowing unauthorized access or data exfiltration to go unnoticed
- Resource exhaustion and service disruption when local storage fills with logs that are not being offloaded to external systems
Testing procedure
How an auditor verifies this control
- Obtain and review the inventory of systems, applications, and infrastructure components designated as critical or in-scope for audit log streaming to the SIEM.
- Review SIEM architecture documentation and log source configuration policies to identify the required log types, formats, and streaming protocols (e.g., syslog, agent-based forwarding, API integration).
- Select a representative sample of in-scope systems spanning servers, network devices, databases, cloud services, and security tools across different environments.
- For each sampled system, inspect the local logging configuration to verify log forwarding is enabled, destination SIEM endpoints are correctly specified, and appropriate log severity levels are configured.
- Access the SIEM console and query for recent log events from each sampled system to confirm logs are actively being received and parsed without errors.
- Generate a test event on one or more sampled systems (e.g., failed authentication, configuration change) and verify the event appears in the SIEM within the expected latency window (typically under 5 minutes).
- Review SIEM ingestion dashboards or reports to identify any in-scope systems with missing, stale, or low log volume that may indicate streaming failures or misconfigurations.
- Examine SIEM alerting rules or monitoring workflows to confirm that log ingestion failures, connection drops, or parser errors trigger timely notifications to operations or security teams.
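
The inventory comparison, ingestion-health review and test-event check from the procedure above can be scripted against an export of per-source SIEM statistics. This is an added example, not part of the original control text. The statistics layout, host names, 15-minute silence threshold and 20% volume floor are assumptions, while the 5-minute latency window comes from the procedure.

```python
from datetime import datetime, timedelta, timezone

MAX_LATENCY = timedelta(minutes=5)   # latency window named in the test-event step
MAX_SILENCE = timedelta(minutes=15)  # assumed threshold for a "stale" source
MIN_VOLUME_RATIO = 0.2               # assumed: below 20% of baseline is "low volume"

def classify_sources(inventory, siem_stats, now):
    """Return host -> list of findings; an empty list means the source looks healthy."""
    findings = {}
    for host in inventory:
        stats = siem_stats.get(host)
        if stats is None:                       # in scope but never seen by the SIEM
            findings[host] = ["missing"]
            continue
        issues = []
        if now - stats["last_seen"] > MAX_SILENCE:
            issues.append("stale")
        if stats["events_24h"] < MIN_VOLUME_RATIO * stats["baseline_24h"]:
            issues.append("low_volume")
        if stats["parse_errors_24h"] > 0:       # received but not parsed cleanly
            issues.append("parse_errors")
        findings[host] = issues
    return findings

def unlisted_sources(inventory, siem_stats):
    """Sources sending logs that the in-scope inventory does not list."""
    return sorted(set(siem_stats) - set(inventory))

def event_within_window(generated_at, indexed_at):
    """True if a test event reached the SIEM inside the latency window."""
    return timedelta(0) <= indexed_at - generated_at <= MAX_LATENCY

# Constructed sample data (hypothetical hosts and counts), not real SIEM output.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ON_TIME, LATE = NOW + timedelta(seconds=90), NOW + timedelta(minutes=6)
INVENTORY = ["web-01", "db-01", "fw-01", "idp-01"]
SIEM_STATS = {
    "web-01": {"last_seen": NOW - timedelta(minutes=2), "events_24h": 9000, "baseline_24h": 10000, "parse_errors_24h": 0},
    "db-01": {"last_seen": NOW - timedelta(hours=3), "events_24h": 500, "baseline_24h": 8000, "parse_errors_24h": 0},
    "fw-01": {"last_seen": NOW - timedelta(minutes=1), "events_24h": 40000, "baseline_24h": 42000, "parse_errors_24h": 37},
    "lab-99": {"last_seen": NOW - timedelta(minutes=1), "events_24h": 120, "baseline_24h": 100, "parse_errors_24h": 0},
}

if __name__ == "__main__":
    for host, issues in classify_sources(INVENTORY, SIEM_STATS, NOW).items():
        print(f"{host}: {', '.join(issues) or 'ok'}")
    print("not in inventory:", unlisted_sources(INVENTORY, SIEM_STATS))
    print("test event on time:", event_within_window(NOW, ON_TIME))
```

A source that reports only `parse_errors` is still streaming, so it is a finding against the "parsing" part of the objective rather than the "receiving" part.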
Where this control is tested