MON-004 Centralised Log Management
Description
Log data from production systems, applications, cloud services, and network devices is aggregated into a centralised log management or SIEM platform. The platform provides search, correlation, and reporting capability. Log ingestion coverage and health are monitored so that a source that stops sending is detected rather than discovered during an incident.
Rationale
Siloed logs across dozens of services are operationally unmanageable. Centralisation enables correlation of events across systems and is a prerequisite for effective threat detection.
Framework Mappings (5)
| Reference | Control | Mapping |
| LOG-01 | Logging and Monitoring Policy and Procedures | full |
| LOG-03 | Security Monitoring and Alerting | partial |
| AU-6 | Audit Record Review, Analysis, and Reporting | partial |
| CA-7 | Continuous Monitoring | partial |
| CC7.1 | Detection and Monitoring Procedures | partial |
Evidence (2)
SIEM or centralised log management platform configuration showing log source ingestion coverage across production systems, cloud services, applications, and network devices.
Example: Splunk, Elastic SIEM, AWS Security Lake, or equivalent platform configuration showing connected data sources, ingestion status per source, and last event received timestamp for each source
Test: Review the SIEM or log management platform data source inventory. Verify: (1) all production systems, cloud services, applications, and network devices appear as configured log sources; (2) each source shows a recent last-event-received timestamp (within the interval expected for that source type); (3) ingestion health monitoring is enabled; (4) cross-reference the source list against the asset inventory to identify any in-scope systems with no configured log source, and any configured sources that do not correspond to a known asset.
Log ingestion health monitoring output showing pipeline status, ingestion volumes, and any detected gaps or failures in log collection.
Example: SIEM ingestion health dashboard export or monitoring alert configuration showing log source status, ingestion rate per source, and any sources with missing data in the last 30 days
Test: Query the log ingestion health dashboard for the last 30 days. Verify: (1) ingestion volume metrics are collected per log source; (2) pipeline failures or sources with zero ingestion trigger an alert; (3) any detected gaps have a documented investigation record; (4) coverage percentage for in-scope sources meets the defined threshold.
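The two tests above reduce to one reconciliation: take the asset inventory, take the SIEM's per-source last-event export, and compute which in-scope assets are missing, which configured sources have gone quiet, and whether the resulting coverage clears the defined threshold. The script below is an added example that is not part of this control catalogue or of any SIEM vendor's tooling; the asset inventory, source export, hostnames, timestamps, the 95% threshold and the fixed "now" are all constructed for illustration. In a real review the two lists would be pulled from the CMDB and from the platform's data-source API, and the output attached as evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical hosts, not from any real environment).
# Asset inventory: the systems that are expected to forward logs.
ASSET_INVENTORY = [
    {"name": "web-01", "in_scope": True},
    {"name": "web-02", "in_scope": True},
    {"name": "db-01", "in_scope": True},
    {"name": "fw-edge-01", "in_scope": True},
    {"name": "aws-cloudtrail", "in_scope": True},
    {"name": "lab-box-07", "in_scope": False},  # out of scope; must not count against coverage
]

# SIEM data-source export: last event received per source, plus the interval
# within which a healthy source of that type is expected to send something.
SIEM_SOURCES = [
    {"name": "web-01", "last_event": "2024-05-10T11:58:00Z", "expected_interval_min": 5},
    {"name": "web-02", "last_event": "2024-05-10T08:30:00Z", "expected_interval_min": 5},    # gone quiet
    {"name": "db-01", "last_event": "2024-05-10T11:59:30Z", "expected_interval_min": 15},
    {"name": "aws-cloudtrail", "last_event": "2024-05-10T11:45:00Z", "expected_interval_min": 30},
    {"name": "old-syslog-relay", "last_event": "2024-05-10T11:50:00Z", "expected_interval_min": 5},  # not in inventory
]
# fw-edge-01 is in scope but has no SIEM source at all: a coverage gap, not a stale source.

NOW = datetime(2024, 5, 10, 12, 0, 0, tzinfo=timezone.utc)  # fixed for a reproducible run
COVERAGE_THRESHOLD = 0.95  # assumed policy value


@dataclass
class CoverageReport:
    missing: list          # in-scope assets with no configured log source
    stale: list            # (source, minutes since last event) beyond the expected interval
    unknown: list          # SIEM sources that match no asset in the inventory
    coverage: float        # fraction of in-scope assets that are configured AND not stale
    meets_threshold: bool


def parse_ts(value):
    """Parse the export's UTC timestamps (ISO 8601 with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_coverage(inventory, sources, now, threshold, grace_factor=1.0):
    """Reconcile the asset inventory against the SIEM source list.

    grace_factor lets bursty sources exceed their nominal interval without being
    flagged (e.g. 2.0 tolerates one missed interval); 1.0 is strict.
    """
    in_scope = {a["name"] for a in inventory if a["in_scope"]}
    known = {a["name"] for a in inventory}
    configured = {s["name"] for s in sources}

    missing = sorted(in_scope - configured)
    unknown = sorted(configured - known)

    stale = []
    for s in sources:
        age = now - parse_ts(s["last_event"])
        allowed = timedelta(minutes=s["expected_interval_min"] * grace_factor)
        if age > allowed:
            stale.append((s["name"], int(age.total_seconds() // 60)))
    stale.sort()
    stale_names = {name for name, _ in stale}

    # A source only counts towards coverage if it exists and is actually delivering.
    healthy = [n for n in in_scope if n in configured and n not in stale_names]
    coverage = len(healthy) / len(in_scope) if in_scope else 1.0
    return CoverageReport(missing, stale, unknown, coverage, coverage >= threshold)


def format_report(report):
    """Render the findings as the text block an assessor would attach as evidence."""
    lines = [f"coverage: {report.coverage:.0%} (threshold met: {report.meets_threshold})"]
    lines += [f"MISSING  {n}: in scope, no log source configured" for n in report.missing]
    lines += [f"STALE    {n}: last event {m} min ago" for n, m in report.stale]
    lines += [f"UNKNOWN  {n}: source not in asset inventory" for n in report.unknown]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_coverage(ASSET_INVENTORY, SIEM_SOURCES, NOW, COVERAGE_THRESHOLD)))
```

Three findings deserve separate handling in the evidence record: a missing source is a coverage gap that needs onboarding, a stale source is a pipeline failure that should already have raised an alert, and an unknown source is either an inventory defect or an unmanaged system. The per-source expected interval matters: a CloudTrail feed that is quiet for twenty minutes is normal, a web server that is quiet for twenty minutes is not, and a single global staleness threshold will either miss the latter or page on the former.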
Questions (2)
Is log data from all production systems, applications, cloud services, and network devices aggregated into a centralised log management or SIEM platform with search, correlation, and reporting capability?
Centralised collection is a prerequisite for effective threat detection. Siloed logs that cannot be correlated across systems leave blind spots in incident investigation.
Which SIEM or centralised log management platform is in use?
The specific platform is less important than coverage. Any production-grade platform is acceptable provided it ingests all in-scope log sources and has active monitoring.