GASP: AICF

MON-006 Log Storage Capacity Management

Tier 2+

Description

Sufficient log storage capacity is provisioned to retain logs for the required retention period without loss. Capacity thresholds are monitored and alerting is configured to prevent log loss due to storage exhaustion. Logging pipeline failures are detected and alerted promptly.

Rationale

Log pipelines silently dropping events under load are a common gap. Capacity management and failure alerting ensure logging coverage is continuous and verifiable.

Framework Mappings (3)

LOG-14 | Failures and Anomalies Reporting | partial
AU-4 | Audit Log Storage Capacity | full
AU-5 | Response to Audit Logging Process Failures | full

Evidence (2)

configuration, automated

Log storage capacity monitoring configuration showing threshold-based alerts for storage utilisation and logging pipeline health.

Example: CloudWatch alarm or Datadog monitor configuration showing storage capacity alert thresholds for log buckets and logging pipeline error rate alerts, with notification routing visible

Test: Review storage capacity monitoring configuration for all log storage locations. Verify: (1) capacity utilisation alerts are configured at a threshold that allows time for remediation before exhaustion; (2) logging pipeline failure or ingestion rate drop alerts are configured; (3) alerts route to an active response channel; (4) the last 90 days of alerts confirm that alerts fired before any storage-related log loss.

log, automated

Log storage capacity metric history showing storage utilisation trends and any pipeline failure events and their resolution.

Example: AWS CloudWatch or equivalent metrics export showing log bucket storage utilisation and log delivery failure rate over the past 90 days

Test: Query storage capacity and pipeline health metrics for the last 90 days. Verify: (1) storage utilisation has not reached or exceeded the defined alert threshold without triggering an alert; (2) any pipeline failure events have a corresponding incident or remediation record; (3) no log loss events have occurred without detection.
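
The three checks in the test above, run over an exported metric history, as an added example that is not part of the framework. The record layout, the 80% threshold, the one-hour alert window and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ALERT_THRESHOLD = 0.80             # assumed utilisation alert threshold
ALERT_WINDOW = timedelta(hours=1)  # assumed: alert must fire within 1h of the event

def alerted(alerts, kind, when):
    """True if an alert of this kind fired within ALERT_WINDOW after `when`."""
    return any(k == kind and when <= t <= when + ALERT_WINDOW for t, k in alerts)

def review(utilisation, deliveries, failures, alerts, incidents):
    """Return findings for the three checks of the log evidence test."""
    findings = []
    # (1) every upward crossing of the threshold must have a storage alert
    prev = 0.0
    for t, used in utilisation:
        if used >= ALERT_THRESHOLD > prev and not alerted(alerts, "storage", t):
            findings.append(("threshold_without_alert", t))
        prev = used
    # (2) every pipeline failure needs an incident or remediation record
    for failure_id, t in failures:
        if failure_id not in incidents:
            findings.append(("failure_without_record", t))
    # (3) an interval where fewer events were stored than sent is log loss;
    #     it counts as detected only if a pipeline alert fired for it
    for t, sent, stored in deliveries:
        if stored < sent and not alerted(alerts, "pipeline", t):
            findings.append(("undetected_log_loss", t))
    return findings

T0 = datetime(2024, 1, 1)  # constructed start of the review window

def h(n):
    return T0 + timedelta(hours=n)

SAMPLE = dict(  # constructed sample export, not real data
    utilisation=[(h(0), 0.70), (h(24), 0.82), (h(48), 0.75), (h(72), 0.85)],
    deliveries=[(h(10), 1000, 1000), (h(30), 1000, 940), (h(50), 1000, 990)],
    failures=[("PF-1", h(30)), ("PF-2", h(50))],
    alerts=[(h(24), "storage"), (h(30), "pipeline")],
    incidents={"PF-1"},
)

if __name__ == "__main__":
    for kind, when in review(**SAMPLE):
        print(f"{when:%Y-%m-%d %H:%M}  {kind}")
```

An empty result means the sampled period passes all three checks; each finding names the check that failed and the timestamp to investigate.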

Questions (2)

boolean

Is sufficient log storage capacity provisioned to retain logs for the required retention period without loss, with capacity thresholds monitored and logging pipeline failures alerted promptly?

Silent log loss under storage pressure is a common gap. Capacity monitoring must alert early enough to allow remediation before any log loss occurs.

select

How are logging pipeline failures and log storage capacity issues detected and responded to?

- Automated alerting on storage threshold breaches and pipeline failures, with a defined response SLA and documented runbook
- Automated alerting configured but no defined response SLA or runbook
- Periodic manual review of storage utilisation and pipeline status
- No monitoring of log pipeline health or storage capacity

Automated alerting with a defined response SLA and runbook is the expected standard. Any pipeline failure without an alert and response process represents a gap in logging integrity.