U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

Log Management

Overview

NIST is in the process of revising NIST Special Publication (SP) 800-92, Guide to Computer Security Log Management. Recent incidents have underscored how important it is for organizations to generate, safeguard, and retain logs of their system and network events, both to improve incident detection and to aid in incident response and recovery activities. Logs that are retained for an extended period of time may be the only record an organization has of what occurred during an incident to identify root cause.

The current version (September 2006) of SP 800-92 seeks to assist organizations in understanding the need for sound computer security log management. It defines important log management concepts and explores the challenges involved in log management at the enterprise level. It provides recommendations for planning log management, such as defining roles and responsibilities and creating feasible logging policies.

The publication presents log management technologies at a high level, and it is not a guide to implementing or using log management technologies.

NIST Plans

The revised SP 800-92 will focus on log management principles, processes, procedures, and planning for organizations. It will contain updated information and recommendations, particularly to help organizations prepare to detect, respond to, and recover from cybersecurity incidents in a mix of on-premises and cloud-based environments. Examples of what the recommendations will include are:

  • Scope of log information: which types of logs or log information should be generated and retained
  • Log retention: how long logs and other relevant data should be retained
  • Log protection: what technical methods should be used to protect the integrity, provenance, and confidentiality of logs
  • Log management practices: what log management practices organizations should follow (for example, centralizing logs and integrating them with their SOC)
  • Information sharing: how log information sharing with external incident response organizations and law enforcement should be safeguarded

The SP 800-92 revisions will be informed by the August 2021 OMB Memorandum M-21-31, "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," which addresses requirements in Section 8 of Executive Order (EO) 14028.

Contact Us

Your comments and suggestions for the Log Management project are always welcome. Contact us at log-mgmt@nist.gov.


Contacts

Log Management
log-mgmt@nist.gov

Topics

Security and Privacy: audit & accountability

Applications: enterprise

Laws and Regulations: Executive Order 14028

Related Projects

National Checklist Program

Created April 28, 2021, Updated September 03, 2021