© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.
C2M2-SITUATION-1C (Active)

Statement

Logging requirements are established and maintained for IT and OT assets that are important to the delivery of the function and assets within the function that may be leveraged to achieve a threat objective

Location

Domain: Situational Awareness
Objective: Situational Awareness - Objective 1

Practice Details

Identifier: C2M2-SITUATION-1C
Domain: Situational Awareness
Objective: Objective 1
Maturity Level: MIL-2

Help Text

Define logging requirements for all important IT and OT assets. For example, capturing failed login attempts can point to confidentiality issues, unauthorized changes can indicate integrity issues, and log entries on system down time can reveal availability issues.

Requirements for logging may differ for different assets, such as operations technology, field devices, mobile devices, and assets that reside in the cloud. For virtual networks, additional tools or processes may be necessary to enable logging of virtual network traffic. Logs from the cloud, including both cloud infrastructure and cloud assets, should be defined by the organization in the logging requirements as applicable.

In addition to the types of events to be logged, organizations should consider what logging requirements may be appropriate such as how logs are to be protected, chain of custody considerations, or retention timelines.

Example events that may be logged:

  1. Operating system and application administration events
     • account creation and deletion
     • account privilege assignment
     • configuration changes or software installation
  2. Operating system and application usage events
     • start up, shut down, and failure of services and applications
     • network connections and failures
     • successful and unsuccessful log on attempts
     • application failures
     • email and web traffic
     • systems and files accessed by users
  3. Events occurring on network devices such as
     • firewalls
     • switches
     • routers
     • wireless access points
  4. Events occurring on OT devices such as
     • human machine interfaces (HMIs) and operator workstations
     • protection relays
     • programmable logic controllers (PLCs) and remote terminal units (RTUs)
     • smart meters

Related Practices

  • Input From: Implementing ASSET-1a and ASSET-1b provides input that may be useful for implementing this practice.
  • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: SITUATION-1a, SITUATION-1b, SITUATION-1c, SITUATION-1d, SITUATION-1f.

AESCSF

  • AESCSF-SITUATION-1c: equivalent (via derived-shared-practice-structure)
Situational Awareness - Objective 1 (6 controls)

  • C2M2-SITUATION-1A: Logging is occurring for assets that are important to the delivery of the function, at least in an ad hoc manner
  • C2M2-SITUATION-1B: Logging is occurring for assets within the function that may be leveraged to achieve a threat objective, wherever feasible
  • C2M2-SITUATION-1C: Logging requirements are established and maintained for IT and OT assets that are important to the delivery of the function and assets within the function that may be leveraged to achieve a threat objective
  • C2M2-SITUATION-1D: Logging requirements are established and maintained for network and host monitoring infrastructure (for example, web gateways, endpoint detection and response software, intrusion detection and prevention systems)
  • C2M2-SITUATION-1E: Log data are being aggregated within the function
  • C2M2-SITUATION-1F: More rigorous logging is performed for higher priority assets