Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >Audit And Accountability
  4. >SP800-53-AU-5
SP800-53-AU-5Active

Response to Audit Logging Process Failures

Statement

Alert personnel or roles within time period in the event of an audit logging process failure; and Take the following additional actions: additional actions.

Location

Control Family
Audit and Accountability

Control Details

Identifier
SP800-53-AU-5
Family
AU

Organisation-Defined Parameters

au-05_odp.01
personnel or roles
au-05_odp.02
time period
au-05_odp.03
additional actions

Supplemental Guidance

Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.

Assessment Objective

personnel or roles are alerted in the event of an audit logging process failure within time period; additional actions are taken in the event of an audit logging process failure.

ATTACK
ATTACK-T1593.003relatedvia ctid-attack-to-sp800-53
ATTACK-T1649relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Audit and Accountability
Audit and Accountability69 controls
SP800-53-AU-1Policy and ProceduresSP800-53-AU-2Event LoggingSP800-53-AU-2(1)Compilation of Audit Records from Multiple SourcesSP800-53-AU-2(2)Selection of Audit Events by ComponentSP800-53-AU-2(3)Reviews and UpdatesSP800-53-AU-2(4)Privileged FunctionsSP800-53-AU-3Content of Audit RecordsSP800-53-AU-3(1)Additional Audit InformationSP800-53-AU-3(2)Centralized Management of Planned Audit Record ContentSP800-53-AU-3(3)Limit Personally Identifiable Information ElementsSP800-53-AU-4Audit Log Storage CapacitySP800-53-AU-4(1)Transfer to Alternate StorageSP800-53-AU-5Response to Audit Logging Process FailuresSP800-53-AU-5(1)Storage Capacity WarningSP800-53-AU-5(2)Real-time AlertsSP800-53-AU-5(3)Configurable Traffic Volume ThresholdsSP800-53-AU-5(4)Shutdown on FailureSP800-53-AU-5(5)Alternate Audit Logging CapabilitySP800-53-AU-6Audit Record Review, Analysis, and ReportingSP800-53-AU-6(1)Automated Process IntegrationSP800-53-AU-6(2)Automated Security AlertsSP800-53-AU-6(3)Correlate Audit Record RepositoriesSP800-53-AU-6(4)Central Review and AnalysisSP800-53-AU-6(5)Integrated Analysis of Audit RecordsSP800-53-AU-6(6)Correlation with Physical MonitoringSP800-53-AU-6(7)Permitted ActionsSP800-53-AU-6(8)Full Text Analysis of Privileged CommandsSP800-53-AU-6(9)Correlation with Information from Nontechnical SourcesSP800-53-AU-6(10)Audit Level AdjustmentSP800-53-AU-7Audit Record Reduction and Report GenerationSP800-53-AU-7(1)Automatic ProcessingSP800-53-AU-7(2)Automatic Sort and SearchSP800-53-AU-8Time StampsSP800-53-AU-8(1)Synchronization with Authoritative Time SourceSP800-53-AU-8(2)Secondary Authoritative Time SourceSP800-53-AU-9Protection of Audit InformationSP800-53-AU-9(1)Hardware Write-once MediaSP800-53-AU-9(2)Store on Separate Physical Systems or ComponentsSP800-53-AU-9(3)Cryptographic ProtectionSP800-53-AU-9(4)Access by Subset of Privileged UsersSP800-53-AU-9(5)Dual AuthorizationSP800-53-AU-9(6)Read-only AccessSP800-53-AU-9(7)Store on Component with Different Operating SystemSP800-53-AU-10Non-repudiationSP800-53-AU-10(1)Association of IdentitiesSP800-53-AU-10(2)Validate Binding of Information Producer IdentitySP800-53-AU-10(3)Chain of CustodySP800-53-AU-10(4)Validate Binding of Information Reviewer IdentitySP800-53-AU-10(5)Digital SignaturesSP800-53-AU-11Audit Record RetentionSP800-53-AU-11(1)Long-term Retrieval CapabilitySP800-53-AU-12Audit Record GenerationSP800-53-AU-12(1)System-wide and Time-correlated Audit TrailSP800-53-AU-12(2)Standardized FormatsSP800-53-AU-12(3)Changes by Authorized IndividualsSP800-53-AU-12(4)Query Parameter Audits of Personally Identifiable InformationSP800-53-AU-13Monitoring for Information DisclosureSP800-53-AU-13(1)Use of Automated ToolsSP800-53-AU-13(2)Review of Monitored SitesSP800-53-AU-13(3)Unauthorized Replication of InformationSP800-53-AU-14Session AuditSP800-53-AU-14(1)System Start-upSP800-53-AU-14(2)Capture and Record ContentSP800-53-AU-14(3)Remote Viewing and ListeningSP800-53-AU-15Alternate Audit Logging CapabilitySP800-53-AU-16Cross-organizational Audit LoggingSP800-53-AU-16(1)Identity PreservationSP800-53-AU-16(2)Sharing of Audit InformationSP800-53-AU-16(3)Disassociability