SEC09-01 Implementing Standardized Log Management
Standardized log management must be implemented for logs of the identity, network, application, server, data, and O&M defense layers to monitor systems and user activities, enabling centralized log management and ensuring transparent and traceable security operations.
- Risk level
High
- Key strategies
- Track and monitor all access to network resources and key data. The system's activity recording mechanism and user activity tracking function can effectively reduce the threat of malicious activities to data. Common security logs include host security logs, OS logs, bastion host logs, IAM logs, WAF attack logs, CFW logs, VPC flow logs, and DNS logs. When an error or security event is reported for a system, you can trace, alert, and analyze the error or security event and quickly locate the cause of the threat.
- Ensure that the log retention duration meets requirements. HSS and cloud service logs transferred to LTS are deleted automatically after the default log retention duration expires, so configure a log retention duration based on your service requirements. To store logs for a longer period, configure log transfer in LTS.
- Enable centralized security management and operations if you have many accounts in your organization. This helps collect logs, alarms, configurations, policies, and asset data across multiple cloud environments, accounts, and cloud service products. Doing so improves your organization's security operations and O&M efficiency and lets accounts and resources be managed centrally. Centralized log management enables centralized storage, analysis, modeling, threat analysis, orchestration, response, situation reporting, and security policy management.
- Related cloud services and tools
- Log Tank Service (LTS): You can use LTS to collect logs for efficient, real-time decision-making analysis, device O&M management, and service trend analysis.
- Web Application Firewall (WAF)
- SecMaster
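The key strategies above can be checked mechanically once log stream settings from all accounts are gathered in one place. The following is an added example, not code from this page or from the LTS service: it audits a constructed inventory for log sources that are not collected and for streams whose retention is too short with no log transfer configured. The record field names, the account names, and the 180-day requirement are assumptions.

```python
# Added example. Field names are hypothetical and do not mirror the LTS API.
# Source types follow the common security logs listed under "Key strategies".
REQUIRED_SOURCES = {"host", "os", "bastion", "iam", "waf", "cfw", "vpc_flow", "dns"}
REQUIRED_DAYS = 180  # assumed requirement; set this from your own policy

# Constructed inventory: one record per log stream, per account.
INVENTORY = [
    {"account": "prod", "source": s, "retention_days": 180, "transfer": False}
    for s in sorted(REQUIRED_SOURCES - {"waf", "dns"})
] + [
    {"account": "prod", "source": "waf", "retention_days": 30, "transfer": False},
    {"account": "prod", "source": "dns", "retention_days": 30, "transfer": True},
    {"account": "dev", "source": "iam", "retention_days": 7, "transfer": False},
    {"account": "dev", "source": "host", "retention_days": 365, "transfer": False},
]


def audit(inventory, required_sources=REQUIRED_SOURCES, required_days=REQUIRED_DAYS):
    """Return (account, source, issue) tuples for every gap found."""
    findings = []
    collected = {}  # account -> set of source types seen
    for rec in inventory:
        collected.setdefault(rec["account"], set()).add(rec["source"])
        # Short retention is acceptable only if logs are transferred
        # to longer-term storage before they are deleted.
        if rec["retention_days"] < required_days and not rec["transfer"]:
            findings.append((rec["account"], rec["source"], "retention_short"))
    for account in sorted(collected):
        for missing in sorted(required_sources - collected[account]):
            findings.append((account, missing, "not_collected"))
    return findings


if __name__ == "__main__":
    for account, source, issue in audit(INVENTORY):
        print(f"{account:5} {source:9} {issue}")
```
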