Skip to main content
NetStable
Level 2 AU.L2-3.3.4

Alert in the event of an audit logging process failure

What It Means Why It Matters How to Implement Evidence SSP Guidance Assessment Common Mistakes

📖 What This Means

This practice requires organizations to set up alerts that notify relevant personnel when the audit logging process fails. Audit logging is crucial for tracking and recording system activities, especially those involving sensitive data like Controlled Unclassified Information (CUI). If logging stops or fails, organizations lose visibility into potential security incidents, making it harder to detect and respond to threats. For example, if a server stops logging user access attempts due to a misconfiguration, unauthorized access could go unnoticed. Another scenario is a disk filling up, causing logs to stop being recorded, which could prevent the detection of malicious activities. This control ensures that such failures are immediately flagged so they can be addressed promptly.

🎯 Why It Matters

Audit logging is a critical component of cybersecurity, providing a record of events that can be used to detect, investigate, and respond to security incidents. If logging fails, organizations risk missing crucial evidence of unauthorized access, data breaches, or insider threats. For example, in the 2017 Equifax breach, delayed detection of unauthorized access allowed attackers to exfiltrate sensitive data over several weeks. A failure in audit logging could lead to similar outcomes, resulting in significant financial losses, reputational damage, and regulatory penalties. From a DoD/CMMC perspective, this control ensures accountability and visibility into systems handling CUI, which is essential for protecting national security interests.

How to Implement

  1. Enable logging services in your cloud environment (e.g., AWS CloudTrail, Azure Monitor, GCP Logging).
  2. Configure alerts for logging failures using cloud-native monitoring tools (e.g., AWS CloudWatch Alarms, Azure Alerts, GCP Alerting).
  3. Set up notifications to send alerts to designated personnel via email, SMS, or integration with incident management tools like PagerDuty.
  4. Regularly test logging and alerting mechanisms to ensure they are functioning correctly.
  5. Monitor log storage capacity and configure alerts for thresholds (e.g., 80% disk usage).
⏱️
Estimated Effort
Implementation typically takes 8-16 hours, depending on the complexity of the environment. Skill level required: Intermediate (IT administrators familiar with logging and monitoring tools).

📋 Evidence Examples

Alert configuration screenshots

Format: PNG/JPEG
Frequency: Upon initial setup and after any changes.
Contents: Screenshots showing configured alerts for audit logging failures.
Collection: Capture screenshots from monitoring tools.

Notification logs

Format: CSV/TXT
Frequency: Monthly.
Contents: Logs showing notifications sent for logging failures.
Collection: Export logs from notification tools.

Testing results

Format: PDF/DOCX
Frequency: Quarterly.
Contents: Documentation of tests verifying alerting mechanisms.
Collection: Record test results in a report.

Log storage capacity monitoring report

Format: PDF/DOCX
Frequency: Monthly.
Contents: Report showing log storage capacity and alerts triggered.
Collection: Generate report from monitoring tools.

Policy/procedure document

Format: PDF/DOCX
Frequency: Annually or as updated.
Contents: Document outlining procedures for responding to logging failures.
Collection: Create and maintain document.

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AU.L2-3.3.4 ("Alert in the event of an audit logging process failure"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your audit logging infrastructure, including which events are logged, the SIEM/log management platform, retention periods, log protection mechanisms, and review processes. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AU.L2-3.3.4 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to alert in the event of an audit logging process failure. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AU.L2-3.3.4 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to alert in the event of an audit logging process failure. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AU.L2-3.3.4 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all systems generating audit logs within the CUI boundary
  • Document log flow from sources to centralized SIEM
  • Specify log storage locations and retention tiers
  • Ensure this control covers all systems within your defined CUI boundary where alert in the event of an audit logging process failure applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Audit and Accountability Policy
  • 📄 SIEM architecture documentation
  • 📄 Log retention configuration
  • 📄 Evidence artifacts specific to AU.L2-3.3.4
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that required events are logged, check log completeness (all required fields present), test log protection mechanisms, and review evidence of regular log reviews.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Are audit logs enabled on all systems handling CUI?

✅ YES → Proceed to Q2.
❌ NO → GAP: Enable audit logging on all relevant systems. Timeline: 1 week.
Remediation:
Enable logging in system settings or via centralized logging tools.

Question 2: Are alerts configured for audit logging failures?

✅ YES → Proceed to Q3.
❌ NO → GAP: Configure alerts using monitoring tools. Timeline: 1 week.
Remediation:
Set up alerts in tools like AWS CloudWatch, Nagios, or Zabbix.

Question 3: Are notifications sent to designated personnel?

✅ YES → Proceed to Q4.
❌ NO → GAP: Configure notifications via email, SMS, or messaging platforms. Timeline: 3 days.
Remediation:
Integrate alerts with tools like PagerDuty or Slack.

Question 4: Are logging and alerting mechanisms tested regularly?

✅ YES → Proceed to Q5.
❌ NO → GAP: Schedule regular testing. Timeline: 1 month.
Remediation:
Document test results and address any issues.

Question 5: Is log storage capacity monitored and alerts configured?

✅ YES → Compliance confirmed.
❌ NO → GAP: Configure alerts for storage thresholds. Timeline: 1 week.
Remediation:
Set up alerts for disk usage thresholds (e.g., 80%).

⚠️ Common Mistakes (What Auditors Flag)

1. Not enabling audit logging on all systems.

Why this happens: Overlooking systems or assuming logging is enabled by default.
How to avoid: Perform a comprehensive inventory and verify logging settings.

2. Failing to test alerting mechanisms.

Why this happens: Assuming alerts will work without testing.
How to avoid: Regularly simulate logging failures to verify alerts.

3. Not monitoring log storage capacity.

Why this happens: Focusing only on log generation, not storage.
How to avoid: Set up alerts for disk usage thresholds.

4. Incomplete documentation of procedures.

Why this happens: Not maintaining updated policy documents.
How to avoid: Review and update procedures annually.

5. Using incorrect notification channels.

Why this happens: Not verifying that alerts reach the right personnel.
How to avoid: Test notifications and confirm receipt with recipients.

📚 Parent Policy

This practice is governed by the Audit and Accountability Policy

View AU Policy →

📚 Related Controls

AU.L2-3.1.1 - Ensure audit logs are generated AU.L2-3.3.1 - Protect audit information AU.L2-3.3.2 - Review audit logs regularly AU.L2-3.3.3 - Ensure audit record content meets requirements
Previous
AU.L2-3.3.3
Back to AU
Next
AU.L2-3.3.5