CCI-000133

Definition

Ensure that audit records contain information that establishes the source of the event.

Parent Control

AU-3 | Content of Audit Records | Audit and Accountability

Linked STIG Checks (191)

Check ID | Severity | Requirement | STIG

  • V-237033 | CAT III | The A10 Networks ADC, when used to load balance web applications, must enable external logging for accessing Web Application Firewall data event messages. | A10 Networks ADC ALG Security Technical Implementation Guide
  • V-255591 | CAT III | The A10 Networks ADC must produce audit log records containing information (FQDN, unique hostname, management or loopback IP address) to establish the source of events. | A10 Networks ADC NDM Security Technical Implementation Guide
  • V-204649 | CAT II | AAA Services configuration audit records must identify the source of the events. | AAA Services Security Requirements Guide
  • V-279034 | CAT III | ColdFusion must produce log records containing information to establish what type of events occurred. | Adobe ColdFusion Security Technical Implementation Guide
  • V-274017 | CAT II | Amazon Linux 2023 must have the audit package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274018 | CAT II | Amazon Linux 2023 must produce audit records containing information to establish what type of events occurred. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268090 | CAT II | The NixOS audit package must be installed. | Anduril NixOS Security Technical Implementation Guide
  • V-214232 | CAT II | The Apache web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214233 | CAT II | An Apache web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214311 | CAT II | The Apache web server must produce log records containing sufficient information to establish what type of events occurred. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214312 | CAT II | An Apache web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-222930 | CAT II | AccessLogValve must be configured for each application context. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-252464 | CAT II | The macOS system must initiate session audits at system startup, using internal clocks with time stamps for audit records that meet a minimum granularity of one second and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), in order to generate audit records containing information to establish what type of events occurred, the identity of any individual or process associated with the event, including individual identities of group account users, establish where the events occurred, source of the event, and outcome of the events including all account enabling actions, full-text recording of privileged commands, and information about the use of encryption for access wireless access to and from the system. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
  • V-257170 | CAT II | The macOS system must produce audit records containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
  • V-268454 | CAT II | The macOS system must enable security auditing. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277062 | CAT II | The macOS system must enable security auditing. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-204931 | CAT II | The ALG must produce audit records containing information to establish the source of the events. | Application Layer Gateway Security Requirements Guide
  • V-274537 | CAT II | All defined API elements must be documented. | Application Programming Interface (API) Security Requirements Guide
  • V-222475 | CAT II | When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | Application Security and Development Security Technical Implementation Guide
  • V-204724 | CAT II | The application server must produce log records containing sufficient information to establish the sources of the events. | Application Server Security Requirements Guide
  • V-237323 | CAT I | The ArcGIS Server must provide audit record generation capability for DoD-defined auditable events within all application components. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-255962 | CAT II | The Arista network device must be configured to capture all DOD auditable events. | Arista MLS EOS 4.X NDM Security Technical Implementation Guide
  • V-256008 | CAT II | The Arista router must be configured to produce audit records containing information to establish where the events occurred. | Arista MLS EOS 4.X Router Security Technical Implementation Guide
  • V-272371 | CAT II | A BIND 9.x server implementation must be configured to allow DNS administrators to audit all DNS server components based on selectable event criteria and produce audit records within all DNS server components that contain information for failed security verification tests, information to establish the outcome and source of the events, any information necessary to determine cause of failure, and any information necessary to return to operations with least disruption to mission processes. | BIND 9.x Security Technical Implementation Guide
  • V-237353 | CAT II | The CA API Gateway must produce audit records containing information to establish the source of the events. | CA API Gateway ALG Security Technical Implementation Guide
  • V-219225 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238298 | CAT II | The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260590 | CAT II | Ubuntu 22.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260591 | CAT II | Ubuntu 22.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270656 | CAT II | Ubuntu 24.04 LTS must have the "auditd" package installed. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270657 | CAT II | Ubuntu 24.04 LTS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-221911 | CAT III | The Central Log Server must produce audit records containing information to establish the source of the events. | Central Log Server Security Requirements Guide
  • V-271939 | CAT II | The Cisco ACI must automatically audit account creation. | Cisco ACI NDM Security Technical Implementation Guide
  • V-239876 | CAT II | The Cisco ASA must be configured to produce audit records containing information to establish the source of the event. | Cisco ASA IPS Security Technical Implementation Guide
  • V-239908 | CAT II | The Cisco ASA must be configured to produce audit log records containing information to establish the source of events. | Cisco ASA NDM Security Technical Implementation Guide
  • V-239973 | CAT III | The Cisco ASA remote access VPN server must be configured to generate log records containing information to establish the source of the events. | Cisco ASA VPN Security Technical Implementation Guide
  • V-216570 | CAT II | The Cisco router must be configured to produce audit records containing information to establish the source of the events. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-220438 | CAT II | The Cisco switch must be configured to produce audit records containing information to establish the source of the events. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-216660 | CAT II | The Cisco router must be configured to produce audit records containing information to establish the source of the events. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-221005 | CAT II | The Cisco switch must be configured to produce audit records containing information to establish the source of the events. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-216751 | CAT II | The Cisco router must be configured to produce audit records containing information to establish the source of the events. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-269469 | CAT II | The audit package must be installed on AlmaLinux OS 9. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233045 | CAT II | All audit records must identify the source of the event within the container platform. | Container Platform Security Requirements Guide
  • V-233591 | CAT II | PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261869 | CAT II | PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-255542 | CAT III | The DBN-6300 must produce audit log records containing information to establish the source of events. | DBN-6300 NDM Security Technical Implementation Guide
  • V-206531 | CAT II | The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events. | Database Security Requirements Guide
  • V-269774 | CAT II | The Dell OS10 Switch must initiate session auditing upon startup. | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-235778 | CAT II | The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235779 | CAT II | The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-205164 | CAT II | The DNS server implementation must produce audit records containing information to establish the source of the events. | Domain Name System (DNS) Security Requirements Guide
  • V-213573 | CAT II | The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the sources (origins) of the events. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259958 | CAT II | The Enterprise Voice, Video, and Messaging Endpoint must be configured to produce session (call detail) records containing the source of the connection. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-259999 | CAT II | The Enterprise Voice, Video, and Messaging Session Manager must produce session (call) records containing the identity of the initiator of the call. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
  • V-259222 | CAT II | The EDB Postgres Advanced Server must produce audit records containing sufficient information to establish the sources (origins) of the events. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-266146 | CAT II | The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log. | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
  • V-266256 | CAT II | The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule. | F5 BIG-IP TMOS Firewall Security Technical Implementation Guide
  • V-266068 | CAT II | The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
  • V-278385 | CAT II | NGINX must provide audit records for DOD-defined auditable events. | F5 NGINX Security Technical Implementation Guide
  • V-206681 | CAT III | The firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum. | Firewall Security Requirements Guide
  • V-234138 | CAT III | The FortiGate firewall must generate traffic log entries containing information to establish the source of the events, such as the source IP address at a minimum. | Fortinet FortiGate Firewall Security Technical Implementation Guide
  • V-203607 | CAT II | The operating system must produce audit records containing information to establish the source of the events. | General Purpose Operating System Security Requirements Guide
  • V-217443 | CAT III | The HP FlexFabric Switch must produce audit log records containing information to establish the source of events. | HP FlexFabric Switch NDM Security Technical Implementation Guide
  • V-255267 | CAT II | SSMC web server must generate, at a minimum, log records for system startup and shutdown, system access, and system authentication events. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-268245 | CAT II | The HYCU virtual appliance must produce audit records containing information to establish when events occurred, where events occurred, the source of the event, the outcome of the event, and identity of any individual or process associated with the event. | HYCU Protege Security Technical Implementation Guide
  • V-215238 | CAT II | AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. | IBM AIX 7.x Security Technical Implementation Guide
  • V-256887 | CAT II | Audit records content must contain valid information to allow for proper incident reporting. | IBM Hardware Management Console (HMC) Security Technical Implementation Guide
  • V-255782 | CAT II | The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255732 | CAT II | The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
  • V-250325 | CAT II | The WebSphere Liberty Server must log remote session and security activity. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-255823 | CAT II | The WebSphere Application Server audit event type filters must be configured. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
  • V-223544 | CAT II | IBM z/OS Required SMF data record types must be collected. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223546 | CAT II | IBM z/OS must specify SMF data options to assure appropriate activation. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223653 | CAT II | IBM RACF SETROPTS LOGOPTIONS must be properly configured. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223767 | CAT II | IBM z/OS required SMF data record types must be collected. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223769 | CAT II | IBM z/OS must specify SMF data options to assure appropriate activation. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223998 | CAT II | IBM z/OS required SMF data record types must be collected. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224001 | CAT II | IBM z/OS must specify SMF data options to ensure appropriate activation. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237899 | CAT II | CA VM:Secure product must be installed and operating. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-34543 | CAT II | The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
  • V-206870 | CAT II | The IDPS must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-258601 | CAT II | The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-258587 | CAT III | The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-251018 | CAT III | The Sentry must produce audit records containing information to establish the source of the events. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
  • V-251018 | CAT III | The Sentry must produce audit records containing information to establish the source of the events. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-213510 | CAT II | JBoss must be configured to record the IP address and port information used by management interface network traffic. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-253892 | CAT II | The Juniper EX switch must be configured to produce audit log records containing information to establish the source of events. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-253997 | CAT II | The Juniper router must be configured to produce audit records containing information to establish the source of the events. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-217027 | CAT II | The Juniper router must be configured to produce audit records containing information to establish the source of the events. | Juniper Router RTR Security Technical Implementation Guide
  • V-242403 | CAT II | Kubernetes API Server must generate audit records that identify what type of event has occurred, identify the source of the event, contain the event results, identify any users, and identify any containers associated with the event. | Kubernetes Security Technical Implementation Guide
  • V-213815 | CAT II | SQL Server must produce Trace or Audit records containing sufficient information to establish the sources (origins) of the events. | MS SQL Server 2014 Instance Security Technical Implementation Guide
  • V-205467 | CAT II | The Mainframe Product must produce audit records containing information to establish the source of the events. | Mainframe Product Security Requirements Guide
  • V-228360 | CAT III | Exchange Circular Logging must be disabled. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
  • V-228361 | CAT II | Exchange Email Subject Line logging must be disabled. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
  • V-228362 | CAT II | Exchange Message Tracking Logging must be enabled. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
  • V-259583 | CAT II | Exchange message tracking logging must be enabled. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
  • V-259656 | CAT II | Exchange email subject line logging must be disabled. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-259657 | CAT II | Exchange message tracking logging must be enabled. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-259658 | CAT III | Exchange circular logging must be disabled. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
  • V-218740 | CAT II | An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information. | Microsoft IIS 10.0 Site Security Technical Implementation Guide
  • V-221160 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
  • V-252134 | CAT II | MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
  • V-265907 | CAT II | MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
  • V-279334 | CAT II | MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-202033 | CAT II | The network device must produce audit log records containing information to establish the source of events. | Network Device Management Security Requirements Guide
  • V-254167 | CAT II | Nutanix AOS must produce audit records containing information to establish the source of events. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
  • V-219757 | CAT II | The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-220273 | CAT II | The DBMS must produce audit records containing sufficient information to establish the sources (origins) of the events. | Oracle Database 12c Security Technical Implementation Guide
  • V-221322 | CAT II | OHS must have a log format defined for log records that allow the establishment of the source of events. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221323 | CAT II | OHS must have a SSL log format defined for log records that allow the establishment of the source of events. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221324 | CAT II | OHS must have a log file defined for each site/virtual host to capture logs generated that allow the establishment of the source of events. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221325 | CAT II | OHS, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221326 | CAT II | OHS, behind a load balancer or proxy server, must have the SSL log format set correctly to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-221327 | CAT II | OHS, behind a load balancer or proxy server, must have a log file defined for each site/virtual host to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | Oracle HTTP Server 12.1.3 Security Technical Implementation Guide
  • V-248519 | CAT II | The OL 8 audit package must be installed. | Oracle Linux 8 Security Technical Implementation Guide
  • V-248520 | CAT II | OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271519 | CAT II | OL 9 must have the audit package installed. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271520 | CAT II | OL 9 audit service must be enabled. | Oracle Linux 9 Security Technical Implementation Guide
  • V-235947 | CAT III | Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events. | Oracle WebLogic Server 12c Security Technical Implementation Guide
  • V-228836 | CAT III | The Palo Alto Networks security platform must log violations of security policies. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-207689 | CAT II | The Palo Alto Networks security platform must produce audit records containing information to establish the source of the event, including, at a minimum, originating source address. | Palo Alto Networks IDPS Security Technical Implementation Guide
  • V-228643 | CAT III | The Palo Alto Networks security platform must produce audit log records containing information (FQDN, unique hostname, management IP address) to establish the source of events. | Palo Alto Networks NDM Security Technical Implementation Guide
  • V-214125 | CAT II | PostgreSQL must produce audit records containing sufficient information to establish the sources (origins) of the events. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-273788 | CAT II | The RUCKUS ICX device must initiate session auditing upon startup. | RUCKUS ICX NDM Security Technical Implementation Guide
  • V-252846 | CAT II | Rancher MCM must allocate audit record storage and generate audit records associated with events, users, and groups. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-254555 | CAT II | Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. | Rancher Government Solutions RKE2 Security Technical Implementation Guide
  • V-280984 | CAT II | RHEL 10 must have the rsyslog service set to active. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280991 | CAT II | RHEL 10 must use cron logging. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280993 | CAT II | RHEL 10 must have the "audit" package installed. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-280994 | CAT II | RHEL 10 must enable the audit service. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-258151 | CAT II | RHEL 9 audit package must be installed. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258152 | CAT II | RHEL 9 audit service must be enabled. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257522 | CAT II | All audit records must generate the event results within OpenShift. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-275452 | CAT I | The Riverbed NetIM must enable and configure user audit logging. | Riverbed NetIM NDM Security Technical Implementation Guide
  • V-275677 | CAT II | Ubuntu OS must have the "auditd" package installed. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-275678 | CAT II | Ubuntu OS must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DOD-defined auditable events and actions in near real time. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-256072 | CAT I | The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-207121 | CAT II | The router must be configured to produce audit records containing information to establish the source of the events. | Router Security Requirements Guide
  • V-206720 | CAT II | The SDN controller must be configured to produce audit records containing information to establish the source of the events. | SDN Controller Security Requirements Guide
  • V-261411 | CAT II | SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
  • V-217191 | CAT II | SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-216256 | CAT II | Audit records must include the sources of the events that occurred. | Solaris 11 SPARC Security Technical Implementation Guide
  • V-216021 | CAT II | Audit records must include the sources of the events that occurred. | Solaris 11 X86 Security Technical Implementation Guide
  • V-279177 | CAT II | The Edge SWG must ensure inbound and outbound traffic is monitored for compliance with remote access security policies. | Symantec Edge SWG ALG Security Technical Implementation Guide
  • V-279255 | CAT II | The Edge SWG must produce audit records containing information to establish when (date and time) the events occurred. | Symantec Edge SWG NDM Security Technical Implementation Guide
  • V-94251 | CAT II | Symantec ProxySG must produce audit records containing information to establish the source of the events. | Symantec ProxySG ALG Security Technical Implementation Guide
  • V-242176 | CAT II | The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis. | Trend Micro TippingPoint IDPS Security Technical Implementation Guide
  • V-252973 | CAT II | TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-234331 | CAT II | The UEM server must be configured to produce audit records containing information to establish the source of the events. | Unified Endpoint Management Server Security Requirements Guide
  • V-240048 | CAT II | HAProxy must log the source of events. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
  • V-240283 | CAT II | vRA PostgreSQL database log file data must contain required data elements. | VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide
  • V-239780 | CAT II | The vROps PostgreSQL DB must produce audit records containing sufficient information to establish the sources (origins) of the events. | VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide
  • V-265612 | CAT III | The NSX Distributed Firewall must generate traffic log entries that can be sent by the ESXi hosts to the central syslog. | VMware NSX 4.x Distributed Firewall Security Technical Implementation Guide
  • V-265362 | CAT II | The NSX Tier-0 Gateway Firewall must generate traffic log entries. | VMware NSX 4.x Tier-0 Gateway Firewall Security Technical Implementation Guide
  • V-265488 | CAT II | The NSX Tier-1 Gateway firewall must generate traffic log entries. | VMware NSX 4.x Tier-1 Gateway Firewall Security Technical Implementation Guide
  • V-251727 | CAT II | The NSX-T Distributed Firewall must generate traffic log entries containing information to establish the details of the event. | VMware NSX-T Distributed Firewall Security Technical Implementation Guide
  • V-251762 | CAT III | The NSX-T Tier-1 Gateway Firewall must generate traffic log entries containing information to establish the details of the event. | VMware NSX-T Tier 1 Gateway Firewall Security Technical Implementation Guide
  • V-251737 | CAT III | The NSX-T Tier-0 Gateway Firewall must generate traffic log entries containing information to establish the details of the event. | VMware NSX-T Tier-0 Gateway Firewall Security Technical Implementation Guide
  • V-240223 | CAT II | Lighttpd must produce log records containing sufficient information to establish the source of events. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
  • V-240758 | CAT II | tc Server HORIZON must produce log records containing sufficient information to establish the source of events. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240759 | CAT II | tc Server VCO must produce log records containing sufficient information to establish the source of events. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240760 | CAT II | tc Server VCAC must produce log records containing sufficient information to establish the source of events. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240761 | CAT II | tc Server HORIZON must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240762 | CAT II | tc Server VCO must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-240763 | CAT II | tc Server VCAC must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
  • V-241608 | CAT II | tc Server UI must produce log records containing sufficient information to establish the source of events. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241609 | CAT II | tc Server CaSa must produce log records containing sufficient information to establish the source of events. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241610 | CAT II | tc Server API must produce log records containing sufficient information to establish the source of events. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241611 | CAT II | tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241612 | CAT II | tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-241613 | CAT II | tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
  • V-256650 | CAT II | VAMI must produce log records containing sufficient information to establish what type of events occurred. | VMware vSphere 7.0 VAMI Security Technical Implementation Guide
  • V-256677 | CAT II | ESX Agent Manager must record user access in a format that enables monitoring of remote access. | VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
  • V-256710 | CAT II | Lookup Service must record user access in a format that enables monitoring of remote access. | VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
  • V-256615 | CAT II | Performance Charts must record user access in a format that enables monitoring of remote access. | VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
  • V-256487 | CAT II | The Photon operating system must configure auditd to log to disk. | VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
  • V-256592 | CAT II | VMware Postgres log files must contain required fields. | VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide
  • V-256749 | CAT II | The Security Token Service must record user access in a format that enables monitoring of remote access. | VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
  • V-256782 | CAT II | vSphere UI must record user
access in a format that enables monitoring of remote access.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation GuideV-259006CAT IIThe vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details.VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation GuideV-259040CAT IIThe vCenter Lookup service must produce log records containing sufficient information regarding event details.VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation GuideV-259140CAT IIThe vCenter VAMI service must produce log records containing sufficient information to establish what type of events occurred.VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation GuideV-259074CAT IIThe vCenter Perfcharts service must produce log records containing sufficient information regarding event details.VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation GuideV-258808CAT IIThe Photon operating system must enable the auditd service.VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation GuideV-259171CAT IIThe vCenter PostgreSQL service must produce logs containing sufficient information to establish what type of events occurred.VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation GuideV-258974CAT IIThe vCenter STS service must produce log records containing sufficient information regarding event details.VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation GuideV-259107CAT IIThe vCenter UI service must produce log records containing sufficient information regarding event details.VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation GuideV-207355CAT IIThe VMM must produce audit records containing information to establish the source of the events.Virtual 
Machine Manager Security Requirements GuideV-207199CAT IIIThe VPN Gateway must generate log records containing information to establish the source of the events.Virtual Private Network (VPN) Security Requirements GuideV-206362CAT IIThe web server must produce log records containing sufficient information to establish the source of events.Web Server Security Requirements GuideV-206363CAT IIA web server, behind a load balancer or proxy server, must produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event.Web Server Security Requirements Guide