
CCI-001851

Definition

Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging.

Parent Control

AU-4 (1) | Audit Log Storage Capacity | Audit and Accountability

Linked STIG Checks (200)

  • V-237059 | CAT III | The A10 Networks ADC must, at a minimum, off-load audit log records onto a centralized log server. | A10 Networks ADC ALG Security Technical Implementation Guide
  • V-255617 | CAT II | The A10 Networks ADC must off-load audit records onto a different system or media than the system being audited. | A10 Networks ADC NDM Security Technical Implementation Guide
  • V-204690 | CAT II | AAA Services must be configured to send audit records to a centralized audit server. | AAA Services Security Requirements Guide
  • V-279070 | CAT II | ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | Adobe ColdFusion Security Technical Implementation Guide
  • V-76415 | CAT II | Kona Site Defender must off-load audit records onto a centralized log server. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-76417 | CAT III | Kona Site Defender must off-load audit records onto a centralized log server in real time. | Akamai KSD Service Impact Level 2 ALG Security Technical Implementation Guide
  • V-274019 | CAT II | Amazon Linux 2023 audispd-plugins package must be installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274020 | CAT II | Amazon Linux 2023 must have the rsyslog package installed. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274069 | CAT II | Amazon Linux 2023 must label all off-loaded audit logs before sending them to the central log server. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274070 | CAT II | Amazon Linux 2023 must take appropriate action when the internal event queue is full. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274076 | CAT II | Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274077 | CAT II | Amazon Linux 2023 must authenticate the remote logging server for off-loading audit logs via rsyslog. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274078 | CAT II | Amazon Linux 2023 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274079 | CAT II | Amazon Linux 2023 must encrypt via the gtls driver the transfer of audit records off-loaded onto a different system or media from the system being audited via rsyslog. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274080 | CAT III | Amazon Linux 2023 must be configured to off-load audit records onto a different system from the system being audited via syslog. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-274107 | CAT II | Amazon Linux 2023 must off-load audit records onto a different system in the event the audit storage volume is full. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268109 | CAT II | NixOS must authenticate the remote logging server for off-loading audit logs. | Anduril NixOS Security Technical Implementation Guide
  • V-214263 | CAT II | The Apache web server must not impede the ability to write specified log record content to an audit log server. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214264 | CAT II | The Apache web server must be configured to integrate with an organizations security infrastructure. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214348 | CAT II | The Apache web server must not impede the ability to write specified log record content to an audit log server. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-214349 | CAT II | The Apache web server must be configurable to integrate with an organizations security infrastructure. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-204995 | CAT II | The ALG must off-load audit records onto a centralized log server. | Application Layer Gateway Security Requirements Guide
  • V-205045 | CAT II | The ALG must off-load audit records onto a centralized log server in real time. | Application Layer Gateway Security Requirements Guide
  • V-205046 | CAT II | The ALG that is part of a CDS must have the capability to implement journaling. | Application Layer Gateway Security Requirements Guide
  • V-222481 | CAT II | The application must off-load audit records onto a different system or media than the system being audited. | Application Security and Development Security Technical Implementation Guide
  • V-222482 | CAT II | The application must be configured to write application logs to a centralized log repository. | Application Security and Development Security Technical Implementation Guide
  • V-204789 | CAT II | The application server must off-load log records onto a different system or media from the system being logged. | Application Server Security Requirements Guide
  • V-204833 | CAT II | The application server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. | Application Server Security Requirements Guide
  • V-272632 | CAT II | CylanceON-PREM must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-217374 | CAT II | The Arista Multilayer Switch must, at a minimum, off-load audit records for interconnected systems in real time. | Arista MLS DCS-7000 Series NDM Security Technical Implementation Guide
  • V-255966 | CAT I | The Arista network Arista device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO. | Arista MLS EOS 4.X NDM Security Technical Implementation Guide
  • V-276014 | CAT I | Ax-OS must off-load audit records onto a different system or media than the system being audited. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-224375 | CAT II | The BlackBerry UEM server must be configured to transfer BlackBerry UEM server logs to another server for storage, analysis, and reporting. Note: BlackBerry UEM server logs include logs of MDM events and logs transferred to the BlackBerry UEM server by MDM agents of managed devices. | BlackBerry UEM Security Technical Implementation Guide
  • V-237391 | CAT II | The CA API Gateway must off-load audit records onto a centralized log server. | CA API Gateway ALG Security Technical Implementation Guide
  • V-237417 | CAT II | The CA API Gateway must off-load audit records onto a centralized log server in real time. | CA API Gateway ALG Security Technical Implementation Guide
  • V-255525 | CAT III | The CA API Gateway must off-load audit records onto a different system or media than the system being audited. | CA API Gateway NDM Security Technical Implementation Guide
  • V-219153 | CAT III | The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system in real time, if the system is interconnected. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-219154 | CAT III | The Ubuntu operating system must have a crontab script running weekly to off-load audit events of standalone systems. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-219162 | CAT III | The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
  • V-238306 | CAT III | The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-238321 | CAT III | The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260587 | CAT III | Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone systems. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-260592 | CAT III | Ubuntu 22.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system from the system being audited. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270658 | CAT III | Ubuntu 24.04 LTS audit event multiplexor must be configured to offload audit logs onto a different system or storage media from the system being audited. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-270817 | CAT III | Ubuntu 24.04 LTS must have a crontab script running weekly to offload audit events of standalone systems. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-206491 | CAT II | The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited. | Central Log Server Security Requirements Guide
  • V-206511 | CAT III | The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum. | Central Log Server Security Requirements Guide
  • V-271931 | CAT I | The Cisco ACI must be configured to send log data to a central log server for log retention and forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco ACI NDM Security Technical Implementation Guide
  • V-239879 | CAT II | The Cisco ASA must be configured to off-load log records to a centralized log server. | Cisco ASA IPS Security Technical Implementation Guide
  • V-239943 | CAT I | The Cisco ASA must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to organization-defined personnel and/or the firewall administrator. | Cisco ASA NDM Security Technical Implementation Guide
  • V-220136 | CAT I | The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the ISSO. | Cisco IOS Router NDM Security Technical Implementation Guide
  • V-220620 | CAT I | The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco IOS Switch NDM Security Technical Implementation Guide
  • V-220139 | CAT I | The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco IOS XE Router NDM Security Technical Implementation Guide
  • V-220568 | CAT I | The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco IOS XE Switch NDM Security Technical Implementation Guide
  • V-216543 | CAT II | The Cisco router must be configured to off-load log records onto a different system than the system being audited. | Cisco IOS XR Router NDM Security Technical Implementation Guide
  • V-216547 | CAT I | The Cisco router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco IOS XR Router NDM Security Technical Implementation Guide
  • V-242627 | CAT II | The Cisco ISE must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited. | Cisco ISE NDM Security Technical Implementation Guide
  • V-242661 | CAT II | The Cisco ISE must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco ISE NDM Security Technical Implementation Guide
  • V-220512 | CAT II | The Cisco switch must be configured to off-load log records onto a different system than the system being audited. | Cisco NX OS Switch NDM Security Technical Implementation Guide
  • V-220516 | CAT I | The Cisco switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Cisco NX OS Switch NDM Security Technical Implementation Guide
  • V-259876 | CAT II | The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must perform centralized logging to capture and store log records. | Cloud Computing Mission Owner Operating System Security Requirements Guide
  • V-269509 | CAT II | AlmaLinux OS 9 audispd-plugins package must be installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269510 | CAT II | AlmaLinux OS 9 must label all offloaded audit logs before sending them to the central log server. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269511 | CAT II | AlmaLinux OS 9 must take appropriate action when the internal event queue is full. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269512 | CAT II | AlmaLinux OS 9 must be configured to offload audit records onto a different system from the system being audited via syslog. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269513 | CAT II | AlmaLinux OS 9 must authenticate the remote logging server for offloading audit logs via rsyslog. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269514 | CAT II | AlmaLinux OS 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269515 | CAT II | AlmaLinux OS 9 must encrypt, via the gtls driver, the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269516 | CAT II | AlmaLinux OS 9 must have the rsyslog package installed. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269517 | CAT III | AlmaLinux OS 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269518 | CAT II | The rsyslog service on AlmaLinux OS 9 must be active. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233169 | CAT II | Audit records must be stored at a secondary location. | Container Platform Security Requirements Guide
  • V-233610 | CAT II | PostgreSQL must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261967 | CAT II | PostgreSQL must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for standalone systems. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-237566 | CAT II | The DBN-6300 must off-load log records to a centralized log server. | DBN-6300 IDPS Security Technical Implementation Guide
  • V-237569 | CAT II | The DBN-6300 must off-load log records to a centralized log server in real time. | DBN-6300 IDPS Security Technical Implementation Guide
  • V-255582 | CAT II | The DBN-6300 must off-load audit records onto a different system or media than the system being audited. | DBN-6300 NDM Security Technical Implementation Guide
  • V-206642 | CAT II | The DBMS must off-load audit data to a separate log management facility; this shall be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | Database Security Requirements Guide
  • V-269803 | CAT I | The Dell OS10 Switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Dell OS10 Switch NDM Security Technical Implementation Guide
  • V-235778 | CAT II | The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-235833 | CAT II | All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM). | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
  • V-270944 | CAT II | The Dragos Platform must be configured to send backup audit records. | Dragos Platform 2.x Security Technical Implementation Guide
  • V-224240 | CAT II | The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
  • V-213667 | CAT II | The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
  • V-259970 | CAT II | The Enterprise Voice, Video, and Messaging Endpoint must offload audit records onto a different system or media than the system being audited. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-259978 | CAT II | The Enterprise Voice, Video, and Messaging Endpoint must, at a minimum, offload interconnected systems in real-time and offload standalone systems weekly. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
  • V-260024 | CAT I | The Enterprise Voice, Video, and Messaging Session Manager must be configured to offload session (call) records to a central log server. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
  • V-259328 | CAT II | The EDB Postgres Advanced Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-217418 | CAT II | The BIG-IP appliance must be configured to off-load audit records onto a different system or media than the system being audited. | F5 BIG-IP Device Management Security Technical Implementation Guide
  • V-266256 | CAT II | The F5 BIG-IP appliance must generate traffic log entries containing information to establish the details of the event, including success or failure of the application of the firewall rule. | F5 BIG-IP TMOS Firewall Security Technical Implementation Guide
  • V-266075 | CAT I | The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
  • V-278396 | CAT I | NGINX must off-load audit records to a central log server. | F5 NGINX Security Technical Implementation Guide
  • V-206699 | CAT II | The firewall must be configured to send traffic log entries to a central audit server for management and configuration of the traffic log entries. | Firewall Security Requirements Guide
  • V-237579 | CAT II | CounterACT must off-load audit records onto a centralized log server. | ForeScout CounterACT ALG Security Technical Implementation Guide
  • V-237582 | CAT II | CounterACT must off-load audit records onto a centralized log server in real time. | ForeScout CounterACT ALG Security Technical Implementation Guide
  • V-255655 | CAT II | CounterACT must sent audit logs to a centralized audit server (i.e., syslog server). | ForeScout CounterACT NDM Security Technical Implementation Guide
  • V-233324 | CAT II | Forescout must off-load log records onto a different system. This is required for compliance with C2C Step 1. | Forescout Network Access Control Security Technical Implementation Guide
  • V-230943 | CAT III | The Forescout must configure a remote syslog where audit records are stored on a centralized logging target that is different from the system being audited. | Forescout Network Device Management Security Technical Implementation Guide
  • V-234181 | CAT II | The FortiGate device must off-load audit records on to a different system or media than the system being audited. | Fortinet FortiGate Firewall NDM Security Technical Implementation Guide
  • V-234149 | CAT II | The FortiGate firewall must send traffic log entries to a central audit server for management and configuration of the traffic log entries. | Fortinet FortiGate Firewall Security Technical Implementation Guide
  • V-203701 | CAT III | The operating system must offload audit records onto a different system or media from the system being audited. | General Purpose Operating System Security Requirements Guide
  • V-203777 | CAT II | The operating system must, at a minimum, off-load audit data from interconnected systems in real time and off-load audit data from standalone systems weekly. | General Purpose Operating System Security Requirements Guide
  • V-217478 | CAT II | The HP FlexFabric Switch must off-load audit records onto a different system or media than the system being audited. | HP FlexFabric Switch NDM Security Technical Implementation Guide
  • V-255257 | CAT II | SSMC web server must generate information to be used by external applications or entities to monitor and control remote access. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-255266 | CAT II | SSMC web server must not impede the ability to write specified log record content to an audit log server. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
  • V-255284 | CAT II | The HPE 3PAR OS must be configured to offload audit records onto a different system or media from the system being audited. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
  • V-283429 | CAT I | The HPE Alletra Storage ArcusOS device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required. | HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide
  • V-266966 | CAT II | AOS must off-load audit records onto a different system or media than the system being audited. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
  • V-266977 | CAT I | AOS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
  • V-252203 | CAT II | The HPE Nimble must configure a syslog server onto a different system or media than the system being audited. | HPE Nimble Storage Array NDM Security Technical Implementation Guide
  • V-268253 | CAT II | The HYCU virtual appliance must off-load audit records onto a different system or media than the system being audited. | HYCU Protege Security Technical Implementation Guide
  • V-268303 | CAT I | The HYCU virtual appliance must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | HYCU Protege Security Technical Implementation Guide
  • V-235051 | CAT II | The Honeywell Mobility Edge Android Pie device must be configured to enable audit logging. | Honeywell Android 9.x COBO Security Technical Implementation Guide
  • V-235080 | CAT II | The Honeywell Mobility Edge Android Pie device must be configured to enable audit logging. | Honeywell Android 9.x COPE Security Technical Implementation Guide
  • V-215312 | CAT II | AIX must implement a remote syslog server that is documented using site-defined procedures. | IBM AIX 7.x Security Technical Implementation Guide
  • V-219956 | CAT II | AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. | IBM AIX 7.x Security Technical Implementation Guide
  • V-213762 | CAT II | DB2 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | IBM DB2 V10.5 LUW Security Technical Implementation Guide
  • V-65259 | CAT II | The DataPower Gateway must off-load audit records onto a centralized log server. | IBM DataPower ALG Security Technical Implementation Guide
  • V-65315 | CAT III | The DataPower Gateway must off-load audit records onto a centralized log server in real time. | IBM DataPower ALG Security Technical Implementation Guide
  • V-65171 | CAT II | The DataPower Gateway must off-load audit records onto a different system or media than the system being audited. | IBM DataPower Network Device Management Security Technical Implementation Guide
  • V-255777 | CAT II | The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255815 | CAT II | The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
  • V-255768 | CAT II | The MQ Appliance network device must off-load audit records onto a different system or media than the system being audited. | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
  • V-82153 | CAT II | The MaaS360 MDM server must be configured to transfer MaaS360 MDM server logs to another server for storage, analysis, and reporting. Note: MaaS360 MDM server logs include logs of MDM events and logs transferred to the MaaS360 MDM server by MDM agents of managed devices. | IBM MaaS360 with Watson v10.x MDM Security Technical Implementation Guide
  • V-250327 | CAT II | The WebSphere Liberty Server must be configured to offload logs to a centralized system. | IBM WebSphere Liberty Server Security Technical Implementation Guide
  • V-223548 | CAT II | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223585 | CAT II | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | IBM z/OS ACF2 Security Technical Implementation Guide
  • V-223771 | CAT II | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223805 | CAT II | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | IBM z/OS RACF Security Technical Implementation Guide
  • V-224022 | CAT II | IBM z/OS System Administrators must develop an automated process to collect and retain SMF data. | IBM z/OS TSS Security Technical Implementation Guide
  • V-224042 | CAT II | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | IBM z/OS TSS Security Technical Implementation Guide
  • V-237938 | CAT II | CA VM:Secure product audit records must offload audit records to a different system or media. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-237939 | CAT II | CA VM:Secure product audit records must be offloaded on a weekly basis. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
  • V-224766 | CAT II | The ISEC7 SPHERE must back up audit records at least every seven days onto a different system or system component than the system or component being audited, provide centralized management and configuration of the content to be captured in audit records generated by all ISEC7 SPHERE components, and offload audit records onto a different system or media than the system being audited. | ISEC7 Sphere Security Technical Implementation Guide
  • V-55325 | CAT II | The IDPS must off-load log records to a centralized log server. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
  • V-55327 | CAT II | The IDPS must off-load log records to a centralized log server in real-time. | Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
  • V-206902 | CAT II | The IDPS must off-load log records to a centralized log server. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-206922 | CAT II | The IDPS must off-load log records to a centralized log server in real-time. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-258599 | CAT I | The ICS must be configured to send admin log data to a redundant central log server. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-258592 | CAT II | The ICS must be configured to send user traffic log data to redundant central log server. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-251415 | CAT II | The Ivanti EPMM server must be configured to transfer Ivanti EPMM server logs to another server for storage, analysis, and reporting. Note: Ivanti EPMM server logs include logs of UEM events and logs transferred to the Ivanti EPMM server by UEM agents of managed devices. | Ivanti EPMM Server Security Technical Implementation Guide
  • V-251421 | CAT II | The Ivanti EPMM server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly. | Ivanti EPMM Server Security Technical Implementation Guide
  • V-251415 | CAT II | The Ivanti MobileIron Core server must be configured to transfer Ivanti MobileIron Core server logs to another server for storage, analysis, and reporting. Note: Ivanti MobileIron Core server logs include logs of UEM events and logs transferred to the Ivanti MobileIron Core server by UEM agents of managed devices. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
  • V-251421 | CAT II | The Ivanti MobileIron Core server must, at a minimum, off-load audit logs of interconnected systems in real time and off-load standalone systems weekly. | Ivanti MobileIron Core MDM Server Security Technical Implementation Guide
  • V-251030 | CAT III | The Sentry must offload audit records onto a centralized log server. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
  • V-251039 | CAT III | The Sentry must offload audit records onto a centralized log server in real time. | Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation Guide
  • V-251002 | CAT III | MobileIron Sentry must off-load audit records onto a different system or media than the system being audited. | Ivanti MobileIron Sentry 9.x NDM Security Technical Implementation Guide
  • V-251030 | CAT III | The Sentry must offload audit records onto a centralized log server. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-251039 | CAT III | The Sentry must offload audit records onto a centralized log server in real time. | Ivanti Sentry 9.x ALG Security Technical Implementation Guide
  • V-251002 | CAT III | Sentry must offload audit records onto a different system or media than the system being audited. | Ivanti Sentry 9.x NDM Security Technical Implementation Guide
  • V-213541 | CAT II | The JBoss server must be configured to utilize syslog logging. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-213559 | CAT II | JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
  • V-241793 | CAT II | The Jamf Pro EMM server must be configured to transfer Jamf Pro EMM server logs to another server for storage, analysis, and reporting. Note: Jamf Pro EMM server logs include logs of MDM events and logs transferred to the Jamf Pro EMM server by MDM agents of managed devices. | Jamf Pro v10.x EMM Security Technical Implementation Guide
  • V-253937 | CAT II | The Juniper EX switch must be configured to offload audit records onto a different system or media than the system being audited. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-253944 | CAT I | The Juniper EX switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-217348 | CAT II | The Juniper router must be configured to off-load log records onto a different system than the system being audited. | Juniper Router NDM Security Technical Implementation Guide
  • V-220141 | CAT I | The Juniper router must be configured to send log data to at least two syslog servers for the purpose of forwarding alerts to the administrators and the Information System Security Officers (ISSO). | Juniper Router NDM Security Technical Implementation Guide
  • V-214521 | CAT II | The Juniper SRX Services Gateway Firewall must be configured to support centralized management and configuration of the audit log. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-213893 | CAT II | SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | MS SQL Server 2014 Instance Security Technical Implementation Guide
  • V-214025 | CAT II | The system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | MS SQL Server 2016 Instance Security Technical Implementation Guide
  • V-205554 | CAT II | The Mainframe Product must off-load audit records onto a different system or media than the system being audited. | Mainframe Product Security Requirements Guide
  • V-253776 | CAT II | MariaDB must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-220417 | CAT III | MarkLogic Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | MarkLogic Server v9 Security Technical Implementation Guide
  • V-255377 | CAT II | Azure SQL Database must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems. | Microsoft Azure SQL Database Security Technical Implementation Guide
  • V-276265 | CAT II | Azure SQL Managed Instance must store audit records in an immutable blob storage container for an organizationally defined period of time. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-272889 | CAT I | Microsoft Defender for Endpoint (MDE) must be connected to a central log server. | Microsoft Defender for Endpoint Security Technical Implementation Guide
  • V-270227 | CAT II | Microsoft Entra ID must be configured to transfer logs to another server for storage, analysis, and reporting. | Microsoft Entra ID Security Technical Implementation Guide
  • V-218786 | CAT II | Both the log file and Event Tracing for Windows (ETW) for the IIS 10.0 web server must be enabled. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
  • V-273868 | CAT II | Microsoft Intune service must be configured to transfer Intune logs to
another server for storage, analysis, and reporting at least every seven days.Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation GuideV-273868CAT IIMicrosoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation GuideV-271385CAT IIThe system SQL Server must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.Microsoft SQL Server 2022 Instance Security Technical Implementation GuideV-224875CAT IIAudit records must be backed up to a different system or media than the system being audited.Microsoft Windows Server 2016 Security Technical Implementation GuideV-224876CAT IIWindows Server 2016 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.Microsoft Windows Server 2016 Security Technical Implementation GuideV-205799CAT IIWindows Server 2019 audit records must be backed up to a different system or media than the system being audited.Microsoft Windows Server 2019 Security Technical Implementation GuideV-205843CAT IIWindows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.Microsoft Windows Server 2019 Security Technical Implementation GuideV-254294CAT IIWindows Server 2022 audit records must be backed up to a different system or media than the system being audited.Microsoft Windows Server 2022 Security Technical Implementation GuideV-254295CAT IIWindows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.Microsoft Windows Server 2022 
Security Technical Implementation GuideV-278041CAT IIWindows Server 2025 audit records must be backed up to a different system or media than the system being audited.Microsoft Windows Server 2025 Security Technical Implementation GuideV-278042CAT IIWindows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real time and off-load stand-alone or nondomain-joined systems weekly.Microsoft Windows Server 2025 Security Technical Implementation GuideV-260915CAT IIMKE must be configured to send audit data to a centralized log server.Mirantis Kubernetes Engine Security Technical Implementation GuideV-91811CAT IIThe MobileIron Core v10 server must be configured to transfer MobileIron Core v10 server logs to another server for storage, analysis, and reporting. Note: MobileIron Core v10 server logs include logs of MDM events and logs transferred to the MobileIron Core v10 server by MDM agents of managed devices.MobileIron Core v10.x MDM Security Technical Implementation GuideV-221160CAT IIMongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.MongoDB Enterprise Advanced 3.x Security Technical Implementation GuideV-252134CAT IIMongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.MongoDB Enterprise Advanced 4.x Security Technical Implementation GuideV-265953CAT IIMongoDB must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for standalone systems.MongoDB Enterprise Advanced 7.x Security Technical Implementation GuideV-279394CAT IIMongoDB must off-load audit data to a separate log management facility; this shall be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.MongoDB Enterprise Advanced 8.x 
Security Technical Implementation GuideV-246964CAT IONTAP must be configured to send audit log data to a central log server.NetApp ONTAP DSC 9.x Security Technical Implementation GuideV-202127CAT IIThe network device must off-load audit records onto a different system or media than the system being audited.Network Device Management Security Requirements GuideV-213467CAT IThe network device must be configured to send log data to at least one central log server for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO). For boundary devices, two log servers are required.Network Device Management Security Requirements GuideV-254103CAT IINutanix AOS must offload log records onto a syslog server.Nutanix AOS 5.20.x Application Security Technical Implementation GuideV-254179CAT IINutanix AOS must offload audit records to a syslog server.Nutanix AOS 5.20.x OS Security Technical Implementation GuideV-279424CAT IINutanix AOS must off-load log records onto a different system or media from the system being logged.Nutanix Acropolis Application Server Security Technical Implementation GuideV-279567CAT IIINutanix OS must be configured to send audit records to a site-specific remote syslog server.Nutanix Acropolis GPOS Security Technical Implementation GuideV-273202CAT IOkta must off-load audit records onto a central log server.Okta Identity as a Service (IDaaS) Security Technical Implementation GuideV-237747CAT IIOracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.Oracle Database 12c Security Technical Implementation GuideV-270507CAT IIOracle Database must off-load audit data to a separate log management facility; this must be continuous and in near-real-time for systems with a network connection to the storage facility, and weekly or more often 
for stand-alone systems.Oracle Database 19c Security Technical Implementation GuideV-221338CAT IIOHS must be configured to store error log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221339CAT IIOHS must be configured to store access log files to an appropriate storage device from which other tools can be configured to reference those log files for diagnostic/forensic purposes.Oracle HTTP Server 12.1.3 Security Technical Implementation GuideV-221767CAT IIThe Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.Oracle Linux 7 Security Technical Implementation GuideV-221768CAT IIThe Oracle Linux operating system must take appropriate action when the remote logging buffer is full.Oracle Linux 7 Security Technical Implementation GuideV-221769CAT IIThe Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.Oracle Linux 7 Security Technical Implementation Guide