V-222475

Discussion

Without establishing the source, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In the case of centralized logging, or other instances where log files are consolidated, there is risk that the application's log data could be co-mingled with other log data. To address this issue, the application itself must be identified as well as the application host or client name. In order to compile an accurate risk assessment, and provide forensic analysis, it is essential for security personnel to know the source of the event, particularly in the case of centralized logging. Associating information about the source of the event within the application provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured application.

Check Content

If the application is logging locally and does not utilize a centralized logging solution, this requirement is not applicable.

Review system documentation and identify log location.  Access the application logs.

Review the application logs.

Ensure the application is uniquely identified either within the logs themselves or via log storage mechanisms.

Ensure the hosts or client names hosting the application are also identified.  Either hostname or IP address is acceptable.

If the application name and the hosts or client names are not identified, this is a finding.