
Central Log Server Security Requirements Guide

Version: V3R4
Release Date: Feb 12, 2026
SCAP Benchmark ID: Central_Log_Server_SRG
Total Checks: 127
Tags: other
Severity breakdown: CAT I (HIGH): 13, CAT II (MEDIUM): 68, CAT III (LOW): 46

This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (127)

  • V-206447 [HIGH] The Central Log Server must be configured to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • V-206448 [MEDIUM] The Central Log Server must be configured to protect the data sent from hosts and devices from being altered in a way that may prevent the attribution of an action to an individual (or process acting on behalf of an individual).
  • V-206449 [LOW] The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.
  • V-206450 [LOW] Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP time source must be the same as the host and devices within its scope of coverage.
  • V-206451 [MEDIUM] Where multiple log servers are installed in the enclave, each log server must be configured to aggregate log records to a central aggregation server or other consolidated events repository.
  • V-206453 [MEDIUM] The Central Log Server must be configured to retain the DoD-defined attributes of the log records sent by the devices and hosts.
  • V-206454 [LOW] The Central Log Server must be configured to allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be retained.
  • V-206455 [LOW] The Central Log Server must be configured to perform analysis of log records across multiple devices and hosts in the enclave that can be reviewed by authorized individuals.
  • V-206456 [LOW] The Central Log Server must be configured to perform on-demand filtering of the log records for events of interest based on organization-defined criteria.
  • V-206457 [LOW] The Central Log Server must be configured to use internal system clocks to generate time stamps for log records.
  • V-206458 [LOW] The Central Log Server must be configured to back up the log records repository at least every seven days onto a different system or system component other than the system or component being audited.
  • V-206459 [LOW] The Central Log Server system backups must be retained for a minimum of 5 years for SAMI (Sources and Methods Information) and a minimum of 7 days for non-SAMI on media capable of guaranteeing file integrity for the minimum applicable information retention period.
  • V-206460 [HIGH] The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-206461 [MEDIUM] The Central Log Server must use multifactor authentication for network access to privileged user accounts.
  • V-206462 [MEDIUM] The Central Log Server must use multifactor authentication for network access to non-privileged user accounts.
  • V-206463 [MEDIUM] The Central Log Server must use multifactor authentication for local access using privileged user accounts.
  • V-206464 [MEDIUM] The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  • V-206465 [MEDIUM] The Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
  • V-206466 [MEDIUM] The Central Log Server must disable accounts (individuals, groups, roles, and devices) after 35 days of inactivity.
  • V-206467 [MEDIUM] The Central Log Server must be configured to enforce a minimum 15-character password length.
  • V-206469 [LOW] The Central Log Server must be configured to enforce password complexity by requiring that at least one uppercase character be used.
  • V-206470 [LOW] The Central Log Server must be configured to enforce password complexity by requiring that at least one lowercase character be used.
  • V-206471 [LOW] The Central Log Server must be configured to enforce password complexity by requiring that at least one numeric character be used.
  • V-206472 [LOW] The Central Log Server must be configured to enforce password complexity by requiring that at least one special character be used.
  • V-206473 [LOW] The Central Log Server must be configured to require the change of at least eight of the total number of characters when passwords are changed.
  • V-206474 [HIGH] For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.
  • V-206475 [HIGH] For accounts using password authentication, the Central Log Server must use FIPS-validated SHA-1 or later protocol to protect the integrity of the password authentication process.
  • V-206476 [LOW] The Central Log Server must be configured to enforce 24 hours/1 day as the minimum password lifetime.
  • V-206477 [LOW] The Central Log Server must be configured to enforce a 60-day maximum password lifetime restriction.
  • V-206478 [HIGH] The Central Log Server, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • V-206479 [HIGH] The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-206480 [LOW] The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication.
  • V-206481 [HIGH] The Central Log Server must obfuscate authentication information during the authentication process so that the authentication is not visible.
  • V-206482 [HIGH] The Central Log Server must use FIPS-validated SHA-1 or higher hash function to protect the integrity of keyed-hash message authentication code (HMAC), Key Derivation Functions (KDFs), Random Bit Generation, hash-only applications, and digital signature verification (legacy use only).
  • V-206483 [MEDIUM] The Central Log Server must be configured to perform audit reduction that supports on-demand reporting requirements.
  • V-206484 [LOW] For devices and hosts within its scope of coverage, the Central Log Server must be configured to notify the system administrator (SA) and information system security officer (ISSO) when account modification events are received.
  • V-206485 [LOW] For devices and hosts within its scope of coverage, the Central Log Server must notify the system administrator (SA) and information system security officer (ISSO) when events indicating account disabling actions are received.
  • V-206486 [LOW] For devices and hosts within its scope of coverage, the Central Log Server must notify the System Administrator (SA) and Information System Security Officer (ISSO) when events indicating account removal actions are received.
  • V-206491 [MEDIUM] The Central Log Server must be configured to off-load log records onto a different system or media than the system being audited.
  • V-206492 [LOW] The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity.
  • V-206493 [LOW] For the host and devices within its scope of coverage, the Central Log Server must be configured to send a real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.
  • V-206495 [LOW] The Central Log Server must be configured to perform on-demand sorting of log records for events of interest based on the content of organization-defined audit fields within log records.
  • V-206496 [LOW] The Central Log Server must be configured to perform on-demand searches of log records for events of interest based on the content of organization-defined audit fields within log records.
  • V-206497 [MEDIUM] The Central Log Server must be configured to perform audit reduction that supports on-demand audit review and analysis.
  • V-206498 [LOW] The Central Log Server must be configured to perform audit reduction that supports after-the-fact investigations of security incidents.
  • V-206499 [LOW] The Central Log Server must be configured to generate on-demand audit review and analysis reports.
  • V-206500 [LOW] The Central Log Server must be configured to generate reports that support on-demand reporting requirements.
  • V-206501 [LOW] The Central Log Server must be configured to generate reports that support after-the-fact investigations of security incidents.
  • V-206502 [LOW] The Central Log Server must be configured to perform audit reduction that does not alter original content or time ordering of log records.
  • V-206503 [LOW] The Central Log Server must be configured to generate reports that do not alter original content or time ordering of log records.
  • V-206504 [LOW] Upon receipt of the log record from hosts and devices, the Central Log Server must be configured to record time stamps of the time of receipt that can be mapped to Coordinated Universal Time (UTC).
  • V-206505 [LOW] The Central Log Server must be configured to record time stamps for when log records are received by the log server that meet a granularity of one second for a minimum degree of precision.
  • V-206506 [MEDIUM] The Central Log Server must be configured to accept the DoD CAC credential to support identity management and personal authentication.
  • V-206507 [MEDIUM] The Central Log Server must be configured to electronically verify the DoD CAC credential.
  • V-206509 [HIGH] The Central Log Server must be configured to protect the confidentiality and integrity of transmitted information.
  • V-206510 [HIGH] The Central Log Server must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and/or to protect unclassified information requiring confidentiality and cryptographic protection.
  • V-206511 [LOW] The Central Log Server must be configured to off-load interconnected systems in real time and off-load standalone systems weekly, at a minimum.
  • V-206512 [MEDIUM] The Central Log Server must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.
  • V-206513 [MEDIUM] The Central Log Server that aggregates log records from hosts and devices must be configured to use TCP for transmission.
  • V-206514 [MEDIUM] The Central Log Server must be configured to notify the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, when an attack is detected on multiple devices and hosts within its scope of coverage.
  • V-206515 [MEDIUM] The Central Log Server must be configured to automatically create trouble tickets for organization-defined threats and events of interest as they are detected in real time (within seconds).
  • V-206516 [MEDIUM] For devices and hosts within the scope of coverage, the Central Log Server must be configured to automatically aggregate events that indicate account actions.
  • V-206517 [MEDIUM] The Central Log Server must be configured with the organization-defined severity or criticality levels of each event that is being sent from individual devices or hosts.
  • V-206518 [MEDIUM] Analysis, viewing, and indexing functions, services, and applications used as part of the Central Log Server must be configured to comply with DoD-trusted path and access requirements.
  • V-221900 [MEDIUM] The Central Log Server must automatically audit account creation.
  • V-221901 [MEDIUM] The Central Log Server must automatically audit account modification.
  • V-221902 [MEDIUM] The Central Log Server must automatically audit account disabling actions.
  • V-221903 [MEDIUM] The Central Log Server must automatically audit account removal actions.
  • V-221904 [MEDIUM] The Central Log Server must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period.
  • V-221905 [LOW] The Central Log Server must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the Central Log Server.
  • V-221906 [LOW] The Central Log Server must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-221907 [LOW] The Central Log Server must initiate session auditing upon startup.
  • V-221908 [LOW] The Central Log Server must produce audit records containing information to establish what type of events occurred.
  • V-221909 [LOW] The Central Log Server must produce audit records containing information to establish when (date and time) the events occurred.
  • V-221910 [LOW] The Central Log Server must produce audit records containing information to establish where the events occurred.
  • V-221911 [LOW] The Central Log Server must produce audit records containing information to establish the source of the events.
  • V-221912 [LOW] The Central Log Server must produce audit records that contain information to establish the outcome of the events.
  • V-221913 [LOW] The Central Log Server must generate audit records containing information that establishes the identity of any individual or process associated with the event.
  • V-221914 [MEDIUM] The Central Log Server must protect audit information from any type of unauthorized read access.
  • V-221915 [MEDIUM] The Central Log Server must protect audit information from unauthorized modification.
  • V-221916 [MEDIUM] The Central Log Server must protect audit information from unauthorized deletion.
  • V-221917 [MEDIUM] The Central Log Server must protect audit tools from unauthorized access.
  • V-221918 [MEDIUM] The Central Log Server must protect audit tools from unauthorized modification.
  • V-221919 [MEDIUM] The Central Log Server must protect audit tools from unauthorized deletion.
  • V-221920 [MEDIUM] The Central Log Server must be configured to disable non-essential capabilities.
  • V-221921 [LOW] The Central Log Server must notify system administrators and ISSO when accounts are created.
  • V-221922 [MEDIUM] The Central Log Server must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
  • V-221923 [MEDIUM] The Central Log Server must provide a logout capability for user initiated communication session.
  • V-221924 [LOW] The Central Log Server must display an explicit logout message to users indicating the reliable termination of authenticated communications sessions.
  • V-221925 [MEDIUM] The Central Log Server must automatically lock the account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded.
  • V-221926 [LOW] The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
  • V-221927 [MEDIUM] The Central Log Server must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
  • V-221928 [MEDIUM] The Central Log Server must generate audit records when successful/unsuccessful logon attempts occur.
  • V-221929 [HIGH] The Central Log Server must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use).
  • V-241819 [LOW] The System Administrator (SA) and Information System Security Manager (ISSM) must configure the retention of the log records based on criticality level, event type, and/or retention period, at a minimum.
  • V-241820 [LOW] The Central Log Server must be configured so changes made to the level and type of log records stored in the centralized repository must take effect immediately without the need to reboot or restart the application.
  • V-263557 [MEDIUM] The Central Log Server must disable accounts when the accounts are no longer associated to a user.
  • V-263558 [MEDIUM] The Central Log Server must implement the capability to centrally review and analyze audit records from multiple components within the system.
  • V-263559 [MEDIUM] The Central Log Server must implement an audit reduction capability that supports on-demand audit review and analysis.
  • V-263560 [MEDIUM] The Central Log Server must implement an audit reduction capability that supports on-demand reporting requirements.
  • V-263561 [MEDIUM] The Central Log Server must implement an audit reduction capability that supports after-the-fact investigations of incidents.
  • V-263562 [MEDIUM] The Central Log Server must implement a report generation capability that supports on-demand audit review and analysis.
  • V-263563 [MEDIUM] The Central Log Server must implement a report generation capability that supports on-demand reporting requirements.
  • V-263564 [MEDIUM] The Central Log Server must implement a report generation capability that supports after-the-fact investigations of incidents.
  • V-263565 [MEDIUM] The Central Log Server must implement an audit reduction capability that does not alter original content or time ordering of audit records.
  • V-263566 [MEDIUM] The Central Log Server must implement a report generation capability that does not alter original content or time ordering of audit records.
  • V-263567 [MEDIUM] The Central Log Server must implement the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records.
  • V-263568 [MEDIUM] The Central Log Server must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-263569 [MEDIUM] The Central Log Server must implement the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined system components based on organization-defined selectable event criteria within organization-defined time thresholds.
  • V-263570 [MEDIUM] The Central Log Server must automatically generate audit records of the enforcement actions.
  • V-263571 [MEDIUM] The Central Log Server must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
  • V-263572 [MEDIUM] The Central Log Server must require users to be individually authenticated before granting access to the shared accounts or resources.
  • V-263573 [MEDIUM] The Central Log Server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
  • V-263574 [MEDIUM] The Central Log Server must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
  • V-263575 [MEDIUM] The Central Log Server must for password-based authentication, update the list of passwords on an organization-defined frequency.
  • V-263576 [MEDIUM] The Central Log Server must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
  • V-263577 [MEDIUM] The Central Log Server must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
  • V-263578 [MEDIUM] The Central Log Server must for password-based authentication, require immediate selection of a new password upon account recovery.
  • V-263579 [MEDIUM] The Central Log Server must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
  • V-263580 [MEDIUM] The Central Log Server must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators.
  • V-263581 [MEDIUM] The Central Log Server must for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.
  • V-263582 [MEDIUM] The Central Log Server must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  • V-263583 [MEDIUM] The Central Log Server must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
  • V-263584 [MEDIUM] The Central Log Server must synchronize system clocks within and between systems or system components.
  • V-263585 [MEDIUM] The Central Log Server must compare the internal system clocks on an organization-defined frequency with organization-defined authoritative time source.
  • V-278988 [HIGH] The Central Log Server must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
  • V-278989 [HIGH] The Central Log Server must be a version supported by the vendor.
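Several of the requirements above describe concrete behaviour on the ingestion path of a log server: stamping each record with a time of receipt that maps to UTC at one-second granularity (V-206504, V-206505), retaining the identity of the originating host (V-206512), keeping the received content unaltered so that attribution survives (V-206448, V-206502), flagging sources whose clocks drift more than a second from the server (V-206450), and alerting at 75 percent of repository capacity (V-206492). The Python sketch below is an added illustration of how those behaviours fit together; it is not part of the SRG, not a DISA check procedure, and not code from any product. The RFC 5424 header parser, the record layout, the function names and the sample syslog lines (including the server clock reading) are all constructed for the example.

```python
"""Ingestion-side checks for a central log server: time-of-receipt stamping,
origin retention, clock-skew detection, storage alerting and order-preserving
audit reduction. Example code written for this page; sample data is constructed."""
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

MAX_SKEW_SECONDS = 1.0          # V-206450: source clocks within one second of the log server
STORAGE_ALERT_FRACTION = 0.75   # V-206492: alert at 75 percent of repository capacity


def _parse_timestamp(text):
    """RFC 5424 TIMESTAMP -> aware UTC datetime; None for NILVALUE or anything not mappable to UTC."""
    if text == "-":
        return None
    try:
        ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:       # no zone means the value cannot be mapped to UTC (V-206504)
        return None
    return ts.astimezone(timezone.utc)


def ingest(raw, received_at, peer_addr):
    """Build the stored record for one received message without rewriting it.

    received_at -- the log server's own clock at receipt (aware datetime, V-206457)
    peer_addr   -- transport-layer peer; fallback source identity if the header has none
    """
    findings = []
    source_host, event_time = peer_addr, None
    m = _HEADER.match(raw)
    if m is None:
        findings.append("header not RFC 5424; source taken from transport peer")
    else:
        if m.group("host") != "-":
            source_host = m.group("host")
        else:
            findings.append("HOSTNAME is NILVALUE; source taken from transport peer")
        event_time = _parse_timestamp(m.group("ts"))
        if event_time is None:
            findings.append("event timestamp missing or not mappable to UTC")

    received_utc = received_at.astimezone(timezone.utc)
    skew = None
    if event_time is not None:
        # Receipt minus event time; network latency is included, so this is a heuristic for V-206450.
        skew = (received_utc - event_time).total_seconds()
        if abs(skew) > MAX_SKEW_SECONDS:
            findings.append(f"sender clock skew {skew:+.1f}s exceeds {MAX_SKEW_SECONDS:.0f}s")

    return {
        "raw": raw,                                   # original content kept verbatim (V-206448, V-206502)
        "source_host": source_host,                   # identity of the original source (V-206512)
        "transport_peer": peer_addr,
        "received_at_utc": received_utc.replace(microsecond=0).isoformat(),  # one-second granularity (V-206505)
        "event_time_utc": event_time.isoformat() if event_time else None,
        "skew_seconds": skew,
        "findings": findings,
    }


def storage_alert(used_bytes, capacity_bytes, threshold=STORAGE_ALERT_FRACTION):
    """True once repository use reaches the alert threshold (V-206492)."""
    if capacity_bytes <= 0:
        raise ValueError("capacity_bytes must be positive")
    return used_bytes / capacity_bytes >= threshold


def reduce_records(records, predicate):
    """Audit reduction: select records of interest, keeping content and receipt order (V-206502)."""
    return [r for r in records if predicate(r)]


# Constructed sample input: (transport peer, raw line) pairs and the server's clock at receipt.
RECEIVED_AT = datetime(2026, 2, 12, 10, 15, 30, 750000, tzinfo=timezone.utc)
SAMPLE_LINES = [
    ("10.0.0.11", "<34>1 2026-02-12T10:15:30Z host1.example.mil sshd 2231 ID47 - Accepted publickey for alice from 10.0.0.5"),
    ("10.0.0.12", "<34>1 2026-02-12T11:15:30+01:00 host2.example.mil sshd 2240 ID47 - Accepted publickey for bob from 10.0.0.6"),
    ("10.0.0.13", "<86>1 2026-02-12T10:14:20Z host3.example.mil sudo - - - carol : COMMAND=/bin/systemctl stop auditd"),
    ("10.0.0.14", "<13>1 - - app 99 - - heartbeat"),
    ("10.0.0.15", "<34>Feb 12 10:15:30 host5 sshd[2231]: Failed password for root from 10.0.0.9"),
]


def ingest_all(lines=SAMPLE_LINES, received_at=RECEIVED_AT):
    """Ingest every constructed sample line against the constructed server clock."""
    return [ingest(raw, received_at, peer) for peer, raw in lines]


if __name__ == "__main__":
    for rec in ingest_all():
        print(rec["received_at_utc"], rec["source_host"], rec["findings"] or "ok")
    print("storage alert:", storage_alert(used_bytes=760, capacity_bytes=1000))
```

Two design points carry over to a real deployment. A record that fails to parse is still stored verbatim with the transport peer as its source, rather than dropped or rewritten, because losing or altering the record is exactly what V-206448 and V-206493 are meant to prevent. The skew check compares the sender's own timestamp with the server's receipt time, so it includes transport delay; it is a trigger for investigating a host's NTP configuration, not a substitute for the clock comparison against an authoritative source that V-263585 calls for.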