For any system requiring authentication, logon, failed logon and logoff events are logged.
Topic
Events to be logged
Applicable to
all
History
Priority
must
Mar 2022
Removed
The existing recommendation to monitoring account logons and logoffs (ISM-0584) was merged with recommendations regarding operating system event logging (ISM-0582). Furthermore, a new recommendation to monitor account lockouts (i.e. event ID 4740) was introduced. Finally, the existing recommendation to investigate account lockouts (ISM-0431) was rescinded as it is now more accurately covered by ISM-1747 relating to monitoring and responding to unusual operating system event logs – in this case instances of suspicious account lockouts.
2015
Agencies must log the following events for any system requiring authentication:• logons• failed logon attempts• logoffs.
2010
Agencies must log the following events for all software components:• logons• failed logon attempts• logoffs.