NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.3 — Audit Record Generation
Generate audit records for the selected event types and audit record content specified in 03.03.01 and 03.03.02. Retain audit records for a time period consistent with the records retention policy.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- audit records for the selected event types and audit record content specified in 03.03.01 and 03.03.02 are generated.
- audit records are retained for a time period consistent with the records retention policy.
Practitioner Notes
Once you've defined what to log (03.03.01) and what details each record must carry (03.03.02), you need to verify two things: that systems are actually producing those records, and that the records survive for the period your records retention policy requires. The control itself sets no number of days; the policy does, and assessors will compare what you keep against what the policy says. If your logs only go back a week, they won't help you investigate an incident that started three months ago.
Example 1: In Windows, configure the Security event log size and retention via GPO under Computer Configuration → Policies → Windows Settings → Security Settings → Event Log. Set "Maximum security log size" to at least 1 GB (1,048,576 KB), and set "Retention method for security log" to "Overwrite events as needed" — but only if the host is already forwarding events to a centralized collector or SIEM, because an overwritten local log is the only copy otherwise. Without central collection, set it to "Do not overwrite events (clear log manually)" and rotate the log on a schedule. Be aware of what that setting does: once the log is full, Windows stops recording new security events (it writes event ID 1104, "The security log is now full") until someone clears or archives it, and if CrashOnAuditFail is enabled the system halts instead. A full, unmonitored log loses evidence just as surely as a circular one, so "do not overwrite" only works with a rotation job and an alert on 1104. The same settings are also exposed under Administrative Templates → Windows Components → Event Log Service → Security.
Example 2: Deploy a centralized log collector such as Splunk, Graylog, or Microsoft Sentinel that aggregates logs from all systems. In Splunk, create a dedicated index (Settings → Indexes → New Index) and set its retention to match the policy; in Splunk Enterprise the time-based retention lives in indexes.conf as frozenTimePeriodInSecs (31536000 for 365 days), while Splunk Cloud exposes it as "Searchable retention (days)". Check the size limit too: when maxTotalDataSizeMB is reached, Splunk rolls the oldest buckets to frozen (deletes them by default) regardless of age, so an undersized index silently shortens your retention. Configure Windows Event Forwarding (WEF) with a source-initiated subscription, or install the Splunk Universal Forwarder on all endpoints, so events reach the collector in near real-time and a local overwrite never loses a record.
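The checks described above, as an added PowerShell example that is not part of this page or of any vendor tooling: run elevated on a Windows host, it reads the Security log configuration, confirms events are still being generated, measures how far back the local log reaches, detects whether a WEF source-initiated subscription points at your collector, and flags the retention mode as wrong for whichever case applies. The 365-day policy period, the 1 GB minimum, the collector hostname wec01.corp.example, and the Logon subcategory used as the audit-policy spot check are all assumptions; substitute your own.

```powershell
# Added example: verify 03.03.03 on a Windows host (run as Administrator).
# Assumed inputs: retention policy period, minimum log size, expected WEF collector.
param(
    [int]    $PolicyRetentionDays = 365,                 # assumed: from your records retention policy
    [long]   $MinimumLogSizeBytes = 1GB,                 # assumed: matches the GPO example
    [string] $ExpectedCollector   = 'wec01.corp.example' # assumed: your WEF collector hostname
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Log configuration. LogMode maps to the GPO retention method:
#    Circular = Overwrite events as needed, Retain = Do not overwrite, AutoBackup = Archive when full.
$cfg = Get-WinEvent -ListLog Security
if ($cfg.MaximumSizeInBytes -lt $MinimumLogSizeBytes) {
    $findings.Add("Security log max size is $([math]::Round($cfg.MaximumSizeInBytes / 1MB)) MB; expected at least $($MinimumLogSizeBytes / 1MB) MB")
}

# 2. Generation check: a domain-joined host should log something (logons, privilege use) every hour.
$newest = Get-WinEvent -LogName Security -MaxEvents 1
if ($newest.TimeCreated -lt (Get-Date).AddHours(-1)) {
    $findings.Add("No Security events in the last hour (newest: $($newest.TimeCreated)); check audit policy and the EventLog service")
}

# 3. Local reach: age of the oldest surviving record tells you what a circular log has already lost.
$oldest    = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$localDays = ((Get-Date) - $oldest.TimeCreated).TotalDays

# 4. Forwarding check: a source-initiated WEF subscription is pushed by GPO into this registry key,
#    one numbered value per collector, e.g. "Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60".
$wefKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$forwarding = $false
if (Test-Path $wefKey) {
    $targets = (Get-ItemProperty -Path $wefKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    $forwarding = @($targets | Where-Object { $_ -match [regex]::Escape($ExpectedCollector) }).Count -gt 0
}

# 5. Retention decision: the local log only has to cover the policy period when nothing else does.
if ($forwarding) {
    if ($cfg.LogMode -eq 'Retain') {
        $findings.Add("LogMode is Retain while forwarding: when the log fills, new events are dropped (event 1104). Use Circular so the forwarded copy stays complete.")
    }
    if ((Get-Service -Name WinRM).Status -ne 'Running') {
        $findings.Add("WinRM is not running; a WEF source cannot deliver events to $ExpectedCollector")
    }
} else {
    if ($cfg.LogMode -eq 'Circular') {
        $findings.Add("Not forwarding and overwriting as needed: anything older than $([math]::Round($localDays)) days is already gone")
    }
    if ($localDays -lt $PolicyRetentionDays) {
        $findings.Add("Not forwarding and local log only reaches back $([math]::Round($localDays)) days; policy requires $PolicyRetentionDays")
    }
}

# 6. Audit policy spot check: the log can only hold what the policy emits (03.03.01).
#    'auditpol /r' prints CSV with an 'Inclusion Setting' column such as 'Success and Failure'.
$logonPolicy = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($logonPolicy.'Inclusion Setting' -notmatch 'Success') {
    $findings.Add("Logon subcategory is not auditing Success; selected event types from 03.03.01 may not be generated")
}

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    LogMode       = $cfg.LogMode
    RecordCount   = $cfg.RecordCount
    LocalDaysBack = [math]::Round($localDays, 1)
    Forwarding    = $forwarding
    Findings      = $findings
}
```

An empty Findings list is the evidence you want to capture for the assessment objective on generation; retention evidence comes from the collector side (the index or subscription configuration and the age of the oldest stored event there), since the local log is not where the policy period is satisfied once you forward. To remediate a host directly without waiting for GPO, `wevtutil sl Security /ms:1073741824 /rt:false` sets a 1 GB log that overwrites as needed (`/rt:true` is "do not overwrite").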