NIST 800-171 • LEVEL 2 • AUDIT AND ACCOUNTABILITY
3.3.4 — Response to Audit Logging Process Failures
Alert organizational personnel or roles within {{ insert: param, A.03.03.04.ODP.01 }} in the event of an audit logging process failure. Take the following additional actions: {{ insert: param, A.03.03.04.ODP.02 }}.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- organizational personnel or roles are alerted in the event of an audit logging process failure within {{ insert: param, A.03.03.04.ODP.01 }}.
- the following additional actions are taken: {{ insert: param, A.03.03.04.ODP.02 }}.
Practitioner Notes
If your logging stops working and nobody notices, you are blind to an active attack for as long as it stays broken. Audit logging fails in ordinary ways: the log service stops, the disk or log file fills up, a forwarding agent crashes or loses its credentials, or a collector is decommissioned without anyone updating the inventory. This practice requires you to detect those failures, alert the right people within the timeframe you define for ODP.01, and carry out whatever additional actions you define for ODP.02 (for example, failing over to a secondary collector or taking the affected system offline). Write both parameters into your policy and make sure the alert actually reaches a person, not just a dashboard.
Example 1: In your SIEM (e.g., Microsoft Sentinel), create an alert rule under Analytics → Create → Scheduled query rule that detects when a monitored endpoint stops sending logs. Use a query like: Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer | where LastHeartbeat < ago(30m). Set the rule to raise an incident when a machine goes silent for more than 30 minutes, and attach an automation rule that runs a playbook to email your SOC or IT admin (a scheduled query rule on its own creates incidents; it does not send mail). Two caveats: the query only returns computers that have reported at least once, so a host that was never onboarded never appears, which is why you also need to reconcile against your asset inventory; and the Heartbeat table only proves the monitoring agent is alive, not that audit events are still flowing, so run the same summarize/where pattern against the table your audit events actually land in (SecurityEvent, Syslog) as a second rule.
Example 2: On your Windows servers, first make sure the logging service cannot quietly stay down: in Group Policy, go to Computer Configuration → Windows Settings → Security Settings → System Services → "Windows Event Log" and set the startup type to Automatic. That keeps the service running but does not alert anyone, so add a trigger on the events Windows writes when logging itself fails: in the Security log, source Microsoft-Windows-Eventlog, Event ID 1100 (the event logging service has shut down), 1104 (the security log is now full) and 1108 (the event logging service encountered an error while processing an incoming event). Event ID 6008 in the System log (source EventLog, unexpected shutdown) is a weaker signal and only tells you the machine went down, not that auditing failed. Create the trigger via Task Scheduler → Create Task → Triggers → On an event → Log: Security, Source: Microsoft-Windows-Eventlog, and list those Event IDs. For the action, use "Start a program" to run a PowerShell script that sends the notification; the built-in "Send an e-mail" task action has been deprecated since Windows Server 2012 and fails silently on current systems. If your ODP.02 additional action is to stop processing rather than continue unlogged, the security option "Audit: Shut down system immediately if unable to log security audits" enforces that, but test it first: on a busy server a full security log will then halt the system.
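The following is an added example and not part of the original page or of any vendor's tooling: a small Python implementation of the detection logic behind both examples above, generalized so it covers the two gaps the Sentinel query alone does not. It checks every host in an expected-host inventory (so a machine that never reported is flagged, not ignored), checks each log source separately (so a live heartbeat does not mask a dead audit channel), and treats the Windows event IDs 1100/1104/1108 in the stream as immediate failure signals. The hostnames, timestamps and records are constructed for the example; the event IDs are the real Windows ones named above.

```python
"""Audit-logging failure detection over constructed log records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows Security-channel events that mean the logging pipeline itself failed.
# Assumption: the collector forwards them with their native event IDs.
WINDOWS_LOG_FAILURE_EVENTS = {
    1100: "event logging service shut down",
    1104: "security log is full",
    1108: "event logging service failed to process an event",
}


@dataclass(frozen=True)
class Record:
    host: str
    source: str                     # e.g. "Heartbeat" or "SecurityEvent"
    time: datetime
    event_id: Optional[int] = None  # only meaningful for Windows event records


def find_logging_failures(records, inventory, sources, now, max_silence):
    """Return a sorted list of (host, source, reason) alerts.

    records:     every record collected in the query window (assumed complete)
    inventory:   hosts that are expected to report; a host with no records at
                 all is reported as "never reported" instead of being missed
    sources:     log sources each host must keep sending; each is checked on
                 its own, so a live Heartbeat cannot hide a silent SecurityEvent
    max_silence: how long a (host, source) pair may go quiet before alerting
    """
    last_seen = {}
    alerts = set()
    for r in records:
        key = (r.host, r.source)
        if key not in last_seen or r.time > last_seen[key]:
            last_seen[key] = r.time
        # Explicit failure events are alerts regardless of timing.
        if r.event_id in WINDOWS_LOG_FAILURE_EVENTS:
            reason = f"event {r.event_id}: {WINDOWS_LOG_FAILURE_EVENTS[r.event_id]}"
            alerts.add((r.host, r.source, reason))
    for host in inventory:
        for source in sources:
            seen = last_seen.get((host, source))
            if seen is None:
                alerts.add((host, source, "never reported"))
            elif now - seen > max_silence:
                minutes = int((now - seen).total_seconds() // 60)
                alerts.add((host, source, f"silent for {minutes} min"))
    return sorted(alerts)


def _t(hh, mm):
    # Constructed timestamps, all on the same day, UTC.
    return datetime(2024, 5, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample: four inventoried hosts, two required log sources.
NOW = _t(12, 0)
INVENTORY = ["web01", "db01", "dc01", "fileserver"]
SOURCES = ["Heartbeat", "SecurityEvent"]
SAMPLE_RECORDS = [
    Record("web01", "Heartbeat", _t(11, 55)),
    Record("web01", "SecurityEvent", _t(11, 58), 4624),
    Record("db01", "Heartbeat", _t(11, 57)),        # agent alive ...
    Record("db01", "SecurityEvent", _t(10, 0), 4624),  # ... but audit feed stopped
    Record("dc01", "Heartbeat", _t(11, 59)),
    Record("dc01", "SecurityEvent", _t(11, 50), 1104),  # security log is full
    # "fileserver" is in the inventory but has no records at all.
]


def demo():
    """Run the detector over the constructed sample and return the alerts."""
    return find_logging_failures(SAMPLE_RECORDS, INVENTORY, SOURCES, NOW,
                                 timedelta(minutes=30))


if __name__ == "__main__":
    for host, source, reason in demo():
        print(f"ALERT {host:<12} {source:<14} {reason}")
```

The sample produces four alerts: db01's audit channel is silent even though its heartbeat is current, dc01 reported a full security log, and fileserver is flagged on both sources because it never reported at all. A pure `max(TimeGenerated) by Computer` query would have caught none of the first three and would never have shown the fourth.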