NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-2(2) — Selection of Audit Events by Component
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Each system component should be able to select which events it audits. You need granular control over what gets logged, not just an all-or-nothing switch.
Example 1: Windows Advanced Audit Policy gives you exactly this: 58 sub-categories you can individually set to Success, Failure, both, or neither. This is far more granular than the basic 9-category audit policy. Always use Advanced Audit Policy Configuration rather than the basic policy, because configuring both can produce conflicting settings.
Example 2: On your Palo Alto firewall, configure logging per security rule. Critical rules (deny rules, rules allowing access to sensitive zones) should log at session start and end. Less critical rules (allow rules for general internet access) can log at session end only to reduce log volume while maintaining visibility.
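One way to check that a Windows component actually audits the sub-categories selected for it, added here as an example and not part of the original page: parse the CSV report that `auditpol /get /category:* /r` emits and compare it with a per-component baseline. The baseline, host name, and GUID placeholders are constructed, and the sub-category names assume an English-locale host.

```python
import csv
import io

# Constructed sample in the CSV layout of `auditpol /get /category:* /r`.
# GUID values are placeholders, not real sub-category GUIDs.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

HOST01,System,Logon,{CONSTRUCTED-GUID-1},Success and Failure,
HOST01,System,Process Creation,{CONSTRUCTED-GUID-2},No Auditing,
HOST01,System,Credential Validation,{CONSTRUCTED-GUID-3},Success,
HOST01,System,Security Group Management,{CONSTRUCTED-GUID-4},Success,
"""

# Hypothetical baseline: outcomes this component is required to audit.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "Process Creation": {"Success"},
    "Credential Validation": {"Success", "Failure"},
    "Security Group Management": {"Success"},
}

def parse_setting(text):
    """Turn an Inclusion Setting such as 'Success and Failure' into a set."""
    return {word for word in ("Success", "Failure") if word in text}

def parse_auditpol(report):
    """Map each sub-category name to the set of outcomes it audits."""
    rows = csv.DictReader(io.StringIO(report))  # blank rows are skipped
    return {r["Subcategory"].strip(): parse_setting(r["Inclusion Setting"])
            for r in rows}

def find_gaps(report, baseline):
    """Return {sub-category: missing outcomes} for unmet baseline entries."""
    actual = parse_auditpol(report)
    gaps = {}
    for name, required in baseline.items():
        # A sub-category absent from the report counts as not audited.
        missing = required - actual.get(name, set())
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    gaps = find_gaps(SAMPLE_AUDITPOL_CSV, BASELINE)
    for name, missing in sorted(gaps.items()):
        print(f"{name}: not auditing {', '.join(sorted(missing))}")
```

Keeping one baseline per component role (for example, domain controller versus workstation) lets the same check document which events each component was selected to audit.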