NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-4 Audit Log Storage Capacity

Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

Practitioner Notes

Make sure you have enough storage for your audit logs. If your log storage fills up and starts dropping events, you have a blind spot. Size your storage based on your actual log volume, not a guess.

Example 1: Calculate your daily log volume by averaging your SIEM's ingestion rate over a week. Multiply by your retention requirement (90 days online + archive). Add 30% headroom. For Splunk, check Settings → Licensing → Usage Report to see daily indexing volume. Size your storage accordingly.

Example 2: Set up monitoring alerts on your log storage. In Splunk, create a saved search that alerts when disk usage exceeds 80%. In Windows Event Log, configure the maximum log size and retention policy via GPO at Computer Configuration → Administrative Templates → Windows Components → Event Log Service → Security → "Maximum Log Size (KB)" to at least 1048576 KB (1 GB).
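The sizing arithmetic from Example 1 and the 80% fill check from Example 2, carried through as a small added script (not part of the NIST text or any vendor tool). The week of ingest figures, the 275-day archive period, the current usage figure and the on_disk_ratio parameter are constructed assumptions; substitute the numbers from your own usage report.

```python
"""AU-4 sizing helper: average a week of daily ingest, multiply by retention
(online + archive), add headroom, then check fill level and days remaining."""
from dataclasses import dataclass
from statistics import mean

# Constructed sample: one week of daily indexing volume in GB, as read from
# the SIEM's usage report (Splunk: Settings -> Licensing -> Usage Report).
WEEK_OF_INGEST_GB = [40, 42, 38, 46, 41, 43, 44]


@dataclass(frozen=True)
class StoragePlan:
    avg_daily_gb: float   # mean daily ingest over the sample week
    peak_daily_gb: float  # worst day, to sanity-check burst capacity
    online_gb: float      # online tier including headroom
    archive_gb: float     # archive tier including headroom
    total_gb: float

def size_log_storage(daily_gb, online_days, archive_days, headroom=0.30,
                     on_disk_ratio=1.0):
    """Required capacity in GB. on_disk_ratio (assumed 1.0, i.e. no compression
    credit) scales ingested bytes to stored bytes; lower it only if measured."""
    if not daily_gb or online_days < 0 or archive_days < 0:
        raise ValueError("need at least one sample and non-negative retention")
    avg = mean(daily_gb) * on_disk_ratio
    factor = 1.0 + headroom
    online = avg * online_days * factor
    archive = avg * archive_days * factor
    return StoragePlan(round(mean(daily_gb), 1), float(max(daily_gb)),
                       round(online, 1), round(archive, 1),
                       round(online + archive, 1))

def days_until_full(capacity_gb, used_gb, avg_daily_gb):
    """Projected days before the store is exhausted at the current rate."""
    if avg_daily_gb <= 0:
        raise ValueError("ingest rate must be positive")
    return round(max(capacity_gb - used_gb, 0) / avg_daily_gb, 1)

def over_threshold(used_gb, capacity_gb, threshold=0.80):
    """True when usage exceeds the alert threshold (the page uses 80%)."""
    return used_gb / capacity_gb > threshold

if __name__ == "__main__":
    plan = size_log_storage(WEEK_OF_INGEST_GB, online_days=90, archive_days=275)
    used_gb = 16000  # constructed current usage figure
    print(plan)
    print("days left:", days_until_full(plan.total_gb, used_gb, plan.avg_daily_gb))
    print("alert:", over_threshold(used_gb, plan.total_gb))
```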