NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-4(1) — Transfer to Alternate Storage
Transfer audit logs {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to [AU-9(2)](#au-9.2) in that audit logs are transferred to a different entity. However, the purpose of selecting [AU-9(2)](#au-9.2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.
Practitioner Notes
If your primary log storage fills up, have a plan to transfer logs to alternate storage. Logs should never be lost due to capacity issues.
Example 1: Configure your SIEM to automatically archive older logs to cheaper storage. In Splunk, set up Index Lifecycle Management to move data from hot to warm to cold to frozen storage. Frozen data can be stored on S3 or Azure Blob at a fraction of the cost of fast storage.
Example 2: For Windows Event Logs, configure the retention method to Archive the log when full, do not overwrite events. Pair this with a scheduled task that moves archived log files to a network share nightly. Monitor the share's disk space and alert at 80% utilization.