In order for Information Technology activity and audit logs to be useful, they must record sufficient information to serve the operational needs, preserve accountability, and detect malicious activity. This standard defines these events and content.


  1. All information systems will produce audit records for at least the following events:
    1. System startup and shutdown
    2. User logon and logoff
    3. Privilege escalation
    4. Account creation
    5. Password changes
  2. Information systems should produce audit records for the following event types, depending on system capabilities:
    1. Starting and stopping of processes and services
    2. Installation and removal of software
    3. System alerts and error messages
    4. System administration activities
    5. Access to and modification of Restricted Data
  3. Log records will include at least the following elements:
    1. Identifier of the system that generated the event
    2. Timestamp of the event
    3. The action or type of event and any relevant data
    4. Success or failure of the action
    5. The user associated with the event
    6. Remote address, if the event occurs over a network connection