This post shows how to build a practical, auditable compliance checklist for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control AU.L2-3.3.2 (audit and logging): what policies to write, the technical controls to configure, how to collect and preserve evidence, and real-world small-business examples to make the work actionable immediately.
Understanding AU.L2-3.3.2: objectives and scope
AU.L2-3.3.2 requires creating and retaining system audit records to support monitoring, analysis, investigation, and remediation of inappropriate or unauthorized activity. For a Compliance Framework implementation this means you must define a logging policy, identify required log sources, configure technical collectors and protections, tune monitoring/alerts, and preserve evidence in an auditable, tamper-evident way.
Checklist: policy, roles, and governance
Start by documenting a Logging and Audit Policy tailored to your Compliance Framework mapping. The policy should at minimum state: log types to capture (authentication, privilege elevation, configuration changes, remote access, firewall/NAT), retention goals (e.g., accessible logs 90 days, archived logs 1 year — adjust per organizational risk), responsible owners (System Owner, IT Admin, InfoSec Officer), access rules (who can read/clear logs), and an evidence retention process for assessments and incident investigations. Include a short runbook for how to produce evidence (export formats, hashing, packaging, and chain-of-custody).
Practical implementation detail
For a small business using the Compliance Framework, map policy points to specific assets: label log sources (AD controllers, domain-joined workstations, Linux servers, cloud accounts, firewall/VPN, MDM). Assign each source a configuration owner and a scheduled audit to ensure the source is still sending logs to the collector. Keep the policy simple and version-controlled (store in your document repository with signatures from management).
Technical controls: collecting and protecting logs
Implement a central collection architecture: choose a lightweight SIEM or log collector (Elastic Stack, Splunk, Graylog, Wazuh) or a managed cloud service (AWS CloudWatch/CloudTrail, Azure Monitor, GCP Cloud Audit Logs). For Windows: enable Advanced Audit Policy via Group Policy (Audit Logon/Logoff, Object Access, Privilege Use, Policy Change) and forward events with Windows Event Forwarding (over WinRM, TCP 5985 for HTTP or 5986 for HTTPS) or Winlogbeat to the SIEM. For Linux: enable auditd rules (/etc/audit/audit.rules) for critical files and user actions and forward them via rsyslog or syslog-ng over TLS (TCP 6514). For network devices, configure syslog to send normalized messages to the collector over TLS; for cloud accounts, enable a multi-region CloudTrail trail that logs global service events and delivers to an S3 bucket with MFA Delete and lifecycle rules.
Technical configuration specifics
Examples of specific settings: set the Windows Security log size large enough (e.g., 100–500 MB) and configure retention so events are not overwritten quickly; on Linux set auditd max_log_file_action to ROTATE and configure rsyslog to ship to the collector over TCP/TLS. Enforce NTP time sync (chrony or ntpd) across all machines and store logs in UTC. Protect transport with TLS and mutual authentication where possible, enforce RBAC on the SIEM so only named roles can purge logs, and enable immutability/WORM for archived logs (e.g., S3 Object Lock or file system snapshots).
Retention, integrity, and access controls
Decide retention based on risk and contract requirements; while NIST 800-171 does not mandate fixed durations, a common small-business starting point is 90 days of hot-access logs and 1–3 years of archived logs stored encrypted offsite. For integrity: capture cryptographic hashes (SHA-256) of exported log bundles, maintain separate storage for hashes, and optionally use digital signatures or timestamping. Limit and log access to the log store—record who requested exports and include that activity in the evidence package.
Monitoring, alerting, and evidence collection
Define a small set of high-fidelity alerts to detect unauthorized access and configuration changes: repeated failed logins followed by a success, new privileged account creation, modifications to audit configuration, or large data transfers. Tune thresholds to reduce noise. For evidence, standardize artifacts you will produce for each control: exported log files (EVTX, JSON, or plain text), SIEM query/alert screenshots, configuration snapshots (Group Policy settings, auditd rules, CloudTrail configuration), signed policy documents, incident tickets, and hashes/checksums. When exporting logs for an assessor or legal process, compute SHA-256, record who exported, and add a signed metadata file describing the extraction query/time range.
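One of the alerts named above, "repeated failed logins followed by a success", as detection logic run over constructed sample log lines. This is an added example, not code from the original post or any SIEM product; the log format, the five-failure threshold and the two-minute window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (UTC, syslog-style); not from any real system.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z auth: FAILED login user=jdoe src=203.0.113.5
2024-03-01T10:00:04Z auth: FAILED login user=jdoe src=203.0.113.5
2024-03-01T10:00:07Z auth: FAILED login user=jdoe src=203.0.113.5
2024-03-01T10:00:09Z auth: FAILED login user=jdoe src=203.0.113.5
2024-03-01T10:00:12Z auth: FAILED login user=jdoe src=203.0.113.5
2024-03-01T10:00:15Z auth: SUCCESS login user=jdoe src=203.0.113.5
2024-03-01T10:05:00Z auth: FAILED login user=asmith src=198.51.100.9
2024-03-01T10:05:30Z auth: SUCCESS login user=asmith src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|SUCCESS) login user=(\S+) src=(\S+)$")

def detect_failed_then_success(log_text, threshold=5, window=timedelta(minutes=2)):
    """Alert when a (user, src) pair has >= threshold failed logins inside `window`
    and then logs in successfully. Returns a list of alert dicts."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skipped here; in production count unparsed lines to spot parser drift
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        q = failures[(user, src)]
        while q and ts - q[0] > window:   # expire failures outside the sliding window
            q.popleft()
        if outcome == "FAILED":
            q.append(ts)
        else:
            if len(q) >= threshold:
                alerts.append({"user": user, "src": src, "failures": len(q),
                               "success_at": m.group(1)})
            q.clear()  # a successful login resets the counter either way
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_then_success(SAMPLE_LOGS):
        print("ALERT:", alert)
```

The asmith pair (one failure, then success) stays below the threshold and produces no alert, which is the noise reduction the paragraph asks for.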
Chain-of-custody and preservation
If logs will serve in formal investigations or as contractual evidence, follow a simple chain-of-custody: export to a sealed storage location, compute a hash and record it in an evidence log, restrict access with ACLs, and document each access. For small businesses without forensic teams, use an ISO 8601 timestamped archive and preserve the original export; do not alter the original logs. Keep a copy of the SIEM search query and the exact time range used to pull the evidence.
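The evidence-packaging steps from the monitoring section and the chain-of-custody steps above (SHA-256 per export, a metadata file recording who exported what query over which time range, the manifest's own hash kept in a separate evidence log, and re-verification on access), as an added example that is not part of the original post. File names, the exporter id and the query string are constructed; signing the manifest (e.g. with GPG) is left to your existing tooling.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB EVTX/JSON exports fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def package_evidence(export_paths, exported_by, query, time_range, manifest_path):
    """Write manifest (SHA-256 per export + extraction metadata); return the manifest's own SHA-256."""
    manifest = {
        "exported_by": exported_by,
        "exported_at_utc": datetime.now(timezone.utc).isoformat(),
        "query": query,
        "time_range": time_range,
        "files": {os.path.basename(p): sha256_file(p) for p in export_paths},
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)  # record this in the separately stored evidence log

def verify_evidence(manifest_path, expected_manifest_hash, export_dir):
    """Re-hash the manifest and every listed export; return the names that no longer match."""
    problems = []
    if sha256_file(manifest_path) != expected_manifest_hash:
        problems.append("manifest")
    with open(manifest_path) as f:
        manifest = json.load(f)
    for name, digest in manifest["files"].items():
        path = os.path.join(export_dir, name)
        if not os.path.exists(path) or sha256_file(path) != digest:
            problems.append(name)
    return problems

def demo_roundtrip():
    """Constructed run in a temp dir: package, verify, tamper with the export, verify again."""
    with tempfile.TemporaryDirectory() as d:
        export = os.path.join(d, "security-export.json")
        with open(export, "w") as f:
            f.write('{"EventID": 4625, "note": "constructed sample export"}\n')
        manifest = os.path.join(d, "manifest.json")
        mh = package_evidence([export], "it-admin", "EventID:4625", "2024-03-01T00:00:00Z/2024-03-02T00:00:00Z", manifest)
        intact = verify_evidence(manifest, mh, d)
        with open(export, "a") as f:
            f.write("altered after export\n")
        return intact, verify_evidence(manifest, mh, d)
```

An empty list from verify_evidence is the check to record each time the bundle is opened; any name in the list means the artifact can no longer be presented as the original export.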
Small-business scenarios, risks, and best practices
Example scenario: a 15-person contractor uses a single AD server, 8 Windows workstations, 2 Linux servers, and AWS hosting for an application that processes CUI. Minimal implementation: enable AD auditing (account logon, account management), centralize logs to a small Elastic cluster or managed CloudWatch Logs, enable a multi-region CloudTrail trail, set 90-day hot retention and archive to encrypted S3 with a 1-year lifecycle, and document the logging policy with named owners. Risks of skipping this: inability to investigate breaches, losing CUI-handling contracts, failed assessments, and fines or contractual penalties. Best practices: start with a small scope (critical accounts and CUI-bearing systems), automate log forwarding, and show evidence of the policy, the technical settings, and periodic review.
Summary: to meet AU.L2-3.3.2 under your Compliance Framework, produce a concise logging policy, instrument critical systems with protected centralized logging, implement integrity and retention controls, tune monitoring and alerts, and package evidence with hashes and chain-of-custody notes. Begin with a targeted scope, build repeatable export/playbook steps, and iterate—auditors want consistent, demonstrable mappings from policy to technical configuration and preserved artifacts that show you can detect and investigate inappropriate activity.