Information
System logging must be configured to meet organizational security and privacy policies. Detailed logs provide the necessary context (event source, timestamp, user, network data) for incident response and forensic analysis. Modern logging strategies favor structured formats (JSON) over unstructured text to facilitate parsing by SIEM solutions.
Note: Sensitive information (e.g., session tokens, PII in query strings) should be excluded or masked in logs to prevent data leaks.
Detailed logs are the foundation of effective incident response. CIS Control 8.5 ("Collect Detailed Audit Logs") recommends capturing event sources, dates, users, timestamps, and network addresses. Traditional text logs require complex, fragile regex parsing that breaks easily when formats change. Structured logging (JSON) solves this by providing a self-describing format that is natively ingested by modern analysis tools (SIEM), ensuring that critical forensic data is always indexable and searchable.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Define a detailed log format in the http block of /etc/nginx/nginx.conf. It is highly recommended to use JSON format for compatibility with modern SIEM tools.
Recommended Configuration (JSON):
http {
    log_format main_access_json escape=json '{'
        '"timestamp": "$time_iso8601",'
        '"remote_addr": "$remote_addr",'
        '"remote_user": "$remote_user",'
        '"server_name": "$server_name",'
        '"request_method": "$request_method",'
        '"request_uri": "$request_uri",'
        '"status": $status,'
        '"body_bytes_sent": $body_bytes_sent,'
        '"http_referer": "$http_referer",'
        '"http_user_agent": "$http_user_agent",'
        '"x_forwarded_for": "$http_x_forwarded_for",'
        '"request_id": "$request_id"'
    '}';
    # Apply the format globally or per server
    access_log /var/log/nginx/access.json main_access_json;
}
Legacy Configuration (Text-based):
If JSON is not feasible, ensure the text format captures all necessary fields:
log_format main_detailed '$remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '"$http_x_forwarded_for"';
Impact:
Enabling detailed JSON logging increases the volume of log data. Ensure that your log rotation policies (logrotate) and disk space monitoring are adjusted to handle the increased storage requirements.
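Added example (not part of the benchmark or the Nessus audit): a Python check that each line of access.json parses as JSON, carries the fields of the main_access_json format above, and does not record sensitive query parameters, which matters because $request_uri includes the query string. The SENSITIVE_PARAMS list, the sample_event helper and the sample lines are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Field names emitted by the main_access_json log_format on this page.
REQUIRED = ("timestamp", "remote_addr", "remote_user", "server_name",
            "request_method", "request_uri", "status", "body_bytes_sent",
            "http_referer", "http_user_agent", "x_forwarded_for", "request_id")
# Assumption: parameter names treated as sensitive; adjust to local policy.
SENSITIVE_PARAMS = {"token", "access_token", "session", "password", "api_key"}

def audit_line(line):
    """Return the findings for one access-log line (empty list means clean)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return ["not a JSON object"]
    findings = [f"missing field: {f}" for f in REQUIRED if f not in event]
    for f in ("status", "body_bytes_sent"):
        # These two are emitted unquoted, so they must decode as integers.
        if f in event and type(event[f]) is not int:
            findings.append(f"{f} is not an integer")
    query = urlsplit(str(event.get("request_uri", ""))).query
    for key, _ in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive query parameter logged: {key}")
    return findings

def audit_log(lines):
    """Map 1-based line number to findings, for lines that have any."""
    results = ((n, audit_line(t)) for n, t in enumerate(lines, 1) if t.strip())
    return {n: found for n, found in results if found}

def sample_event(**overrides):
    """Build a constructed log line (not real traffic) in the page's format."""
    event = dict.fromkeys(REQUIRED, "")
    event.update(timestamp="2024-05-01T10:00:00+00:00", remote_addr="192.0.2.10",
                 request_method="GET", request_uri="/index.html",
                 status=200, body_bytes_sent=612)
    event.update(overrides)
    return json.dumps(event)

SAMPLE = [sample_event(),  # constructed lines, not real traffic
          sample_event(request_uri="/login?user=alice&token=abc123"),
          '192.0.2.10 - - [01/May/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 612']

if __name__ == "__main__":
    print(json.dumps(audit_log(SAMPLE), indent=2))
```

The third sample line is in the legacy text format, so it is reported as not valid JSON; a server still writing that format into the JSON log path shows up the same way.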