NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-12(3) — Changes by Authorized Individuals
Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].
Supplemental Guidance
Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).
Practitioner Notes
Authorized individuals should be able to change what is being logged — adding new event types or increasing logging detail — when operational needs require it.
Example 1: During an active incident, enable enhanced logging on affected systems: turn on PowerShell transcription, enable file access auditing on sensitive shares, and increase firewall log verbosity. Use a pre-built incident logging GPO that you can link quickly to the affected OUs. Document the change and revert after the investigation.
Example 2: In your SIEM, give senior analysts the ability to modify data collection on the fly. In Splunk, they can enable debug-level logging on specific forwarders or add new data inputs. In Sentinel, they can adjust the data connector settings to collect additional log categories. Document all changes in your change management system.
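The link, document, and revert workflow from Example 1, sketched in PowerShell as an added example (not part of the control text or of any vendor tooling). The GPO name, AD group, change-log path, OU, and ticket id are assumptions to replace with your own.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Assumed names (not from the page): replace with your own.
$GpoName   = 'IR-Enhanced-Logging'        # pre-built GPO: transcription, file auditing, firewall logging
$AuthGroup = 'IR-Logging-Admins'          # AD group of individuals authorized to change logging
$ChangeLog = 'C:\IR\logging-changes.csv'  # change record; the directory must already exist

function Assert-Authorized {
    # Refuse to act unless the caller is in the authorized group (compared by SID).
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = (Get-ADGroupMember -Identity $AuthGroup -Recursive).SID.Value
    if ($sids -notcontains $me.User.Value) { throw "$($me.Name) is not a member of $AuthGroup" }
    $me.Name
}

function Write-ChangeRecord {
    param($Action, $Target, $By, $Ticket, $RevertBy)
    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o'); Action = $Action; Gpo = $GpoName
        Target = $Target; By = $By; Ticket = $Ticket; RevertBy = $RevertBy
    } | Export-Csv -Path $ChangeLog -Append -NoTypeInformation
}

function Enable-IncidentLogging {
    param([Parameter(Mandatory)][string[]]$TargetOU,
          [Parameter(Mandatory)][string]$Ticket,
          [int]$RevertAfterDays = 14)
    $who = Assert-Authorized
    $due = (Get-Date).AddDays($RevertAfterDays).ToUniversalTime().ToString('o')
    foreach ($ou in $TargetOU) {
        New-GPLink -Name $GpoName -Target $ou -LinkEnabled Yes -ErrorAction Stop | Out-Null
        Write-ChangeRecord -Action Link -Target $ou -By $who -Ticket $Ticket -RevertBy $due
        # Push the policy now rather than waiting for the background refresh interval.
        Get-ADComputer -SearchBase $ou -Filter * | ForEach-Object {
            Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0
        }
    }
}

function Disable-IncidentLogging {
    param([Parameter(Mandatory)][string[]]$TargetOU, [Parameter(Mandatory)][string]$Ticket)
    $who = Assert-Authorized
    foreach ($ou in $TargetOU) {
        Remove-GPLink -Name $GpoName -Target $ou -ErrorAction Stop | Out-Null
        Write-ChangeRecord -Action Unlink -Target $ou -By $who -Ticket $Ticket -RevertBy ''
    }
}
# Constructed usage (OU and ticket are placeholders):
# Enable-IncidentLogging -TargetOU 'OU=Finance,DC=example,DC=com' -Ticket 'IR-PLACEHOLDER'
```

The `RevertBy` column gives reviewers a date to check against, and `Invoke-GPUpdate` only works where the target hosts allow remote scheduled-task creation through their firewall.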