Which is totally fine. Auditors aren't going to care what your log service is. They might, on the other hand, ask you to show evidence of, like, a log line when someone accesses the admin console. You want that to be easy to generate and, just as importantly, you want the process of obtaining that log line to be easy to describe: "go to this one place, type in this one query, save the result". In a perfect world, you want the answers to lots of auditor questions to be the same, perhaps modulo the "one query" you type in to generate the result.
This isn't because the auditor is going to care whether you have to log into 15 different hosts to grep for 20 different log lines; they have no idea what "grep" even is. It's because it's a lot of work to document 15 different processes coherently.
This idea is the basic lens through which people should be reading our recommendations here.