The policy decision on what events to audit is a deployer responsibility. However, all technical controls implied by this requirement are satisfied by the PCF platform.
When appropriately configured, the PCF platform audits all platform activity, and is compliant with this requirement. It is the responsibility of the deployer to configure an appropriate syslog destination, and also to leverage appropriate encryption and logical access controls for all audit data that is archived off-platform to an enterprise log management system.
PCF platform and application logs are synchronized to an enterprise provided time standard, and thus may be correlated with logs from other information systems as needed. The logging format for Cloud Controller and UAA follows the de-facto standard CEF logging format.
Additional information on specific audit capabilities can be found on the following pages:
The information system:
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.