UCSC Information Technology Services
Log collection and review is an important component of an information security program. The following provides guidance regarding types of logs that should be enabled and reviewed, frequency of review, and escalation procedures.
UCSC's Information Security Officer (ISO) reviews and updates these procedures periodically in response to changes in industry standards, law, regulation, or UC/UCSC policy.
1. Logs to enable and review
- failed and successful logins
- modification of security settings
- privileged use or escalation of privileges
- system events
- modification of system-level objects
- session activity
- account management activities including password changes (success and failure)
- policy change
- workstation firewalls
- anti-virus/anti-malware product
- applications such as web servers
2. Information to capture and review
The following information should be captured for each of the above items as feasible:
- Date and time of activity
- For connection logs: peer IP address
- Identification of user performing activity
- Description of attempted or completed activity
- Application logs:
  - client requests and server responses
  - abnormal usage, e.g. number of transactions, usage spikes, etc.
  - abnormal application behavior, including repeated application restarts
  - data modification where required for regulatory compliance
- All information collected in (1) above
- Other indicators of suspicious activity, such as configuration changes, successful and failed access attempts, and the presence of threats identified by vendor databases or signatures. Examples include:
  - Remote management tools, e.g. TEM/BigFix: Review patch logs, installation history, and vulnerability status, including known vulnerabilities and missing patches.
  - Routers: Review configuration changes, login attempts, interface usage and error events for evidence of anomalous activity.
  - Firewalls: Check for abnormalities and for failed inbound and outbound connection attempts; investigate further when abnormalities or compromises are detected.
  - Intrusion Detection System (IDS): Look for abnormalities such as suspicious behavior and detected attacks. Investigate, or escalate for investigation, as appropriate.
  - Configuration Control Applications, e.g. Tripwire: Review application configuration changes.
3. Frequency of review
The System Steward is responsible for defining and ensuring appropriate log monitoring. Available logs should be reviewed in response to suspected or reported security problems. See the UCSC Information Security Log Policy for specific requirements.
4. Log retention
Default retention for logs is 90 days. The retention period may be shortened or lengthened according to business need, law, regulations, University policy, or technical constraints such as capacity limitations.
5. Escalation
- See campus Security Incident Reporting Procedures for details. ITS staff are to follow ITS' Response Procedures for Compromised Computers for issues potentially involving compromised computers.
- Indicate whether restricted data is involved.
- When escalating to Security, save logs until you receive further instructions from Security. If relevant logs may expire, make a static copy to preserve them. Small log extracts may be attached directly to the IT Request ticket if they do not contain restricted data.
6. Appropriate use and protection of log information
Logs must be accessed, secured and protected according to the nature of the information they may contain. While it is necessary for the University to perform regular collection and monitoring of logs, this activity must be consistent with the provision of least perusal described in ITS' Routine System Monitoring Practices and the UC Electronic Communications Policy.
7. Related resources
- For additional log review information and recommendations, see Log Management for the University of California: Issues and Recommendations
- ITS' Routine System Monitoring Practices
- UCSC Information Security Log Policy
8. Getting help
For questions or assistance with these procedures, or to escalate issues to IT Security, contact the ITS Support Center at itrequest.ucsc.edu, email@example.com, 459-HELP, or in person M-F 8AM-5PM, 54 Kerr Hall.