Log Policy and Procedures


Policy number: IT-0005

Effective date: 06/10/2012

Last updated: 08/02/2011

Responsible office: Information Technology Services

The purpose of this policy is to establish a requirement to enable and review logs on electronic information resources (eIRs) that contain, access or transmit data classified by UCSC as confidential or restricted. This requirement supports compliance with Federal HIPAA law, Payment Card Industry regulation, UC and UCSC recommendations and industry best practice. It applies to all individuals who maintain affected eIRs.

The following terms used in this policy are defined in the IT Policy Glossary.

  • Confidential Data 
  • Electronic Information Resource
  • HIPAA
  • Payment Card Industry 
  • Restricted Data 
  • Subject Matter Expert 
  • System Steward

1. Requirements

Procedures must be in place to ensure that access and activity are recorded and reviewed for all electronic information resources that contain, access or transmit data classified by UCSC as confidential or restricted.

  1. Logging must be enabled at the operating system, application/database, and system/workstation level.
  2. Logs must be reviewed in response to suspected or reported security problems on systems containing restricted data or as requested by IT Security.
  3. System Stewards are responsible for determining which systems require scheduled log review.
  4. Log review shall include investigation of suspicious activity, including escalation to IT Security (see GETTING HELP, below) or the campus incident response process as appropriate.
  5. Individuals shall not be assigned to be the sole reviewers of their own activity.

2. Responsibility

All individuals are responsible for following the above log requirements where applicable.

System Stewards, in consultation with Subject Matter Experts where appropriate, are responsible for determining the applicability of the above requirements to systems or data for which they are responsible. System Stewards are also responsible for ensuring implementation and enforcement of the above requirements where they are applicable.

3. Appropriate use and protection of log information

Logs must be accessed, secured and protected according to the nature of the information they may contain. While it is necessary for the University to perform regular collection and monitoring of logs, this activity must be consistent with the provision of least perusal described in ITS’ Routine System Monitoring Practices and the UC Electronic Communications Policy.

4. Getting help

For questions about this policy, or to escalate an issue to IT Security, contact ITS.

The campus Vice Chancellor, Information Technology is the campus authority for the UCSC Log Policy. This policy was reviewed and approved by the Campus Provost/Executive Vice Chancellor on 06/10/2012.

Log collection and review is an important component of an information security program. The following procedures provide guidance regarding the types of logs that should be enabled and reviewed, the information each log should capture, the frequency of review, retention, and escalation.

UCSC’s Information Security Officer (ISO) reviews and updates these procedures periodically in response to changes in industry standards, law, regulation, or UC/UCSC policy.

1. Enable logging and auditing at the OS, application/database, system, and workstation level. Enable logs for the following as available and technically feasible:

  1. failed and successful logins
  2. modification of security settings
  3. privileged use or escalation of privileges
  4. system events
  5. modification of system-level objects
  6. session activity
  7. account management activities including password changes (success and failure)
  8. policy change
  9. workstation firewall events
  10. anti-virus/anti-malware product events (detections, updates, and failures)
  11. application logs, such as web server access and error logs

The following information should be captured for each of the above items as feasible:

  1. Date and time of activity
  2. For connection logs: peer IP address
  3. Identification of user performing activity
  4. Description of attempted or completed activity
  5. Application logs:
    • client requests and server responses
    • abnormal usage, e.g. number of transactions, usage spikes, etc.
    • abnormal application behavior, including repeated application restart
    • data modification where required for regulatory compliance

2. Check the following when reviewing logs:

  1. All information collected in (1) above
  2. Other indicators of suspicious activity, such as configuration changes, successful and failed access attempts, or the presence of threats identified by vendor threat databases or signatures. Examples include:
    • Remote management tools, e.g. TEM/BigFix: Review patch logs, installation history, and vulnerability status, including known vulnerabilities and missing patches
    • Routers: Review configuration changes, login attempts, interface usage and error events for evidence of anomalous activity.
    • Firewalls: Review for abnormalities and for failed inbound and outbound connection attempts; investigate further when abnormalities or indications of compromise are detected.
    • Intrusion Detection System (IDS): Look for abnormalities such as suspicious behavior and detected attacks. Investigate or escalate for investigation as appropriate.
    • Configuration control and file integrity applications, e.g. Tripwire: Review reported changes to monitored configurations and files
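The following script is an added illustration and is not part of the UCSC policy or procedures. It parses a handful of constructed syslog-style lines (OpenSSH, sudo, useradd, passwd; invented for this example, not taken from any campus system) into the fields item (1) asks for (date and time, peer IP, user, description of the activity) and then applies the review checks above: repeated failed logins from one address, a successful login from an address that had just failed, privileged use via sudo, and account management events. The three-failure threshold and the category names are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in syslog/OpenSSH/sudo/shadow-utils format; not from a real host.
SAMPLE_LOG = """\
Jun 10 08:01:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 10 08:01:05 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 10 08:01:09 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jun 10 08:01:14 host1 sshd[2102]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Jun 10 08:02:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jun 10 08:03:01 host1 useradd[2140]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Jun 10 08:03:20 host1 passwd[2150]: pam_unix(passwd:chpasswd): password changed for svc_backup
Jun 10 09:15:00 host1 sshd[2200]: Accepted publickey for bob from 198.51.100.20 port 40010 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)$")


@dataclass
class Event:
    ts: str                 # date and time (default syslog format omits year and timezone)
    host: str
    user: str               # identification of the user performing the activity
    peer_ip: Optional[str]  # peer IP address, for connection logs only
    category: str           # login_failure, login_success, privileged_use, account_mgmt, other
    description: str        # description of the attempted or completed activity


def parse_line(line: str) -> Optional[Event]:
    """Map one syslog line to the fields the procedure asks to capture."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
    if prog == "sshd" and (s := SSHD_RE.match(msg)):
        cat = "login_failure" if s["result"] == "Failed" else "login_success"
        return Event(ts, host, s["user"], s["ip"], cat, f"{s['result']} {s['method']} login")
    if prog == "sudo" and (s := SUDO_RE.match(msg)):
        return Event(ts, host, s["user"], None, "privileged_use", f"ran as {s['target']}: {s['cmd']}")
    if prog == "useradd" and (s := USERADD_RE.match(msg)):
        return Event(ts, host, s["user"], None, "account_mgmt", "account created")
    if prog == "passwd" and (s := PASSWD_RE.search(msg)):
        return Event(ts, host, s["user"], None, "account_mgmt", "password changed")
    return Event(ts, host, "", None, "other", msg)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def review(events: list, failure_threshold: int = 3) -> dict:
    """Apply the review checks listed in the procedure and return the findings."""
    failures = Counter(e.peer_ip for e in events if e.category == "login_failure")
    repeated = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    # A success from an address that previously failed may be password guessing that worked.
    seen_failing, success_after_fail = set(), []
    for e in events:
        if e.category == "login_failure":
            seen_failing.add(e.peer_ip)
        elif e.category == "login_success" and e.peer_ip in seen_failing:
            success_after_fail.append((e.peer_ip, e.user))
    return {
        "repeated_failures": repeated,
        "success_after_failures": success_after_fail,
        "privileged_use": [e for e in events if e.category == "privileged_use"],
        "account_mgmt": [e for e in events if e.category == "account_mgmt"],
    }


def needs_escalation(findings: dict) -> bool:
    """Assumed rule for this example: brute forcing or a post-failure success is escalated."""
    return bool(findings["repeated_failures"] or findings["success_after_failures"])


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG))
    for name, value in found.items():
        print(name, value)
    print("escalate to IT Security:", needs_escalation(found))
```

Two practical caveats the sample shows: the default syslog timestamp carries neither year nor timezone, so a log that will be used in an investigation should be written with a full timestamp (for example RFC 3339 via rsyslog's high-precision template), and the person running this review should not be the only reviewer of their own sudo entries, in line with requirement 5 of the policy.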

3. Frequency of review
The System Steward is responsible for defining and ensuring appropriate log monitoring. Available logs should be reviewed in response to suspected or reported security problems. 

4. Retention
Default retention for logs is 90 days. The retention period may be shortened or lengthened according to business need, law, regulations, University policy, or technical constraints such as capacity limitations.

5. Escalate security-related issues, questions or concerns by contacting ITS.

  1. See campus Report a Security Incident for details. ITS staff are to follow ITS’ Response Procedures for Compromised Computers for issues potentially involving compromised computers.
  2. Indicate whether P-4 data is involved.
  3. When escalating to Security, save logs until you receive further instructions from Security. If relevant logs may expire, make a static copy to preserve them. Small log extracts may be attached directly to the SlugHub ticket if they do not contain P-4 data.

6. Appropriate use and protection of log information 
Logs must be accessed, secured and protected according to the nature of the information they may contain. While it is necessary for the University to perform regular collection and monitoring of logs, this activity must be consistent with the provision of least perusal described in ITS’ Routine System Monitoring Practices and the UC Electronic Communications Policy.

7. Additional information

  1. For additional log review information and recommendations, see Log Management for the University of California: Issues and Recommendations (PDF)
  2. ITS’ Routine System Monitoring Practices

8. Getting help
For questions or assistance with these procedures, or to escalate an issue, contact ITS.

Last modified: May 09, 2025