Log Management
On This Page
Service Summary
Log management is a security service which collects log files (authentication, system, and application, etc.) in near real time. These logs allow our security information and event management (SIEM) tool to make correlations and provide us with insights that are usually lost in the volume of log data received. This intelligence is helpful in security work, auditing, and general IT troubleshooting. Regardless of personal use cases for this service, if nothing else sending logs to the SIEM can allow us to improve cybersecurity on campus. In support of cross UC collaborations and supporting UCSC scholarly advancement, we are enabling some other use of the ELK cluster, contact husmith@ucsc.edu for more information.
Log Management service offerings include: send logs, get privileged account alerts and or reports, become a SIEM power user, and custom request.
Systems that contain P3- P4 information are required to align with Critical Security Controls (CSC)#6 and the UC IS-3 Electronic Information Security Policy.
For other applications and systems, it is recommended to align with CSC#6 and the UC IS-3.
Subscribing to the Log Management service, getting privileged account alerts/reports, and following these recommendations will align you to CSC #6 and the UC IS-3.
Alternately if you do not wish to subscribe to the service you are responsible for meeting the criteria as defined in CSC #6 and Appendix D of the UC IS-3 through your own means.
Features & Functions
- Sending Logs Sending logs is a low effort step that System, Database, and Application Admins and owners can take to help safeguard their assets and improve campus security as a whole. For this service, you are providing data to the Core Tech Security team and will only be contacted by security in the event of an issue. This guide provides the needed information to send logs (must be connected to UCSC network to view)
- Get Alerts and/or Reports To get alerts which are near real-time or reports for designated frequency, Security must be receiving logs and will need to know which privileged accounts want reports and or alerts on and the parameters. For instance, if you want to know if anyone logs into a certain user account, outside of the US, outside of certain working hours, etc.
- Make me a Power User Becoming a power user in our SIEM will allow you to customize alerts and reports to your needs. This option is for experienced users who are looking at tailoring SIEM features for use for their assets or group.
- Custom Request or Consulting Request Custom requests are for anything SIEM related that is not defined above. We are in the early implementation of this tool and are barely scratching the surface of capabilities. Here are our current capabilities and the defined roadmap for this tool. We are always interested in how users want to use the tool and the problems they are trying to solve so feel free to send your request and we will be glad to evaluate it or advise if it can be added to the roadmap.
Eligibility for Service
University-owned, managed or affiliated systems are eligible for this service. The service can be requested by anyone who is an application or system owner or has a need to know. System owner verification is required.
Requesting the Service
Please note this is a short-term process. We are awaiting a service creation in SlugHub or a web form.
A User should request their desired service via SlugHub get help For the service select Security (Physical, IT & Policy) and Log Management as seen in Figure 1 below. In your message, please indicate the service you desire, your role, host and IP, the log types you are interested in and any other information you see fit. Services available are sent logs, get privileged account alerts and or reports, become a SIEM Power User, and Custom Request.
Figure 1
Your SlugHub ticket will be assigned within eight working hours. You will be contacted for additional information if needed.
Availability, Metrics & Statistics
The Security Service Team availability is typically Monday-Friday, 8AM-5PM, However, logs are collected in near real time and should not interfere with business operations. Alerts are sent near real-time so they can occur at any time. Power users can also access the SIEM at any time.
Self-Service Support
- For detailed help on submitting logs look at our guide. Here are our current capabilities and the defined roadmap for this tool.
-
Thinking about how you can leverage this tool? Check out this article for ideas on different logs to capture!
-
For more information on how our log management service aligns
to best practice guidelines (Critical Security Controls) click here -
The security team provides a UCSC-specific user guide for the SIEM tool and can provide training customized to your needs upon request.
Getting Help
For other issues or help, please create a support ticket in SlubHub. Select Security (Physical, IT & Policy) for the service and Log Management for the System Application as seen in Figure 2 below.
Figure 2
Your SlugHub ticket will be assigned within eight working hours. You will be contacted for additional information if needed.
Cost
This service is a campus-funded, so no charge to you. Costs (charge-back) may be incurred for any non-standard or in-depth type of consultation or special request.