You are here

Log Management

See the Log Management Standard in the University's Information Security policy for specific requirements that you must follow.

Standard and Process

University IT resources must have log management to help detect unauthorized activities on the system. The unit or individual directly responsible for the data or system must ensure that the system has the appropriate log configuration, log retention, and log analysis. Timely action must be taken in response to the identification of a potential security event in the logs.

Log Configuration

  • Configure logs to be of sufficient size to reconstruct key events such as:
    • individual access to private data (e.g., file system, application)
    • actions taken by an individual with root or administrative privileges
    • ATA Secure Erase: Tool available on ATA disk drives
    • access to audit trails
    • invalid logical access attempts (e.g., authentication, ACL, missing web page, web server error)
    • use of identification and authentication mechanism
    • initialization of audit logs
    • use of privileges (e.g, sudo, UAC, elevated use of privileges)
    • activation and de-activation of protection systems, such as anti-virus and intrusion detection systems
  • Configure log entries to include:
    • user identification
    • type of event
    • date and time
    • success and failure indication
    • origination of the event
    • identity or name of affected private data, or system
    • network addresses and protocols
  • Synchronize the clock to the University’s time servers, ntp.umn.edu. The University’s NTP servers respond on the DNS anycast address.

Protection of Log Information

Protect the log information from unauthorized changes and operational problems. Save the logs to a separate secure log server or off-site secure media location via a one way process with limited administrative access.

Log Retention

Retain logs to meet the retention requirements per University data retention policy, applicable laws, or contractual agreements.

Log Analysis

Document the log analysis plan for your unit, including:

  • who is responsible for the log analysis
  • who is responsible for follow up when a potential security event is identified in the log
  • what schedule log analysis is performed on
  • what log review process/tools are used
  • where to document anomalies detected and actions taken to address the anomalies
  • how to track completion of the log review
  • who does the management review or sign off, if required

The log review should include:

  • identifying anomalies for further analysis and remediation steps
  • reviewing logs to ensure proper resolution or mitigation of identified anomalies
  • periodically testing to ensure log triggers and thresholds are appropriately configured and that log triggers are not compromised

Depending on the urgency with which the unauthorized activities need to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolate computer) and/or other escalation processes.

IT Professionals and others who perform IT administrative functions on University IT resources responsibilities include:

Operating System Administrator

  • Configure logging for OS-level requirements
  • Provide logging service to applications running on the system
  • Review and respond to OS log anomalies

Application/Database/Web Administrator

  • Configure application/database/web application to log required items, using operating system/application provided logging mechanism
  • Review and respond to log anomalies

Network Engineers

  • Configure devices to log required items, using operating system provided logging mechanism
  • Review and respond to log anomalies

More Information

Document Owner: University Information Security

Document Approver: Brian Dahlin, University Information Security; Patton Fast, University Enterprise Architect

Effective Date: August 2010

Last Reviewed Date: November 2014