Standard and Process
See the specific requirements in the Log Management Standard in the University Policy library. The following supplements the requirements in University policy.
University IT resources must have log management to help detect unauthorized activities on the system. The unit or individual directly responsible for the data or system must ensure that the system has the appropriate log configuration, log retention, and log analysis. Timely action must be taken in response to the identification of a potential security event in the logs.
Configure logs to be of sufficient size and detail to reconstruct key events such as:
- individual access to private data (e.g., file system, application)
- files accessed and the type of access
- record of the transactions executed by users in the application
- actions taken by an individual with elevated privileges (e.g., root or administrative)
- access to audit trails
- invalid logical access attempts (e.g., authentication, ACL, missing web page, web server error)
- use of identification and authentication mechanisms
- initialization of audit logs
- use of privileges (e.g., sudo, UAC, elevated use of privileges)
- activation and de-activation of protection systems, such as anti-virus and intrusion detection systems
- changes to system configuration
- use of system utilities and applications
- alerts from access control system
Configure log entries to include:
- user identification
- type of event
- date and time
- success and failure indication
- origination of the event
- identity or name of affected private data, or system
- network addresses and protocols
Use the ISO 8601 date and time format. The accepted forms, from least to most precise, are:
Year:
YYYY (eg 1997)
Year and month:
YYYY-MM (eg 1997-07)
Complete date:
YYYY-MM-DD (eg 1997-07-16)
Complete date plus hours and minutes:
YYYY-MM-DDThh:mmTZD (eg 1997-07-16T19:20+01:00)
Complete date plus hours, minutes and seconds:
YYYY-MM-DDThh:mm:ssTZD (eg 1997-07-16T19:20:30+01:00)
Complete date plus hours, minutes, seconds and a decimal fraction of a second:
YYYY-MM-DDThh:mm:ss.sTZD (eg 1997-07-16T19:20:30.45+01:00)
where:
YYYY = four-digit year
MM = two-digit month (01=January, etc.)
DD = two-digit day of month (01 through 31)
hh = two digits of hour (00 through 23) (am/pm NOT allowed)
mm = two digits of minute (00 through 59)
ss = two digits of second (00 through 59)
s = one or more digits representing a decimal fraction of a second
TZD = time zone designator (Z or +hh:mm or -hh:mm)
Synchronize the system clock to the University’s time servers (ntp.umn.edu), or to a trusted external time source, so that timestamps from different systems can be correlated during log analysis. The University’s NTP servers respond on the DNS anycast address.
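The timestamp profile and the required entry fields above are easy to get subtly wrong (a zone-less time, a 12-hour clock, a missing outcome field). The following is an added example, not part of the University standard or any University tool: it validates a timestamp against exactly the forms listed above (year-only through fractional seconds, TZD mandatory whenever a time is present, am/pm rejected) and builds a log entry that carries every required field. Field names, the sample values, and the `sample_failed_login` helper are assumptions chosen for illustration.

```python
"""Added example (not the University's code): ISO 8601 profile validation and a
log-entry builder carrying the fields the standard requires.  Field names and
sample values are assumptions."""
import json
import re
from datetime import datetime, timedelta, timezone

# Time zone designator: Z, +hh:mm or -hh:mm (no zone-less times).
_TZD = r"(?:Z|[+-](?:[01]\d|2[0-3]):[0-5]\d)"

# Year, optionally year-month, optionally full date, optionally a time.  When a
# time is present the TZD is mandatory, and only a 24-hour clock is accepted.
_ISO8601 = re.compile(
    r"^(?P<year>\d{4})"
    r"(?:-(?P<month>0[1-9]|1[0-2])"
    r"(?:-(?P<day>0[1-9]|[12]\d|3[01])"
    r"(?:T(?P<hour>[01]\d|2[0-3]):(?P<minute>[0-5]\d)"
    r"(?::(?P<second>[0-5]\d)(?:\.(?P<fraction>\d+))?)?"
    r"(?P<tzd>" + _TZD + r")"
    r")?)?)?$"
)

# Assumed field names, one per item in the "Configure log entries to include" list.
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome",
                   "origin", "target", "network")


def is_iso8601(value: str) -> bool:
    """True if value matches one of the profile's forms (TZD required with a time)."""
    return _ISO8601.match(value) is not None


def iso_timestamp(when: datetime) -> str:
    """Render a timezone-aware datetime as YYYY-MM-DDThh:mm:ss.sTZD."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware so a TZD can be emitted")
    return when.isoformat(timespec="milliseconds")


def make_entry(user, event_type, success, origin, target, src_ip, protocol,
               when=None, **extra):
    """Return a dict with every required field; raise if one is missing."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "user": user,                      # user identification
        "event_type": event_type,          # type of event
        "timestamp": iso_timestamp(when),  # date and time, ISO 8601 with TZD
        "outcome": "success" if success else "failure",
        "origin": origin,                  # where the event originated (host/process)
        "target": target,                  # affected private data or system
        "network": {"src_ip": src_ip, "protocol": protocol},
    }
    entry.update(extra)
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"entry is missing required fields: {missing}")
    return entry


def entry_to_json(entry) -> str:
    """One JSON object per line is a common shape for forwarding to a log host."""
    return json.dumps(entry, sort_keys=True)


def sample_failed_login():
    """Constructed sample: a failed SSH login at 19:20:30.45 in the +01:00 zone."""
    when = datetime(1997, 7, 16, 19, 20, 30, 450000,
                    tzinfo=timezone(timedelta(hours=1)))
    return make_entry("jdoe", "auth.login", False, "sshd", "host01",
                      "10.0.0.5", "tcp/22", when=when)


if __name__ == "__main__":
    print(entry_to_json(sample_failed_login()))
    for t in ("1997-07-16T19:20:30Z", "1997-07-16T19:20:30", "07/16/1997 7:20PM"):
        print(t, "->", "ok" if is_iso8601(t) else "REJECTED")
```

A validator like `is_iso8601` belongs at the point where entries are accepted by the log host, not only where they are written: a source that emits local time without a designator cannot be correlated against other systems once clocks or zones differ.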
Protection of Log Information
Protect log information from unauthorized changes and from operational problems (e.g., loss through disk exhaustion or rotation before review). Send the logs to a separate secure log server or to an off-site secure media location through a one-way process, with limited administrative access.
Log content must be sent in its original format, not summarized or altered before transport. Log export and transport methods must be ones supported by an approved log hosting service (e.g., syslog, Splunk universal forwarder).
Virtual machines are acceptable log hosting servers, provided the hypervisor has controls equal to or greater than the highest log security level stored on the log host.
Retain logs to meet the retention requirements per University data retention policy, applicable laws, or contractual agreements. Any logs that are part of pending or current litigation may not be destroyed, regardless of the record retention schedule. University units should securely dispose of logs once the retention period has been met.
Access logs (including authentication, authorization and use of privileged access) as well as critical system event logs are in scope for secure, long-term retention. Select application logs (such as PeopleSoft, Shibboleth) are considered in scope.
Document the log analysis plan for your unit, including:
- who is responsible for the log analysis
- who is responsible for follow up when a potential security event is identified in the log
- what schedule log analysis is performed on
- what log review process/tools are used
- where to document anomalies detected and actions taken to address the anomalies
- how to track completion of the log review
- who does the management review or sign off, if required
The log review should include:
- identifying anomalies for further analysis and remediation steps
- reviewing logs to ensure proper resolution or mitigation of identified anomalies
- periodically testing to ensure log triggers and thresholds are appropriately configured and that log triggers are not compromised
Use a security threat prioritization map or similar approach to determine which anomalies are high, medium, or low. This map may differ depending on the role and threats to the host/application.
Depending on the urgency with which the unauthorized activities need to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolate computer) and/or other escalation processes.
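To make the review and prioritization steps above concrete, here is an added example that is not part of the University standard or any University tool. It runs a small review over constructed, syslog-style sample lines (not real logs): it classifies each line into categories drawn from the event list earlier on this page (invalid access attempts, use of privileges, de-activation of a protection system), applies a threshold to repeated authentication failures from one source, and ranks the findings with a prioritization map. The log lines, the threshold, the category names, and the severity map are assumptions; a unit would tune the map per host role.

```python
"""Added example (not the University's code): a log review that classifies
constructed sample lines into event categories, applies a brute-force threshold,
and orders findings with a prioritization map.  All inputs and thresholds are
assumptions for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in a syslog-like layout (not real logs).
SAMPLE_LOG = """\
2024-03-05T08:01:10+00:00 host01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2024-03-05T08:01:12+00:00 host01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
2024-03-05T08:01:14+00:00 host01 sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
2024-03-05T08:01:16+00:00 host01 sshd[2201]: Failed password for root from 203.0.113.9 port 51025 ssh2
2024-03-05T08:01:18+00:00 host01 sshd[2201]: Failed password for root from 203.0.113.9 port 51026 ssh2
2024-03-05T08:02:00+00:00 host01 sshd[2210]: Accepted publickey for jdoe from 10.0.0.5 port 40011 ssh2
2024-03-05T08:02:30+00:00 host01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
2024-03-05T08:02:31+00:00 host01 auditd[611]: The audit daemon is exiting.
2024-03-05T08:05:00+00:00 host01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
2024-03-05T08:09:00+00:00 host01 sshd[2250]: Failed password for bob from 10.0.0.7 port 40100 ssh2
"""

# Assumed prioritization map: category -> severity.  Tune per host role.
PRIORITY = {
    "protection_disabled": "high",   # a protection system was de-activated
    "auth_bruteforce": "high",       # many invalid access attempts from one source
    "privilege_use": "medium",       # use of elevated privileges
    "auth_failure": "low",           # a single invalid access attempt
}
BRUTEFORCE_THRESHOLD = 5  # assumed: failures from one source within the reviewed window
RANK = {"high": 0, "medium": 1, "low": 2}

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Assumed list of protection services whose stop/disable should be flagged.
PROTECTION_STOP = re.compile(r"systemctl (?:stop|disable) (?:auditd|clamav\S*|falco)\b")


def parse(text):
    """Yield one dict per line that matches the syslog-like layout; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield m.groupdict()


def review(text):
    """Return findings as (severity, category, detail), highest severity first."""
    failed_by_ip = Counter()
    failed_users = defaultdict(set)
    findings = []
    for rec in parse(text):
        msg = rec["msg"]
        if rec["prog"] == "sshd":
            m = FAILED.search(msg)
            if m:
                failed_by_ip[m["ip"]] += 1
                failed_users[m["ip"]].add(m["user"])
                findings.append(("auth_failure", f"{rec['ts']} {m['user']} from {m['ip']}"))
        elif rec["prog"] == "sudo":
            m = SUDO.match(msg)
            if m:
                findings.append(("privilege_use",
                                 f"{rec['ts']} {m['user']} as {m['target']}: {m['cmd']}"))
                if PROTECTION_STOP.search(m["cmd"]):
                    findings.append(("protection_disabled",
                                     f"{rec['ts']} {m['user']} ran: {m['cmd']}"))
    # Aggregate across the window: repeated failures from one source are one
    # higher-severity finding, in addition to the individual low entries.
    for ip, n in failed_by_ip.items():
        if n >= BRUTEFORCE_THRESHOLD:
            findings.append(("auth_bruteforce",
                             f"{n} failures from {ip} for users {sorted(failed_users[ip])}"))
    ranked = [(PRIORITY[cat], cat, detail) for cat, detail in findings]
    ranked.sort(key=lambda f: RANK[f[0]])  # stable: keeps time order within a level
    return ranked


if __name__ == "__main__":
    for severity, category, detail in review(SAMPLE_LOG):
        print(f"{severity:6} {category:20} {detail}")
```

Two design points worth carrying into a real review: the per-source aggregation step is what turns six "low" lines into one "high" finding, so a review that only scores lines one at a time under-ranks the attack; and the `protection_disabled` rule fires on the privileged command rather than on the daemon's own exit message, because once a protection system is stopped its own log may be the first thing that goes quiet.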
An approved logging service must meet the High Security level requirements in the Information Security policy and may need an information security review by University Information Security. In addition the logging service must:
- ensure that it is logically/functionally isolated from other services
- prohibit modifications of logs
- establish and document a periodic review confirming that log transmissions are successfully received
- ensure that log data is purged according to the Data Classification guidelines
- contact University Information Security for a complete list of the requirements.
Operating System Administrators are responsible for:
- configuring logging for OS-level requirements;
- providing logging service to applications running on the system; and
- reviewing and responding to OS log anomalies.
Application/Database/Web Administrators are responsible for:
- configuring the application, database, or web server to log the required items, using the logging mechanism provided by the operating system or the application; and
- reviewing and responding to log anomalies.
Network Engineers are responsible for:
- configuring devices to log the required items, using the logging mechanism provided by the device operating system; and
- reviewing and responding to log anomalies.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013
- NIST SP 800-92, Guide to Computer Security Log Management
- NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which lists HIPAA-related log management needs, including the need to perform regular review of audit logs and access reports, and the retention period.