System Log Review Guideline


OVERVIEW

System logs are essential for identifying, monitoring for, responding to, and preventing operational problems, security incidents, policy violations and fraudulent activity.  The System Logging Policy outlines the minimum processes that must be in place to ensure access and activity are recorded and reviewed, so that systems remain in line with university compliance requirements.

LOG CONTENT

Review the System Logging Standard and, where technically possible, configure systems to record and retain the events it lists.  The Center for Internet Security (CIS) provides prescriptive configuration recommendations for more than 25 vendor product families.  Use CIS Benchmarks, where available, for guidance on applying system log configurations.

LOG REVIEW

Logs should be reviewed regularly to protect IT and data.  At a minimum, IT services containing regulated data should have their logs reviewed monthly, or more frequently if required by law, regulation, contract provisions, or industry standards.  Logs should be reviewed within a 24-hour period in response to suspected or reported security problems on systems, or as requested by the Office of Information Technology.


Access Logs

Access logs provide a view into how well access to systems and data is controlled.  Login failures and successes, including attempts to access disabled, service, non-existent, default, guest, or suspended accounts, can provide insight into the security of systems.  We recommend monitoring for:

  • Multiple login failures followed by success by same account (this may require rule-based SIEM correlation to produce)
  • Privileged account access (success, failure) including administrator accounts, root, su use, RunAs use, or other system and platform relevant equivalents
  • Remote access logins (success, failure) including source IP address
  • File, network share or resource access (success, failure)
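
The first item above calls for correlation rather than a single-line match. The following is an added example, not part of this guideline or of any SIEM product: a small Python rule that reads sshd-style syslog lines (the sample lines and the year used for timestamps are constructed) and raises an alert when an account logs in successfully after at least `threshold` failures within `window`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd-style syslog format (not real data).
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[101]: Failed password for alice from 203.0.113.5 port 5001 ssh2
Mar 10 08:00:04 host1 sshd[102]: Failed password for alice from 203.0.113.5 port 5002 ssh2
Mar 10 08:00:07 host1 sshd[103]: Failed password for alice from 203.0.113.5 port 5003 ssh2
Mar 10 08:00:09 host1 sshd[104]: Accepted password for alice from 203.0.113.5 port 5004 ssh2
Mar 10 08:01:00 host1 sshd[105]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Mar 10 09:30:00 host1 sshd[106]: Accepted password for bob from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

def parse_line(line, year=2024):
    """Syslog lines carry no year; the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def failures_then_success(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per account that logs in successfully after at least
    `threshold` failures inside `window`. Failures are tracked per account,
    not per source address, so attempts spread over several sources still count."""
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = failures[user]
        while q and ts - q[0] > window:   # discard failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"user": user, "src": src, "failures": len(q), "at": ts})
            q.clear()                      # alert once per burst, not on every login
    return alerts
```

Tune `threshold` and `window` to the service's lockout policy; a window shorter than the time between failures simply produces no alert.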


Change Reports

Change reports identify critical security changes to systems and network assets – configuration files, accounts, regulated and sensitive data or other components of the system/application.  We recommend monitoring for:

  • Additions, changes, or deletions to users and groups
  • Addition of accounts to administrator or privileged groups
  • Addition, changes, or deletions to network services
  • Changes to system files – binaries, configurations
  • Changes to other key files
  • Application installs, updates (success/failure) by system, application, user


Network Activity

Network activity logs can reveal suspicious system or network behaviour.  We recommend monitoring:

  • Outbound connections from internal and DMZ systems by source and destination
  • Internal systems listening on ports their role does not require, which indicates a deviation from the baseline and from least privilege
  • Internal systems that are the top sources ("top talkers") of Intrusion Detection System (IDS), Intrusion Prevention System (IPS) or Web Application Firewall (WAF) alerts
  • VPN network activity by user name, count of sessions
  • Wireless network activity, including rogue AP detection and rogue AP association logs


Database Access Logs

Database access logs identify access patterns and can be used for activity audit, trending, incident detection, detection of insider abuse or attack, and capacity planning.  We recommend monitoring for:

  • Database access (success/failure)
  • Summary of query types, excluding known application queries, to detect anomalous database access
  • Privileged database user access and activity
  • Users executing INSERT, DELETE database commands (excluding known application queries)
  • Users executing CREATE, GRANT, schema changes on a database
  • Summary of database backups