Information Security Office

Log Management Guidelines

This guideline sets out the requirements for retaining and reviewing computer system and application logs. Monitoring system and application logs plays a critical role in securing information resources: it helps detect unauthorized system activity, supports performance monitoring, and provides the evidence needed for incident investigation. At the same time, maintaining and reviewing logs takes considerable resources, and that effort must be balanced against the benefit gained in mitigating information security risk.

Logging Requirements

The Information Security Officer (ISO) will provide all applicable campus system and application managers with a list of the computer system and application logs that must be kept. In addition, the ISO will define the required form of those logs, the method and timing of log retention, and the required availability of the logs for audit and review. For key events, audit logs must contain at minimum the event, application or process, the user ID, and the date and time. Where required, audit logs should also identify the terminal, location, network addresses and protocols involved.
In identifying log requirements, the Information Security Officer will also assess the physical and staff resources available for log maintenance, as well as the resources available for audit and review of logs.
Key functions that are typically logged are:

  • Records of successful and failed system access attempts;

  • Records of failed attempts to access data and other resources;

  • Changes to system configuration;

  • Use of elevated privileges;

  • Use of system utilities and applications;

  • Alarms raised by the access control system;

  • Changes to protection systems (e.g. firewall, anti-virus, and intrusion detection systems);

  • Additional events identified by the vendor or system administrator.

Monitoring Logs

The risk level of a system, as determined by the ISO, sets its monitoring frequency requirements. All required logging systems must undergo at least an annual risk assessment review to ensure that they follow the appropriate monitoring requirements. Systems or processes with higher risk factors may be required to undergo more frequent review and assessment. Risk factors considered include:

  • Criticality of business process;

  • Information classification associated with the system;

  • Past experience or understanding of system vulnerabilities;

  • System exposure (e.g. open at the border firewall).

Monitoring best practice requires regular review and analysis of required log files, as well as appropriate follow-up. Daily log monitoring is required for critical systems, for systems containing Level 1 protected information, and for systems exposed through the border firewall. The ISO may define log harvesting, parsing, alerting tools or similar required functions to achieve appropriate levels of review.
All other required logs must be monitored at least weekly. At a minimum, log monitoring must:

  • Test to ensure log triggers are appropriately configured;

  • Periodically test to ensure log triggers are not compromised;

  • Identify faults for further analysis and remediation steps;

  • Review fault logs to ensure proper resolution or mitigation of identified faults.
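As an added illustration of what a routine review against these requirements looks like in practice (this is example code written for this page, not a tool the Information Security Office provides), the script below parses a handful of constructed syslog-style authentication lines, checks that each record carries the minimum fields the guideline requires (timestamp, process, and for key events a user ID), and tallies the two event classes the guideline singles out: failed access attempts and use of elevated privileges. The hostnames, user names, addresses and the alert threshold of three failed logins from one source are all assumptions chosen for the example.

```python
"""Minimal daily log review over constructed auth-log lines (example, not ISO code)."""
import re
from collections import Counter

# Constructed sample lines in auth.log/syslog style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2031]: Accepted publickey for alice from 10.1.2.3 port 50210 ssh2
Mar  3 08:02:40 web01 sshd[2044]: Failed password for bob from 198.51.100.7 port 41022 ssh2
Mar  3 08:02:43 web01 sshd[2044]: Failed password for bob from 198.51.100.7 port 41022 ssh2
Mar  3 08:02:47 web01 sshd[2044]: Failed password for bob from 198.51.100.7 port 41022 ssh2
Mar  3 08:02:51 web01 sshd[2044]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar  3 08:05:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 08:07:30 web01 sshd[2101]: Accepted password for carol from 10.1.2.9 port 50333 ssh2
this line is garbage and has no usable fields
"""

# Syslog header: timestamp, host, process[pid]: message.  A line that does not carry
# a timestamp and a process name fails the guideline's minimum-field requirement.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
SSH_OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SSH_FAIL_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Return an event record, or None when the line has no usable syslog header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "process": m["proc"],
           "event": "other", "user": None, "src": None}
    msg = m["msg"]
    if rec["process"] == "sshd":
        ok = SSH_OK_RE.match(msg)
        fail = SSH_FAIL_RE.match(msg)
        if ok:
            rec.update(event="login_ok", user=ok["user"], src=ok["src"])
        elif fail:
            rec.update(event="login_failed", user=fail["user"], src=fail["src"])
    elif rec["process"] == "sudo":
        p = SUDO_RE.match(msg)
        if p:
            rec.update(event="privilege_use", user=p["user"],
                       target=p["target"], command=p["cmd"])
    return rec


def review(log_text, fail_threshold=3):
    """Summarise one review period: unparsed lines, failed access attempts per source,
    successful logins per user, privilege use, and alerts that need follow-up."""
    summary = {
        "unparsed": 0,               # lines lacking the minimum fields (timestamp/process)
        "failed_by_source": Counter(),
        "success_by_user": Counter(),
        "privilege_use": [],         # (user, target user, command)
        "alerts": [],
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["event"] == "login_failed":
            summary["failed_by_source"][rec["src"]] += 1
        elif rec["event"] == "login_ok":
            summary["success_by_user"][rec["user"]] += 1
        elif rec["event"] == "privilege_use":
            summary["privilege_use"].append((rec["user"], rec["target"], rec["command"]))
    # Threshold (an assumption for this example) that turns a tally into a follow-up item.
    for src, n in summary["failed_by_source"].items():
        if n >= fail_threshold:
            summary["alerts"].append(f"{n} failed logins from {src}")
    if summary["unparsed"]:
        summary["alerts"].append(f"{summary['unparsed']} line(s) missing required fields")
    return summary


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The unparsed-line count is the cheap version of the "test that log triggers are appropriately configured" bullet: a sudden rise in lines that lack a timestamp or process name usually means a log format or forwarding change rather than an attack, but either way it needs a ticket.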

Retention and Protection of Log Information

Required log information must typically be retained for six months.
Log information must be protected from tampering or modification, for example by restricting file access to those with a need to know or by an equivalent security control. Systems with Level 1 protected information must also store their logs on a secure secondary system, so that an attacker who compromises the originating system cannot erase the record of the compromise.

Clock Synchronization

All event-generating applications must synchronize to the campus time servers (ntp.csus.edu), so that timestamps from different systems can be correlated during audit and incident investigation.