Logging and Threat Management
This Practice Directive provides guidance on logging and threat management to SF State departments and operational units operating network devices, production servers, and academic systems and servers.
Purpose and Scope
This Practice Directive is applicable to all SF State departments and operational units operating network devices, production servers as well as academic systems and servers. It outlines:
- the minimum level of monitoring and logging that must be in place for all campus servers
- the minimum event elements that must be logged
- a minimum retention period
- intervals and/or conditions for automated and human involved review and escalation
- recommended tools and configuration guidelines for implementation
- basic host and network threat management measures using log management tools (e.g. OSSEC)
All critical servers and devices must activate logging of the elements listed below (if available via the application or device) and retain such logs for a minimum of 45 days. Incident investigations, CSU records retention guidelines, subpoenas, departmental guidelines or other directives may dictate longer retention periods.
If available, and where storage and processor capacity allow, the following elements should be captured for the system and for critical applications running on the system:
- User/account identification
- Type of event
- Date and time
- Success or failure indication
- Program or utility used
- Origination of event (e.g., network address)
- Identity or name of affected data, information system or network resource
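The element list above is easier to apply when each log record carries the seven elements as named fields, because a script can then check every record for completeness and work out which records fall inside the 45-day retention floor. The following is an added example, not part of the directive or of any SF State tooling; the JSON field names, the JSON-lines layout and the three sample records are assumptions constructed for illustration.

```python
"""Added example (not part of the practice directive): validate audit log
records against the directive's seven minimum event elements and apply the
45-day retention floor. Field names, record layout and sample data are
assumptions constructed for this illustration."""
import json
from datetime import datetime, timedelta, timezone

# Directive elements mapped to assumed JSON field names.
REQUIRED_FIELDS = {
    "user": "User/account identification",
    "event_type": "Type of event",
    "timestamp": "Date and time",
    "outcome": "Success or failure indication",
    "program": "Program or utility used",
    "source": "Origination of event (e.g., network address)",
    "target": "Identity or name of affected data, information system or network resource",
}
MIN_RETENTION_DAYS = 45  # minimum retention period stated in the directive

# Constructed sample records (JSON lines). The second record lacks a source
# address; the third is older than the retention floor relative to the
# review date used below.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:15:00Z", "user": "jdoe", "event_type": "auth.login", "outcome": "success", "program": "sshd", "source": "10.0.4.17", "target": "web01"}
{"timestamp": "2024-03-01T08:16:30Z", "user": "jdoe", "event_type": "file.read", "outcome": "failure", "program": "httpd", "target": "/var/www/private/grades.csv"}
{"timestamp": "2024-01-02T23:59:00Z", "user": "svc_backup", "event_type": "auth.login", "outcome": "success", "program": "sshd", "source": "10.0.9.3", "target": "db01"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON-lines audit log text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_elements(record):
    """Return the directive elements that are absent or empty in one record."""
    return [desc for field, desc in REQUIRED_FIELDS.items()
            if record.get(field) in (None, "")]


def audit(records, review_time_iso, retention_days=MIN_RETENTION_DAYS):
    """For each record report which elements are missing and whether it is
    still inside the retention window as of review_time_iso. A record whose
    timestamp is missing or unparsable is kept (its age cannot be shown to
    exceed the floor), so it is flagged must_retain=True."""
    cutoff = _parse_ts(review_time_iso) - timedelta(days=retention_days)
    report = []
    for index, rec in enumerate(records):
        try:
            must_retain = _parse_ts(rec["timestamp"]) >= cutoff
        except (KeyError, ValueError, AttributeError):
            must_retain = True
        report.append({
            "index": index,
            "missing": missing_elements(rec),
            "must_retain": must_retain,
        })
    return report


def failed_events(records):
    """Indices of records with a failure outcome; these are the first
    candidates for the human review the directive calls for."""
    return [i for i, rec in enumerate(records) if rec.get("outcome") == "failure"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for row in audit(recs, "2024-03-10T00:00:00Z"):
        print(row)
    print("failure outcomes at indices:", failed_events(recs))
```

Running the script with a review date of 2024-03-10 reports the second record as missing the originating network address and the third record as past the 45-day floor (deletable only if no investigation, records-retention guideline or subpoena requires it to be kept longer).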
An automated log monitoring tool such as OSSEC is recommended for automated log alerting and for additional host-based intrusion detection and threat management capability. Technical guidance on configuring OSSEC can be found in the OSSEC Technical Implementation Guide.
Review & Escalation
System administrators should periodically review and share relevant data with their department IT staff, and as necessary, their management and the campus ISO when significant malicious or unauthorized activity is detected. Log data must be made available to the campus ISO upon request. Suspected attacks, and malicious or unauthorized activity should be reported to firstname.lastname@example.org or campus police as indicated at: Reporting a Security Incident or Vulnerability
Departments should use the review of log data to assess events that may indicate a threat or unauthorized activity. In addition to automated log monitoring, the recommended tool, OSSEC, also provides host-based intrusion detection.