Security Logging and Monitoring Standard

I. PURPOSE

This standard provides the core of the security log management framework used to detect security events that pose a threat to IT resources and data. The intent is to log events that may appear innocent in isolation but, when viewed as part of a pattern, may be determined to be malicious. Monitoring and logging are also crucial to security investigations and to ensuring that IT security controls are in place and not being bypassed.


II. DEFINITIONS

  1. Core Business – Applications, systems, and network devices vital to the university’s mission and business functions that are dependent upon the services provided by the core infrastructure. 
  2. Core Infrastructure – Applications, systems and network devices that support other systems or applications by providing essential services. (Examples include Active Directory, DNS, DHCP, routers, switches, etc.) 
  3. Log – A record of the events occurring within an organization’s systems and networks. Logs contain information related to specific events that have occurred within a system or network.
  4. Public-facing – Applications, systems, and network devices accessible from the internet and available to the public; also called customer facing. 
  5. Windows Event Viewer (WEL) – Tool to view events logged by the Windows OS as well as by third-party software written to send logs to the Event Viewer.


III. Standard 

  Requirements

  1. System administrators will develop logging procedures for systems they administer. 
  2. Logging: 
    1. All Endpoints will be monitored, and logs collected through the detection and response platform.  
    2. Key Windows and syslog events to monitor: 
      1. Any changes to the ACLs of system files or folders.
      2. Registry changes.
      3. Local and Domain Account changes. 
      4. Windows and SSH login success or failures. 
      5. Anti-virus logs. 
      6. Windows Event Log aggregation.  
      7. Access to network infrastructure. 
      8. Changes to ACLs on switches, routers, or firewalls.
      9. Web server access. 
      10. HTTP “404” errors. 
      11. FTP server access and file transfers. 
      12. Server security log events. 
    3. Key Windows Event logging categories to enable: 
      1. Logon events – Success/Failure. 
      2. Account logons – Success/Failure. 
      3. Account management – Success/Failure. 
      4. Directory Service access – Failure.
      5. System events – Success/Failure. 
  3. Log Event Management Solution: 
    1. Logging facilities and log information will be protected against tampering and unauthorized access, including protection against:
      1. Alteration or deletion of recorded log entries.
      2. The storage capacity of the log file media being exceeded, resulting in the failure to record events or the overwriting of previously recorded events.
    2. Log Event Management must meet the following requirements: 
      1. Automate collection of log files. 
      2. Ability to query log data for specific log event activity for analysis. 
      3. Secure log aggregation and storage for Windows Event logs and syslog data from devices and operating systems.
      4. Support for SQL Server and Oracle database log data.
      5. Agent monitoring (Windows, macOS, and Linux).
      6. Real-time monitoring. 
      7. Ability to create custom “alerts” for log monitoring. 
    3. NetFlow data:
      1. Automatically collect NetFlow data from core routers and switches for analysis.
  4. Logs will be maintained according to the Library of Virginia Data Retention schedule. 
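The Purpose section makes the point that single events can look innocent while a pattern is malicious, and item 2.2.4 above requires Windows and SSH login successes and failures to be collected. The following script is an added illustration of that idea and is not part of the standard or of any vendor's detection platform: it normalizes constructed Windows Security records (event ID 4625 is the real Windows "logon failure" event and 4624 the success event, but the one-line field layout here is a simplification) and constructed sshd syslog lines into a common form, then flags any source address with several failures inside a short window. The syslog year, the threshold of 3 failures and the 5-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from the standard). Each Windows Security event
# is flattened to one line; the real record is XML/EVTX with the same field names.
WINDOWS_EVENTS = [
    "2023-10-02T08:00:01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.5",
    "2023-10-02T08:00:04 EventID=4625 TargetUserName=asmith IpAddress=203.0.113.5",
    "2023-10-02T08:00:09 EventID=4625 TargetUserName=root IpAddress=203.0.113.5",
    "2023-10-02T08:30:00 EventID=4625 TargetUserName=jdoe IpAddress=198.51.100.7",
    "2023-10-02T08:30:02 EventID=4624 TargetUserName=jdoe IpAddress=198.51.100.7",
]
# Constructed syslog lines in the usual sshd format (note: no year in the timestamp).
SYSLOG_LINES = [
    "Oct  2 08:00:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Oct  2 08:00:15 web01 sshd[2211]: Failed password for jdoe from 203.0.113.5 port 51002 ssh2",
    "Oct  2 09:10:00 web01 sshd[2300]: Accepted password for jdoe from 198.51.100.7 port 52000 ssh2",
]

SYSLOG_YEAR = 2023  # assumption: classic syslog timestamps carry no year

WIN_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_windows(line):
    """Normalize a flattened 4624/4625 record; other event IDs are ignored."""
    m = WIN_RE.match(line)
    if not m or m["id"] not in ("4624", "4625"):
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "success": m["id"] == "4624",
    }


def parse_sshd(line):
    """Normalize an sshd 'Failed/Accepted password' syslog line."""
    m = SSH_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day-of-month
    return {
        "ts": datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
        "ip": m["ip"],
        "user": m["user"],
        "success": m["result"] == "Accepted",
    }


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": [...]}} for every source that produced
    at least `threshold` failed logons inside any `window`-long span."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over sorted timestamps
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                }
                break
    return flagged


def analyze(windows_lines=WINDOWS_EVENTS, syslog_lines=SYSLOG_LINES):
    """Merge both sources and report sources with a burst of failures."""
    events = [e for e in map(parse_windows, windows_lines) if e]
    events += [e for e in map(parse_sshd, syslog_lines) if e]
    return find_bursts(events)


if __name__ == "__main__":
    for ip, info in analyze().items():
        print(f"{ip}: {info['failures']} failed logons across users {info['users']}")
```

On the sample input only 203.0.113.5 is reported: five failures in fourteen seconds, spread over Windows and SSH and over four different account names, which is exactly the kind of pattern that each event on its own would not reveal. The single failure from 198.51.100.7 followed by a success stays below the threshold. In practice the same correlation would run inside the log event management solution required in item 3, with the threshold and window tuned to the environment.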


Approved by the CIO – October 2023