UC Davis Cyber-Safety Program: Audit Logs
If you are a computer user within an academic or administrative department on campus, you may have a Technology Support Coordinator (TSC) who is working to secure your system. Before taking any of the security steps listed below, please check with your TSC.
From the UC Davis Cyber-Safety Program Policy:
Campus units must develop and implement a policy defining the use, inspection and retention of audit logs. Audit log inspection may permit the identification of unauthorized access to sensitive electronic communication records. The use of audit logs should be extended to document activities such as account use and the network source of the login, incoming and outgoing network connections, file transfers and transactions.
Information...
What is an audit log?
Audit logs allow computer administrators, such as campus TSCs, to get a good idea of where visitors are coming from, how often they return, and how they navigate through a site.
Why is this important?
Audit logs, when reviewed regularly, can be helpful in identifying potential security breaches or issues. Audit logs for networked machines can show illegitimate account access attempts, port scans, or malformed requests, all of which may be an indication of an ongoing attack. Reviewing outgoing logs from a firewall can provide an indication of a compromised machine on your network. And logging access to confidential files permits administrators to check for unauthorized access. Audit logs should contain the timestamp of the event, as well as information such as user logins, destination and source addresses, and the resource that was accessed. Using a centralized logging system such as the Unix syslog package is recommended for ease of administration and quick access to logs from different hosts or devices.
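As an added illustration of the review described above (not part of the UC Davis page), the script below parses a few constructed syslog-style sshd lines into the fields the page says an audit record should carry (timestamp, user, source address, destination host and resource) and counts failed logins per source so that repeated illegitimate access attempts stand out. The log lines, host names and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log in traditional syslog/sshd format. Hosts and
# addresses are placeholders, not real systems.
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[4021]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:02:40 host1 sshd[4033]: Failed password for root from 192.0.2.77 port 40110 ssh2
Mar 10 08:02:43 host1 sshd[4035]: Failed password for root from 192.0.2.77 port 40112 ssh2
Mar 10 08:02:47 host1 sshd[4037]: Failed password for invalid user admin from 192.0.2.77 port 40114 ssh2
Mar 10 08:02:50 host1 sshd[4039]: Failed password for invalid user oracle from 192.0.2.77 port 40116 ssh2
Mar 10 08:05:02 host1 sshd[4050]: Failed password for bob from 10.0.0.9 port 52200 ssh2
Mar 10 08:05:10 host1 sshd[4052]: Accepted password for bob from 10.0.0.9 port 52201 ssh2
"""

# One regex for the "Accepted ..." / "Failed ..." lines sshd writes to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return one audit record (timestamp, user, source, destination, resource)
    or None for lines that are not sshd login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "source": m.group("src"),
        "destination": m.group("host"),
        "resource": "sshd",
        "result": m.group("result"),
    }


def parse_log(text):
    """Parse every recognised line of a log into audit records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_logins_by_source(records):
    """Count failed login attempts per source address."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "Failed":
            counts[r["source"]] += 1
    return dict(counts)


def flag_suspicious_sources(records, threshold=3):
    """Sources at or above the failure threshold: a simple indicator of the
    repeated account-access attempts the page says logs can reveal."""
    counts = failed_logins_by_source(records)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src in flag_suspicious_sources(recs):
        print(f"review: {src} had {failed_logins_by_source(recs)[src]} failed logins")
```

The threshold is deliberately low so the constructed sample trips it; in practice the value, and whether "invalid user" attempts are weighted more heavily, is something the unit's log policy should decide.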
Campus sysadmins recommend...
- Log Management for the University of California: Issues and Recommendations
- Information on RMP-8: Legal Requirements on Privacy of and Access to Information
- Log parsing tools
- Windows Log monitoring resources
- Microsoft Event Log Dumper: Retrieves event logs from local or remote systems.
- Understanding Windows Logging
- Unix log monitoring resources
- Macintosh log monitoring resources
- www.loganalysis.org
- An Introduction to syslog
- Swatch: Active log file monitoring tool.
Tripwire...
In addition to audit logs, system administrators may also use Tripwire to independently verify process integrity through detecting, reconciling and reporting desired and undesired system changes. UC Davis maintains a multi-year software license for the use of Tripwire for Servers (Windows, Solaris, FreeBSD, AIX, Linux, HP-UX), Tripwire Manager and Tripwire for Network Devices. There is no charge for campus unit use of licensed Tripwire products. To obtain Tripwire, please send an email to software@ucdavis.edu.