Best Practices for Managing Logs
Most computer technology has the ability to generate logs of activity, sometimes referred to as ‘system logs’ or ‘logfiles.’ These logs may be used for a variety of purposes, including troubleshooting technology problems, detecting unauthorized access or usage, fulfilling audit or other compliance requirements, etc. The logs may be created by an operating system, an application, a service, a networking device, or other technology.
The Iowa Board of Regents has created general guidelines for Log Retention, available at https://itsecurity.uiowa.edu/borlogguide. These are general guidelines to be followed in the absence of specific legal, regulatory or policy requirements. For example, PCI-DSS 10.7 requires a minimum retention time of 1 year, and HIPAA requires a minimum of 6 years; these specific requirements override the Regents’ general recommendations. Individuals who manage logs should be aware of any specific requirements that pertain to their logs and configure the logs according to those requirements.
By default, some technology may generate logs that contain sensitive or confidential data. Whenever possible, logs should be configured to not store data that is confidential in and of itself (e.g., SSN, PHI, etc.) If this is not possible, then the logs themselves must be protected by appropriate security controls.
Logs may also contain data that is not sensitive in and of itself, but which may be sensitive in a specific context. For example, wireless access logs may reveal sensitive information about the location of an individual at a point in time. These logs must also be protected by appropriate security controls.
Understand the purpose of the logs that you manage. Logs that are intended for system or application troubleshooting should not be used surveillance purposes, except when specifically authorized for this by the Office of the General Counsel.
Document the purpose and retention schedule for the logs that you manage. Contact the Information Security and Policy Office if you have questions.
Operating systems, applications and other technology may generate many types of logs. The following are some common types of operating system logs.
Authentication logs contain a record of attempts to login to a system. Log entries typically contain the username of the account and whether the login was successful or failed.
Access logs contain information about when some collection of data (file, database record, etc.) was read, modified, or created.
System logs contain information related to events that occur while an operating system is running. Log entries may contain information about system startup and shutdown, changes to system hardware, updates to system software, process startup and termination, etc.
Service logs contain information related to systems that provide a basic service to other technology, or that monitor a specific type of information collected from other systems. Examples of service logs include arp cache, dhcp lease, dns, etc.
Security Event and Incident Management (SEIM)
The Information Security and Policy Office (ISPO) maintains a campus tool (Splunk) to analyze and respond to security events and incidents. Authentication logs should be configured to forward to the SEIM for analysis. Technology which processes or stores critical or restricted data should also forward access and system logs to the SEIM. Please contact ISPO at firstname.lastname@example.org for more information.
Best Practices Summary
|Log Type||Minimum Retention||Maximum Retention||Forward to SEIM?|
|Authentication||90 days||1 year||Yes|
|Access||90 days||none||If restricted or critical data|
|System||30 days||none||If restricted or critical data|
Remember that specific legal, regulatory or policy requirements may override these suggestions.
Institutional Data Policy https://itsecurity.uiowa.edu/institutional-data
Iowa Board of Regents IT Security and Network Log Retention Guidelines https://itsecurity.uiowa.edu/borlogguide