Logging (system, security, application)

Overview
Records of system, application and user activity and of information security events should be produced and retained for an agreed period of time. Audit logging should be enabled on systems and devices so that user activity is captured at the application or transaction level. Audit logs are critical to incident response, later investigations, audit trails and troubleshooting, among other uses.

Guidelines
Organizations should enable audit logging, including security events, on systems and devices such as workstations, servers and network devices. Critical applications and databases should also log access activity. Logs should be protected against tampering and deletion, and reviewed periodically.

Security event logging should include, where applicable: user or system ID, evidence of logon/logoff, event date and time, invalid login attempts, type of access (e.g. create, read, write, update), action success/failure, and privileged activities (e.g. changes to configurations, access rights, accounts/IDs or password resets).


Using a risk-based approach, organizations should focus first on logging for critical production systems and devices that access, process or store sensitive information (e.g. confidential or secret information). The organization's time and attention are best spent on protecting its "crown jewels", which are usually its data.

Examples of critical systems that should have logging enabled include:
  • Customer or internet facing systems and network devices
  • Systems, databases or data files that store or contain employee or customer Personally Identifiable Information (PII)
  • Applications that access, process or store PII
  • Identity and Access Control devices and management systems (e.g. LDAP or Active Directory infrastructure; remote access; wireless infrastructure)
  • Password repositories
Given the sheer volume of logging that is possible, it is also important to have a mechanism to filter, aggregate and archive logs from the various systems and devices, and to ensure they are protected (also see "Logging Protection"). A Security Information and Event Management (SIEM) system can be a valuable tool for this. A SIEM also provides a centralized console that lets security staff review and manage security events that may pose threats to the organization.
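As an added worked example (not part of the original page, and not any vendor's SIEM code): a small Python script that emits security events carrying the fields listed under Guidelines as one JSON object per line, then performs the kind of filter-and-aggregate review a SIEM rule would run over them, counting failed logons per user and source address and pulling out privileged actions. The field names, the privileged-action list, the failed-logon threshold and the sample log lines are all assumptions constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Minimum field set for a security event, following the Guidelines above.
# The names are assumed for this example; map them onto whatever your SIEM expects.
REQUIRED_FIELDS = ("ts", "actor", "action", "target", "outcome", "source_ip")

# Actions treated as privileged (assumed list; extend it for your environment).
PRIVILEGED_ACTIONS = {"config_change", "grant_access", "create_account", "password_reset"}


def make_event(actor, action, target, outcome, source_ip, ts):
    """Build one audit record; outcome must be 'success' or 'failure'."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    return {
        "ts": ts.astimezone(timezone.utc).isoformat(),  # UTC so events from many hosts sort correctly
        "actor": actor,            # user or system ID
        "action": action,          # logon, logoff, read, write, update, delete, password_reset, ...
        "target": target,          # what was acted on
        "outcome": outcome,
        "source_ip": source_ip,
        "privileged": action in PRIVILEGED_ACTIONS,
    }


def serialize(event):
    """One JSON object per line, keys sorted so downstream parsers see a stable layout."""
    return json.dumps(event, sort_keys=True)


def parse_line(line):
    """Parse one line; return None for malformed lines or lines missing required fields."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
        return None
    return event


def review(lines, fail_threshold=5):
    """Filter and aggregate the events the Guidelines single out: failed logons per
    (actor, source_ip), pairs that cross fail_threshold, and all privileged actions."""
    failed = Counter()
    privileged = []
    malformed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            malformed += 1          # count rather than silently drop: a gap in a log is a finding too
            continue
        if event["action"] == "logon" and event["outcome"] == "failure":
            failed[(event["actor"], event["source_ip"])] += 1
        if event.get("privileged") or event["action"] in PRIVILEGED_ACTIONS:
            privileged.append(event)
    return {
        "failed_logons": dict(failed),
        "brute_force": {key: n for key, n in failed.items() if n >= fail_threshold},
        "privileged_actions": privileged,
        "malformed": malformed,
    }


# Constructed sample log (not real data): six failed VPN logons for one account from one
# address, then a successful logon and a password reset of another account, a routine
# file read, plus one truncated line of the kind a crashed log forwarder leaves behind.
_t0 = datetime(2017, 7, 12, 8, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    serialize(make_event("alice", "logon", "vpn-gw1", "failure", "203.0.113.7", _t0 + timedelta(seconds=i)))
    for i in range(6)
] + [
    serialize(make_event("alice", "logon", "vpn-gw1", "success", "203.0.113.7", _t0 + timedelta(seconds=6))),
    serialize(make_event("alice", "password_reset", "user:bob", "success", "203.0.113.7", _t0 + timedelta(seconds=30))),
    serialize(make_event("bob", "read", "hr/payroll.csv", "success", "10.0.0.5", _t0 + timedelta(minutes=1))),
    '{"ts": "2017-07-12T08:02:00+00:00", "actor": "carol", "act',
]

if __name__ == "__main__":
    findings = review(SAMPLE_LINES)
    for (actor, ip), n in findings["brute_force"].items():
        print(f"possible brute force: {n} failed logons for {actor} from {ip}")
    for ev in findings["privileged_actions"]:
        print(f"privileged: {ev['ts']} {ev['actor']} {ev['action']} {ev['target']} ({ev['outcome']})")
    print(f"malformed lines: {findings['malformed']}")
```

Two design points worth carrying into a real deployment: timestamps are normalized to UTC before serialization, because correlating events across hosts with mixed local clocks is a common failure in incident timelines; and malformed lines are counted instead of discarded, since a burst of truncated or missing records is itself something a reviewer should see.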
 
News Articles
Millions of Verizon customer records exposed in security lapse (www.zdnet.com, 7/12/2017)
Splunk Patches Information Theft and XSS Flaws (www.securityweek.com, 4/3/2017)
Whistle-blower update: Snowden lands in Moscow; WikiLeaker's Gmail searched (news.cnet.com, 6/22/2013)
McAfee ESM named Leader in 2013 Gartner Magic Quadrant for SIEM (blogs.mcafee.com, 6/12/2013)
Big data can be a big headache for data defenders (www.computerworld.com, 4/25/2013)
RSA 2013: Hackers will get in, so spend the money on pushing them out (www.scmagazine.com, 2/27/2013)
Big data brings intelligence-based security, RSA chief says (www.zdnet.com, 2/26/2013)
HP joins Hadoop party with security plug-in for ArcSight (www.zdnet.com, 2/25/2013)
Hackers Stole Emails From Employees in Chamber of Commerce Breach (www.eweek.com, 12/21/2011)
Policies
Security and System Logging Policy
Standards
NIST Guide to Computer Security Log Management, Special Publication 800-92 (NIST, 9/1/2006)