<h1>SYS 1041 Appendix A: Centralized Logging Events</h1>
<p>Published 2021-06-09 at https://www.wisconsin.edu/uw-policies/sys-1041-appendix-a-centralized-logging-events/</p>
<p>Security events that must be logged for high impact systems in a centralized logging infrastructure include but are not limited to successful and unsuccessful:</p>
<p>Authentication events to include but not limited to:</p>
<ul>
<li>system logon/logoff;</li>
<li>account or user-ID;</li>
<li>change of password;</li>
<li>the type of event;</li>
<li>an indication of success or failure of event;</li>
<li>the date and time of event; and</li>
<li>identification of the source of event, such as location, IP addresses, terminal ID or other means of identification.</li>
</ul>
<p>File change events for system files or files that contain high risk data will be logged to include at minimum:</p>
<ul>
<li>account or user-ID;</li>
<li>the date and time of event;</li>
<li>event type (read, write, delete, copy);</li>
<li>the resource (file name, file path); and</li>
<li>identification of the source of event, such as location, IP addresses, terminal ID or other means of identification.</li>
</ul>
<p>Privileged operations including but not limited to:</p>
<ul>
<li>use of system privileged accounts;</li>
<li>execution of scripts;</li>
<li>system starts and stops;</li>
<li>hardware attachments and detachments;</li>
<li>system and network management alerts and error messages; and</li>
<li>security events – account/group management and policy changes.</li>
</ul>