Child pages
  • Centralized Security Audit Logging Request and Planning Form for Splunk
Skip to end of metadata
Go to start of metadata

If you are interested in including your system logs in the OIT Security centralized audit logging service, completing this request and planning form is the first step. The OIT Security team will then vet for approval, evaluate, scope, plan, and prioritize incoming new requests. Please fill out the online form below.  See below for an example.

Submit Online Form via ServiceNow Here


Example:

General Information:

Requested By (Name & E-Mail):  John Smith / jsmith@uci.edu

Department / Group: OIT / Student Services

Date: 02/30/2012

Priority: High

 

System Log Information:

 

System Name/IP

foobar-db.oit.uci.edu, 128.200.300.90

Description/Purpose

Student Registration Database Server

Risk Classification

 High

OS/Version

Windows 2008 R2

Log File

Log Format

Filtered Events To Include

Average Daily Size

Users/Groups Who Need Access

Campus Security Relevance

WinEventLog:Security

Windows Event Log

 

Authentication related event codes

 

10MB

 

John, Jill, Jack and Judy

 

This server runs a database that contains high risk restricted data, we need to know who accesses it and alert on possible breaches of that data.

 

 WinEventLog:System

 Windows Event Log

 All

 5MB

 same as above

same as above

 WinEventLog:Application

Windows Event Log

 MSSQL related event codes

 5MB

 same as above

same as above

 

System Name/IP

foobar-web.oit.uci.edu, 128.200.300.91

Description/Purpose

Student Registration Web Server

Risk Classification

 High

OS/Version

Redhat Linux 5

Log File

Log Format

Filtered Events To Include

Average Daily Size

Users/Groups Who Need Access

Campus Security Relevance

/var/log/secure

Syslog

 

Authentication and privilege escalation events (sudo/sshd/etc)

 

10MB

 

John, Jill, Jack and Judy

 

This server runs a web and application server that allows access to restricted data and is a critical campus service that we should be alerted of inappropriate activity.

 

/var/log/tomcat7/application-registration-audit.log

Custom application log

 All

 5MB

 same as above

same as above

/var/log/httpd/access.log

Apache Access Log

All

 5MB

 same as above

same as above

 

 

 

  • No labels