Security Log Management

The ultimate objective of security logging is to provide an institution-wide view of system events to more effectively detect threats, anomalies, and other compromises to campus systems and data and to provide for earlier alerts of such threats. Information captured by logs can be critical in supporting incident response or a forensic analysis in the event of a suspected data breach, IT security incident, or legally mandated investigations.

The University of Michigan (including UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine) is required to maintain security logs as part of its compliance with certain federal and state laws and regulations. This effort also helps your unit support and meet the U-M Security Log Collection, Analysis, and Retention (DS-19) standard.

Information Assurance (IA) uses Splunk—the Information and Technology Services (ITS) log collection and aggregation engine—to identify and monitor potential IT security threats. Splunk meets the requirement for using a security information and event management system (SIEM) for logging. IA has begun working with UM-Ann Arbor units to help them set up appropriate security logging that is sent to its secure and centralized Splunk security log repository for IA analysis and retention. There is no charge to units for participation in the Splunk security logging service.

Support for Your Unit

Every unit is different, so IA will meet with you to work through the process of identifying any needed security logs that are not already in the IA security log repository and help you get them added as needed.


  • First, check with your SUL. For questions about security logging in your unit, start with your SUL. SULs coordinate the process in their units and designate someone to work with IA.
  • Need to configure logging on your systems without Splunk? Check out Logging Configuration for U-M Systems. It provides guidance for configuring logs on university IT systems that do not forward to Splunk, and reminders of which systems must forward logs based on the data they store or handle.