The ultimate objective of security logging is to provide an institution-wide view of system events to more effectively detect threats, anomalies, and other compromises to campus systems and data and to provide for earlier alerts of such threats. Information captured by logs can be critical in supporting incident response or a forensic analysis in the event of a suspected data breach, IT security incident, or legally mandated investigations.
The University of Michigan (including UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine) is required to maintain security logs as part of its compliance with certain federal and state laws and regulations. This effort also helps your unit support and meet the U-M Security Log Collection, Analysis, and Retention (DS-19) standard.
Information Assurance (IA) uses Splunk—the Information and Technology Services (ITS) log collection and aggregation engine—to identify and monitor potential IT security threats. Splunk meets the requirement for using a security information and event management system (SIEM) for logging. IA has begun working with UM-Ann Arbor units to help them set up appropriate security logging that is sent to its secure and centralized Splunk security log repository for IA analysis and retention. There is no charge to units for participation in the Splunk security logging service.
Support for Your Unit
Every unit is different, so IA will hold individualized discovery meetings with each unit to work through the process of identifying needed security logs and getting them into the IA security log repository. IA will provide documentation and support to help bring all units into compliance with the standard by the end of 2020.
Setting Up Your Unit Security Logs
- Each unit's Security Unit Liaison (SUL) is asked to provide contact information for a person(s) who is familiar with unit systems and will work with IA to coordinate the unit's security logging. Please send this information to ITSSplunk@umich.edu.
- IA will hold discovery meetings (usually one–two hours long) with each unit during 2019. Participants in these meetings will review the security log standard, begin to work through a spreadsheet for identifying relevant logs, and plan next steps.
- First, check with your SUL. For questions about security logging in your unit, start with your SUL. SULs are being asked to coordinate the process in their units and designate someone to work with IA.
- Contact the IA security logging project team. To provide your unit's contact person or ask questions, send email to the team at ITSSplunk@umich.edu.
- Need to configure logging on your systems without Splunk? Check out Logging Configuration for U-M Systems. It provides guidance for configuring logs on university IT systems that do not forward to Splunk, and reminders of which systems must forward logs based on the data they store or handle.