Centralized Security Audit Logging Request and Planning Form for Splunk
If you are interested in including your system logs in the OIT Security centralized audit logging service, completing this request and planning form is the first step. The OIT Security team will then vet each new request for approval and evaluate, scope, plan, and prioritize it. Please fill out the online form linked below; a completed example follows.
Submit Online Form via ServiceNow Here
Example:
General Information:
Requested By (Name & E-Mail): John Smith / jsmith@uci.edu
Department / Group: OIT / Student Services
Date: 02/30/2012
Priority: High
System Log Information:
System Name/IP | foobar-db.oit.uci.edu, 128.200.300.90
Description/Purpose | Student Registration Database Server
Risk Classification | High
OS/Version | Windows 2008 R2

| Log File | Log Format | Filtered Events To Include | Average Daily Size | Users/Groups Who Need Access | Campus Security Relevance |
|---|---|---|---|---|---|
| WinEventLog:Security | Windows Event Log | Authentication related event codes | 10MB | John, Jill, Jack and Judy | This server runs a database that contains high-risk restricted data; we need to know who accesses it and alert on possible breaches of that data. |
| WinEventLog:System | Windows Event Log | All | 5MB | same as above | same as above |
| WinEventLog:Application | Windows Event Log | MSSQL related event codes | 5MB | same as above | same as above |
System Name/IP | foobar-web.oit.uci.edu, 128.200.300.91
Description/Purpose | Student Registration Web Server
Risk Classification | High
OS/Version | Redhat Linux 5

| Log File | Log Format | Filtered Events To Include | Average Daily Size | Users/Groups Who Need Access | Campus Security Relevance |
|---|---|---|---|---|---|
| /var/log/secure | Syslog | Authentication and privilege escalation events (sudo/sshd/etc.) | 10MB | John, Jill, Jack and Judy | This server runs a web and application server that allows access to restricted data and is a critical campus service, so we should be alerted to inappropriate activity. |
| /var/log/tomcat7/application-registration-audit.log | Custom application log | All | 5MB | same as above | same as above |
| /var/log/httpd/access.log | Apache Access Log | All | 5MB | same as above | same as above |