Log Aggregation and Monitoring
Information Security provides Log Aggregation and Monitoring services using ArcSight.
Why would I send my logs to Information Security?
- If you don't have space for your records
- If you want to keep records for longer than the system default
- If you want a better search interface for your logs
- If you want to aggregate or compare between logs
- If you want to monitor your logs and create alerts for certain events
How long will Information Security keep these logs?
Information Security will keep different information for different lengths of time.
Data Element |
Brief Description |
Business Value |
Retention Period |
DHCP Lease Information |
A record of IP addresses, the computers (MAC addr.), and individuals they were assigned to. |
IP Address Ownership. Allows determination of the individual using a particular IP address at a given point in time. |
1 Year |
DNS Requests |
A record of DNS name lookups that were requested by a given IP address. |
Internet Sites (potentially) visited. Allows determination of which internet sites have been looked up. |
30 Days |
DNS Responses |
A record of the IP address associated with a DNS name at a point in time. |
Associate Links to IP addresses. Allows investigations to determine which URLs and links were associated with which IP flows. Does not allow us to identify individual user behavior. |
1 Year |
Net flow Records |
A record of network traffic connections in and out. |
Internet connections by IP. Allows partial reconstruction of traffic across our borders. |
1 Year |
Server Log Messages |
A record of logins, logouts, and other key messages from participating operating systems. |
Allows determination of the UTLN that logged into a specific server at a given time, such as Web or FTP servers. |
60 Days |
Application Log Messages |
A record of software use, updates and error messages from participating applications. |
Allows determination of application access and use, such as Mail, Web servers and databases, by UTLN. |
60 Days |
Firewall Log Messages |
A record of inbound and outbound connections and error messages by participating firewalls. |
Allows determination of failed attempts to connect on computers protected by a participating firewall. |
60 Days |
VPN Authentication Messages |
A record of logins made to the Tufts VPN. |
Allows determination of access to (and perhaps through) the VPN. |
1 Year |
VPN Log Messages |
A record of user activity on the VPN. |
Allows determination of which systems were accessed and when by already-logged in users. |
60 Days |
Anti-virus Log Messages |
A record of virus activity for participating AV systems. |
Allows reconstruction of viruses detected on computers and web sites blocked for individuals. |
60 Days |
Intrusion Detection Log Messages |
A record of suspicious traffic matching a given pattern. |
Allows us to detect certain types of network based attacks from outside the University, and soon, from within Tufts as well. |
60 Days |
Other Log Messages |
PVS, Active Scanning, Correlation, DMCA, REN-ISAC, Shadow server, Spam Cop, etc. |
Additional detective controls to be rolled into our ticketing system. |
60 Days |
Forensic Disk Images |
Duplicate copies of computer files for deep inspection, including deleted files if available. |
Supports the investigation of misconduct involving a Tufts-owned device. |
As directed by University Counsel. |