Log Aggregation and Monitoring

Information Security provides Log Aggregation and Monitoring services using ArcSight. This is not a production service or system of record: there is the potential for data to be lost in transfer to ArcSight. If you contribute logs, you will be given an account so that you can always see your information. If you are using Splunk for Linux or Unix machines, your logs are already automatically sent to Information Security. Email Captain ArcSight (Benjamin.Walther@tufts.edu) for more information about log aggregation and monitoring, or if you would like to contribute logs.

What logs will Information Security take? 

We will take any logs. Information Security is willing to work with any department to monitor and service any logs. 

Why would I send my logs to Information Security?

  • If you don't have space for your records
  • If you want to keep records for longer than the system default
  • If you want a better search interface for your logs
  • If you want to aggregate or compare between logs
  • If you want to monitor your logs and create alerts for certain events
  • If you want log servicing. Information Security will check for login fraud and brute-force attacks.
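As an added illustration of the kind of "log servicing" check listed above, the following is example code written for this page; it is not Tufts' or ArcSight's code. It reads Linux sshd authentication lines of the sort Splunk forwards, counts failed logins per source address inside a sliding time window, and raises a second alert when a login succeeds from an address that was already flagged. The log lines, the year used for timestamp parsing, the threshold and the window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Linux sshd/syslog form (not real Tufts data).
SAMPLE_LOG = """\
Mar  3 08:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 08:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 08:00:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 08:00:06 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar  3 08:00:08 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
Mar  3 08:00:09 web1 sshd[2111]: Accepted password for jsmith from 203.0.113.7 port 50132 ssh2
Mar  3 08:15:00 web1 sshd[2200]: Failed password for jsmith from 198.51.100.4 port 41000 ssh2
Mar  3 08:45:00 web1 sshd[2201]: Failed password for jsmith from 198.51.100.4 port 41002 ssh2
Mar  3 09:20:00 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 39000 ssh2
"""

# Matches the two sshd outcomes we care about; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd line into a dict, or return None if it is not a login event.
    Syslog lines carry no year, so one is assumed (constructed value)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_seconds=60):
    """Return a list of alerts.
    Rule 1 (brute_force): at least `threshold` failures from one source IP
            within `window_seconds` (sliding window, pruned per event).
    Rule 2 (success_after_brute_force): a successful login from an IP that
            rule 1 already flagged, a common sign of a guessed credential."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Drop failures that fell out of the window.
            while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"rule": "brute_force", "ip": ev["ip"],
                               "host": ev["host"], "count": len(recent),
                               "last_seen": ev["ts"]})
        elif ev["ip"] in flagged:
            alerts.append({"rule": "success_after_brute_force", "ip": ev["ip"],
                           "user": ev["user"], "host": ev["host"], "when": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts: a brute_force alert for 203.0.113.7 after its fifth failure in eight seconds, followed by a success_after_brute_force alert when jsmith's login from that address is accepted. The two widely spaced failures from 198.51.100.4 stay below the window threshold and produce nothing, which is the behaviour you want so that a forgotten password does not page anyone.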

How long will Information Security keep these logs?

Information Security will keep different information for different lengths of time. Below is a table of standard lengths for different information types. Information Security can also keep logs for more or less time with coordination from the department. 

Data Element | Brief Description | Business Value | Retention Period
--- | --- | --- | ---
DHCP Lease Information | A record of IP addresses, the computers (MAC addr.), and individuals they were assigned to. | IP Address Ownership. Allows determination of the individual using a particular IP address at a given point in time. | 1 Year (May need to be recalled from tapes.)
DNS Requests | A record of DNS name lookups that were requested by a given IP address. | Internet sites (potentially) visited. Allows determination of which internet sites have been looked up. | 30 Days (There may be small variance to this retention period based on operational need.)
DNS Responses | A record of the IP address associated with a DNS name at a point in time. | Associate links to IP addresses. Allows investigations to determine which URLs and links were associated with which IP flows. Does not allow us to identify individual user behavior. | 1 Year (May need to be recalled from tapes.)
NetFlow Records | A record of network traffic connections in and out. | Internet connections by IP. Allows partial reconstruction of traffic across our borders. | 1 Year (May need to be recalled from tapes.)
Server Log Messages | A record of logins, logouts, and other key messages from participating operating systems. | Allows determination of the UTLN that logged into a specific server at a given time, such as Web or FTP servers. | 60 Days (There may be small variance to this retention period based on operational need.)
Application Log Messages | A record of software use, updates and error messages from participating applications. | Allows determination of application access and use, such as Mail, Web servers and databases, by UTLN. | 60 Days (There may be small variance to this retention period based on operational need.)
Firewall Log Messages | A record of inbound and outbound connections and error messages by participating firewalls. | Allows determination of failed attempts to connect to computers protected by a participating firewall. | 60 Days (There may be small variance to this retention period based on operational need.)
VPN Authentication Messages | A record of logins made to the Tufts VPN. | Allows determination of access to (and perhaps through) the VPN. | 1 Year (May need to be recalled from tapes.)
VPN Log Messages | A record of user activity on the VPN. | Allows determination of which systems were accessed and when by already logged-in users. | 60 Days (There may be small variance to this retention period based on operational need.)
Anti-virus Log Messages | A record of virus activity for participating AV systems. | Allows reconstruction of viruses detected on computers and web sites blocked for individuals. | 60 Days (There may be small variance to this retention period based on operational need.)
Intrusion Detection Log Messages | A record of suspicious traffic matching a given pattern. | Allows us to detect certain types of network-based attacks from outside the University, and soon, from within Tufts as well. | 60 Days (There may be small variance to this retention period based on operational need.)
Other Log Messages | PVS, Active Scanning, Correlation, DMCA, REN-ISAC, Shadowserver, SpamCop, etc. | Additional detective controls to be rolled into our ticketing system. | 60 Days (There may be small variance to this retention period based on operational need.)
Forensic Disk Images | Duplicate copies of computer files for deep inspection, including deleted files if available. | Supports the investigation of misconduct involving a Tufts-owned device. | As directed by University Counsel.


Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.