Logging Best Practices

Logging Systems at ASU

ASU leverages the Splunk enterprise logging management tool for collecting system logs across the organization. System logging is ingested into Splunk from each endpoint that is running the Splunk Universal Forwarder. The sourced data is ingested by the indexer cluster and cannot be modified or deleted from Splunk until it is purged upon expiration of the assigned retention period. Logs should be forwarded to a centralized system such as ASU’s Splunk instance, to ensure immutability, correlation, incident review, and compliance. Access to the logs is restricted on various levels to authorized users, depending on their role in the organization.

As a member of ASU with a Server established on the ASU network, you must implement the ASU System Auditing Standards for logging.

Adding a New Endpoint for Logging

You can submit a request for data to be added to Splunk here

Requesting Log Access

Submit an access request for Splunk here

 

Best Practices

The following practices will help your IT teams determine the items that should be incorporated into log collection and forwarding.  Many of these logs may already be collected if the system contains ASU Next-Generation Anti-Virus(NGAV) aka Endpoint Detection and Response(EDR) solution.  Consult with the SOC if you have any questions about your coverage.

Log Forwarder Installation

A default installation of the Splunk forwarder is included on instances of RedHat Enterprise Linux (RHEL), or Windows Server provided through ASU. 

Application logs, such as websites, shell scripts, or other custom or purchased software, may incorporate mechanisms to authenticate, authorize, or monitor user activity while using the platform.  If the application contains such capabilities, these items should be logged and forwarded. For additional assistance installing or setting up the Splunk forwarder, you can reach out to the community slack channel #splunk for guidance. 

 

Types of Data

You can reference the types of data that can be ingested and indexed using the Splunk logging service on the Splunk website.