System Logging Security Standard for Restricted Data Devices

1.0 Overview

The UGA Policies on Use of Computers outline acceptable use of computing and network resources at UGA. The policy states that no one shall store confidential information on computers or transmit confidential information over University networks without protecting the information appropriately.

2.0 Objective / Purpose

This document outlines the logging standards that are required for devices that store or process restricted University data. We also highly advise the logging of devices that store or process sensitive University data. The purpose of these requirements is to store logs from these systems in the Office of Information Security’s Security Incident Event Manager (SIEM). This will enable security staff to monitor the security of all systems which store or process restricted or sensitive data.

3.0 Scope

This standard applies to all University servers that store or process restricted data. Requirements established within this document do not supersede any specific requirements imposed on UGA by Board of Regents policies, State and Federal laws, or contractual agreements.

4.0 Standard

4.1 Log Forwarding

All servers that store or process restricted data must forward security logs (requirements in Section 4.2) to the SIEM.

4.1.1 Contact soc@uga.edu for details on how and where to forward Syslog from Unix and Windows systems or Windows Event Logs from Windows systems. Syslog is the preferred transport method for all logs.

4.1.2 Each log line must include the IP address of the server from which the line originated.

4.2 Required Logs

4.2.1 Server Authentication Logs

Must include the following:

  • time
  • username
  • IP address from which the login originated
  • whether or not the login was successful
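As an added example (not part of the UGA standard), a small Python checker that parses constructed sshd authentication lines as a syslog collector might receive them, extracts the four fields Section 4.2.1 requires, and flags lines whose originating host is not given as an IP address as Section 4.1.2 requires. The line layout ("timestamp origin sshd[pid]: message") and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: sshd auth lines as received at a syslog collector.
# Assumed layout: "<timestamp> <origin> sshd[pid]: <message>", where <origin>
# should be the sending server's IP address (Section 4.1.2).
SAMPLE_LINES = [
    "2024-03-01T10:15:02Z 10.20.30.40 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2",
    "2024-03-01T10:15:09Z 10.20.30.40 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "2024-03-01T10:15:11Z webserver01 sshd[2218]: Accepted password for bob from 192.0.2.11 port 51520 ssh2",
    "2024-03-01T10:15:12Z 10.20.30.40 sshd[2219]: Connection closed by 192.0.2.12 port 51521",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HEADER = re.compile(r"^(?P<time>\S+) (?P<origin>\S+) sshd\[\d+\]: (?P<msg>.*)$")
# Matches the sshd success/failure messages; "invalid user" is optional.
AUTH = re.compile(
    rf"^(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>{IPV4})"
)

@dataclass
class AuthEvent:
    time: str       # 4.2.1: time
    origin: str     # 4.1.2: IP of the server the line came from
    user: str       # 4.2.1: username
    src_ip: str     # 4.2.1: IP address the login originated from
    success: bool   # 4.2.1: whether the login succeeded

def parse_auth_line(line):
    """Return an AuthEvent for an sshd login line, or None for any other line."""
    m = HEADER.match(line)
    if not m:
        return None
    a = AUTH.match(m["msg"])
    if not a:
        return None
    return AuthEvent(m["time"], m["origin"], a["user"], a["src"], a["result"] == "Accepted")

def check_compliance(lines):
    """Parse auth events and report lines that violate 4.1.2 (origin not an IP)."""
    events, findings = [], []
    for n, line in enumerate(lines, 1):
        ev = parse_auth_line(line)
        if ev is None:
            continue
        events.append(ev)
        if not re.fullmatch(IPV4, ev.origin):
            findings.append(f"line {n}: origin '{ev.origin}' is not an IP address (4.1.2)")
    return events, findings
```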

4.2.2 Logs of any log-based intrusion prevention security application, such as fail2ban or DenyHosts

These logs must include the following:

  • time
  • username(s) attempted
  • IP address

4.2.3 Web server access logs (if the server is offering web pages)

These logs must include the following:

  • time
  • IP address
  • the complete URL of the page that was accessed

4.2.4 Any logs for applications that handle restricted information or authentication/access

These logs must include the following:

  • time
  • IP address of server on which the application is running
  • any critical information on actions performed within the application

Critical information includes any security related actions:

  • failed login attempts
  • successful logins
  • user creation
  • user deletion
  • credential and permission changes
  • file accesses
  • file downloads and uploads
  • any other critical actions unique to the application

5.0 Enforcement and Implementation

5.1 Roles and Responsibilities

Each University department/unit is responsible for implementing, reviewing and monitoring internal policies, practices, etc. to assure compliance with this standard.

The Office of the Chief Information Officer is responsible for enforcing this standard.

5.2 Consequences and Sanctions

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.

Any device that does not meet the minimum security requirements outlined in this standard may be removed from the UGA network, disabled, etc. as appropriate until the device can comply with this standard.

6.0 Exceptions

Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs. To request a security exception, contact the Office of Information Security at infosec@uga.edu.

7.0 References