ASR-0004 Logging Management
Originally ASR-0004-LOGGING-MANAGEMENT (v4) · Source on Confluence: Security Event Logging Management
Summary
This document establishes requirements to support NIST SP 800-53 AU-2 EVENT LOGGING, AU-3 CONTENT OF AUDIT RECORDS, and related controls, and follows the NIST SP 800-92 Guide to Computer Security Log Management recommendations for consistent, reliable, and efficient security event log management.
Infrastructure, operating systems, and applications need to export security events to provide an audit trail that supports after-the-fact investigations. Application logs often provide information not available from other systems about the user (identity, roles, permissions) and the context of the event (target, action, outcome).
The following sections list the security events to be logged and the separation of responsibilities needed to meet NIST controls AU-3, AC-6(9), CM-3, CM-5(1), SC-7(9), SI-3(8), SI-4(22).
Applications
An application user is unique to its application and may be an actual person who logs in, such as an employee or customer; a built-in account used for an integration or back-end service; or a device (machine, OT, IoT, etc.).
When possible, applications and APIs should log the following:
Input validation failures, e.g. protocol violations, unacceptable encodings, invalid parameter names and values
Output validation failures, e.g. database record set mismatch, invalid data encoding
Authentication successes and failures
Authorization (access control) failures
Session management failures, e.g. modification of a cookie session identifier value
Application errors and system events, e.g. syntax and runtime errors, connectivity problems, performance issues, third-party service error messages, file system errors, configuration changes
Application and related systems start-ups and shut-downs, and logging initialization (starting, stopping or pausing)
Use of higher-risk functionality, for example:
- Addition or deletion of users
- Changes to privileges
- Assigning users to tokens
- Adding or deleting tokens
- Access by application administrators
- All actions by users with administrative privileges
- Access to payment data
- Use of data encrypting keys
- Key changes (log the event, never the key material)
- Creation and deletion of system-level objects
- Data import and export including screen-based reports
- Submission of user-generated content - especially file uploads
Legal and other opt-ins, e.g. permissions for mobile phone capabilities, terms of use, terms and conditions, personal data usage consent, permission to receive marketing communications
Systems
For the purposes of logging, a system log is a record of operating system events. A system user is an individual, or a (system) process acting on behalf of an individual, authorized to access an operating system.
For Infrastructure-as-a-Service offerings and on-premises devices, system and network administrators are responsible for:
Configuring logging on their systems and network devices.
Analyzing those logs periodically.
Ensuring the following log event types are forwarded:
- Authentication successes, failures, abnormal access patterns
- Authorization failures
- Attempts to access service accounts
- Access control successes and failures
- Session activity, such as files and applications used, particularly system utilities
- Changes in user privileges
- Privileged actions (administrator, sudo, root access), which must be correlated to a user session
- Processes starting or stopping
- Changes to network and security configuration settings
- Software installed or deleted
- Devices attached or detached
- System or application errors and alerts
- Alerts from security controls, such as firewalls, IDS, and anti-malware
- Known indicators of compromise
Security
Security administrators are responsible for:
- Managing and monitoring the security log management infrastructure.
- Configuring logging on security devices and tools.
- Reporting on the results of security log management activities.
- Assisting others with log management.
Information Security will review this document annually or whenever there is a change in the threat environment to ensure it meets the mission and business needs.
Requirements
Log Generation
Every occurrence of a security event is logged with the following elements: (AU-3)
- Event type
- Event description
- Identification of the resource affected, e.g. filename with full path, service name
- Username, if applicable
- Source and destination IP address, if applicable
All DroneUp-managed hosts must forward security events. (AU-2) Required operational logging is determined and documented by the system administrators.
Timestamps must be accurate and synchronized to time.google.com, and must either be expressed in Coordinated Universal Time (UTC), use a fixed local-time offset from UTC, or include the local-time offset as part of the timestamp. Synchronizing internal system clocks with an authoritative source gives uniform timestamps across systems with multiple clocks and across systems connected over a network. (AU-8, SC-45)
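The elements above, as an added example that is not part of this ASR or of DroneUp's own code: a small Python module that builds application events (an authentication failure, a privilege change, and a key rotation that records the key identifier but never the key material, per the Applications list above) as one-line JSON records carrying the required elements and an RFC 3339 timestamp with an explicit UTC offset, plus a check that rejects records missing an element or carrying a naive local time. The field names, event type strings and sample values are assumptions chosen for the example, not a DroneUp schema.

```python
"""Structured security-event records carrying the elements this document requires.

Added example (not part of the original ASR, not DroneUp code). The field
names ts, event_type, description, resource, user, src_ip and dst_ip are
assumptions chosen for the example, not an official DroneUp schema.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

REQUIRED = ("ts", "event_type", "description", "resource")


def utc_timestamp(now=None):
    """RFC 3339 timestamp with an explicit UTC offset, e.g. 2026-04-24T10:15:30.123+00:00.

    A timezone-aware datetime is required: a naive local time would be ambiguous
    once records from several hosts are merged in the SIEM.
    """
    now = now if now is not None else datetime.now(timezone.utc)
    if now.utcoffset() is None:
        raise ValueError("timestamp must be timezone-aware")
    return now.isoformat(timespec="milliseconds")


def security_event(event_type, description, resource, *, user=None,
                   src_ip=None, dst_ip=None, now=None, **extra):
    """Build one event record as a dict; optional elements are omitted, not set to null."""
    rec = {
        "ts": utc_timestamp(now),
        "event_type": event_type,
        "description": description,
        "resource": resource,
    }
    for key, value in (("user", user), ("src_ip", src_ip), ("dst_ip", dst_ip)):
        if value is not None:
            rec[key] = value
    rec.update(extra)
    return rec


def validate(rec):
    """Return the list of problems with a record; an empty list means it conforms."""
    problems = [f"missing {key}" for key in REQUIRED if not rec.get(key)]
    for key in ("src_ip", "dst_ip"):
        if key in rec:
            try:
                ipaddress.ip_address(rec[key])
            except ValueError:
                problems.append(f"{key} is not an IP address: {rec[key]!r}")
    ts = rec.get("ts")
    if ts:
        try:
            if datetime.fromisoformat(ts).utcoffset() is None:
                problems.append("ts has no UTC offset")
        except ValueError:
            problems.append(f"ts is not ISO 8601: {ts!r}")
    return problems


def to_json(rec):
    """One event per line, keys sorted, so records diff and grep cleanly."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


# Constructed sample events (not real DroneUp data).
FIXED_NOW = datetime(2026, 4, 24, 10, 15, 30, 123000, tzinfo=timezone.utc)

LOGIN_FAILURE = security_event(
    "authn.failure", "password authentication failed", "svc:auth-api",
    user="jdoe", src_ip="203.0.113.7", dst_ip="198.51.100.10", now=FIXED_NOW,
)

# Privilege change: a higher-risk action, logged with who did it and to whom.
PRIV_CHANGE = security_event(
    "authz.privilege_change", "role admin granted", "user:jdoe",
    user="sysadmin", src_ip="10.0.5.12", now=FIXED_NOW,
    outcome="success", role="admin",
)

# Key rotation: the event and key identifier are logged, the key material is not.
# The host keeps a fixed -05:00 offset, which the timestamp carries explicitly.
KEY_ROTATION = security_event(
    "crypto.key_rotated", "data encryption key rotated", "kms:key/orders-db",
    user="svc-rotator", now=FIXED_NOW.astimezone(timezone(timedelta(hours=-5))),
    key_id="orders-db-v7",
)

# A record with a naive (offset-less) timestamp fails validation.
BAD_RECORD = {"ts": "2026-04-24T10:15:30", "event_type": "x",
              "description": "y", "resource": "z"}

if __name__ == "__main__":
    for rec in (LOGIN_FAILURE, PRIV_CHANGE, KEY_ROTATION):
        assert validate(rec) == []
        print(to_json(rec))
    print(validate(BAD_RECORD))
```

Run `validate()` at the shipper before forwarding: a record that fails it is cheaper to fix at the source than to reconcile in the SIEM after the fact, and the offset check is what keeps events from hosts in different time zones ordering correctly once merged.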
Log Transmission
- Transfer security events from all hosts in a cloud environment at least every 10 minutes, unless doing so causes performance impacts.
- Transfer security events from hosts at locations with only cellular connectivity every hour; all other locations transfer every 10 minutes. Required operational logging intervals are determined and documented by the system administrators.
- Security hosts such as firewalls and IDS transfer security alerts in real time.
Log Retention
- The DroneUp Security Information and Event Management (SIEM) solution retains original security events for at least one year. (AU-11)
NIST does not prescribe a data retention period; however, the FISMA and ISO 27001 compliance frameworks require a minimum of three years.
Log Management
The DroneUp Security Information and Event Management (SIEM) solution aggregates and archives security event logs.
- Infrastructure operational log monitoring and analysis should be integrated with the chosen monitoring/observability suite.
- System/development log monitoring and analysis should be integrated with the chosen monitoring/observability suite.
- Encrypt log data in transit and at rest, and obfuscate sensitive fields before log retrieval.
- Preserve original logs for forensics for the maximum retention period in accordance with NIST SP 800-86. Access to original logs is authorized on a need-to-access basis, and each access is logged for auditing purposes.
- Remove sensitive data before analysis.
- Compress log data before it is archived.
- Destroy log data older than the maximum retention period.
- Ensure availability of security log data by storing a copy in a separate location.
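The "obfuscate before retrieval" and "remove sensitive data before analysis" items above, as an added example that is not part of this ASR or of DroneUp's own code: a Python sanitizer that redacts credential values in key=value, JSON and Authorization-header form, masks payment card numbers (Luhn-checked so order and event identifiers are left alone) while keeping the last four digits for correlation, and pseudonymizes user identifiers with a keyed HMAC so analysts can still follow one user across records without seeing the identity. The key-name list, the [REDACTED] marker and the sample lines are constructed assumptions; extend the list to the secrets your own applications actually emit.

```python
"""Sanitize security log lines before they are handed to analysts.

Added example (not part of the original ASR, not DroneUp code). The patterns,
the [REDACTED] marker and the sample lines are assumptions constructed for the
example; tune the key list to the secrets your own applications actually emit.
"""
import hashlib
import hmac
import re

# key=value / "key":"value" / header pairs whose value is a secret. Group 2 keeps the
# separator (and a Bearer/Basic scheme) so the line's structure survives redaction.
SECRET_KV = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key|authorization)'
    r'("?\s*[=:]\s*(?:(?:bearer|basic)\s+)?)'
    r'("[^"]*"|[^\s&,;]+)'
)

# Candidate payment card numbers: 13 to 19 digits, optionally space/dash separated.
PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; distinguishes card numbers from other long digit runs (order ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for correlation
    return match.group(0)  # not a card number; leave it untouched


def _redact_kv(match):
    quote = '"' if match.group(3).startswith('"') else ""
    return f"{match.group(1)}{match.group(2)}{quote}[REDACTED]{quote}"


def redact(line):
    """Strip credential values and card numbers from one log line."""
    line = SECRET_KV.sub(_redact_kv, line)
    return PAN.sub(_mask_pan, line)


def pseudonymize(value, key):
    """Keyed pseudonym (HMAC-SHA256, truncated) so analysts can correlate a user
    across records without seeing the identity. The key stays with the log-management
    team; without it the pseudonym can be neither reversed nor recomputed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample lines (not real DroneUp data).
SAMPLE_LINES = [
    "ts=2026-04-24T10:15:30.123+00:00 event_type=authn.failure user=jdoe "
    "src_ip=203.0.113.7 password=hunter2",
    '{"event_type":"payment.read","user":"clerk1","card":"4111 1111 1111 1111",'
    '"token":"tok_live_9f3a"}',
    "GET /api/orders/1234567890123 Authorization: Bearer eyJhbGciOi.payload.sig",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
    print(pseudonymize("jdoe", b"rotate-me"))
```

Run the sanitizer on the analysis copy only; the original records stay intact in the SIEM's restricted store for forensics, as the retention item above requires, and every access to that store is itself logged.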