Our log policy follows the SANS Information Logging Standard. It helps us collect information capable of answering the following questions:
- What activity was performed?
- Who or what performed the activity?
- What was the activity performed on?
- When was the activity performed?
- What tool(s) was the activity performed with?
At least the following activities are logged from our customer systems:
- Create, read, update, or delete information.
- Initiate a network connection.
- Accept a network connection.
- User authentication and authorization for activities such as user login and logout.
- Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes.
- System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes.
- Application process startup, shutdown, or restart.
- Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault.
- Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.