Standards Group: YALE-MSS-13: Logging
YALE-MSS-13.1: Ensure logging contains information required for incident response
Applicability by device type and risk level:
Low Risk Endpoint: Not Required
Moderate Risk Endpoint: Not Required
High Risk Endpoint: Not Required
Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required
Low Risk Network Printer: Not Required
Moderate Risk Network Printer: Not Required
High Risk Network Printer: Not Required
Details
Data generated by a system or application contains information that is used to respond to incidents.
Recommendations for effective logging include:
- Use multiple time servers to ensure accuracy of log timestamps
- Verify that your application logs show client IP addresses and not just reverse proxy IPs (a standard solution is to configure and log X-Forwarded-For headers)
- Measure your log volume and provision enough storage to retain logs for a minimum of 90 days
Logged data for incident response must include at a minimum:
- The time and date an event happens
- Source and destination IPs, if network communications are involved
- User IDs, if feasible
- The name and ID of the affected process
- Any basic messages generated by the process (e.g., error, debug, informational messages)
Incident response logging should include events from activities such as authentication, privilege escalation, network communications, file/object access changes, error and debug messages, and application-level logs.
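The minimum record contents listed above, together with the X-Forwarded-For recommendation, as an added example that is not part of the Yale standard: a small Python helper that builds a structured log record carrying the required fields, resolves the real client IP behind a trusted reverse proxy, and reports which required fields a record is missing. Field names (timestamp, src_ip, process_name, ...) and the trusted-proxy list are this example's own assumptions.

```python
"""Added example: structured incident-response log records per YALE-MSS-13.1.
The key names below are assumptions; the standard names the information, not the keys."""
import os
import sys
from datetime import datetime, timezone

# Fields the standard requires in every record.
REQUIRED_FIELDS = ("timestamp", "process_name", "process_id", "message")
# Required only when network communications are involved.
NETWORK_FIELDS = ("src_ip", "dst_ip")


def client_ip(remote_addr, forwarded_for=None, trusted_proxies=()):
    """Return the client IP seen behind a reverse proxy.

    X-Forwarded-For can be set by the client, so only the hop appended by one of
    our own (trusted) proxies is believed: walk the list from the right and skip
    addresses that belong to our proxies. A direct connection is returned as-is.
    """
    if remote_addr not in trusted_proxies or not forwarded_for:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def make_record(message, level="info", src_ip=None, dst_ip=None, user_id=None):
    """Build one log record with an explicit UTC timestamp and process identity."""
    rec = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "process_name": os.path.basename(sys.argv[0]) or "python",
        "process_id": os.getpid(),
        "level": level,
        "message": message,
    }
    if src_ip or dst_ip:  # network communication involved: both ends required
        rec["src_ip"] = src_ip
        rec["dst_ip"] = dst_ip
    if user_id is not None:  # "if feasible": include when the user is known
        rec["user_id"] = user_id
    return rec


def missing_fields(rec):
    """Names of required fields absent from a record; an empty list means compliant."""
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if "src_ip" in rec or "dst_ip" in rec:
        missing += [f for f in NETWORK_FIELDS if rec.get(f) in (None, "")]
    return missing
```

Records are plain dicts so they can be serialised with json.dumps and shipped to whatever log collector holds the 90 days of retention.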