Standards Group:
YALE-MSS-13: Logging
YALE-MSS-13.4: Collect and review all system activity logs
Details
The ongoing capture and review of system events is critical for monitoring system health and for detecting and responding to security incidents. In some cases, external obligations such as HIPAA and PCI DSS also require it.
Even where no such obligation applies, regularly inspecting event logs is an effective means of checking the status of a system and its resources.
For more information about HIPAA and PCI, please see:
One approach for collecting and reviewing logs is a mix of automated and manual activities:
- Once a day, event logs are filtered by an automated tool; events that match predefined criteria (for example, repeated authentication failures, privileged command use, or account changes) are flagged and sent to system administrators for review
- Once a week, system administrators manually review a summary or dashboard of recent events, and investigate further any events that warrant a closer look
Adjust the process and timeline as needed based on risk, resources, and feasibility.
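As an added illustration of the daily automated step above (example code written for this page, not a Yale tool or an endorsed product), the script below parses a constructed set of syslog-style lines in the formats emitted by OpenSSH, sudo and useradd, counts events for the weekly summary, and flags the ones an administrator should see: a burst of failed logins from one source address, commands run through sudo, and new local accounts. The sample log, the flagging rules, and the threshold of three failures per source are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of syslog-style lines for this example (not real logs).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:05 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:07 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 10 02:14:09 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar 10 08:30:12 web1 sshd[2410]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Mar 10 08:31:40 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 11:02:55 web1 useradd[2602]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 10 12:00:00 web1 CRON[2711]: (root) CMD (/usr/local/bin/rotate-logs)
Mar 10 13:45:10 web1 sshd[2890]: Failed password for ops from 198.51.100.20 port 40200 ssh2
"""

# Syslog header (timestamp, host, message) and the message formats the filter cares about.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")

EVENT_PATTERNS = (
    ("failed_auth", FAILED_RE),
    ("accepted_auth", ACCEPTED_RE),
    ("sudo_command", SUDO_RE),
    ("new_user", USERADD_RE),
)


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not an event of interest."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
    for kind, pattern in EVENT_PATTERNS:
        e = pattern.search(msg)
        if e:
            return {"ts": ts, "host": host, "kind": kind, **e.groupdict()}
    return None  # e.g. routine cron output is counted nowhere and never flagged


def summarize(lines):
    """Per-kind event counts, the raw material for a weekly summary or dashboard."""
    return Counter(e["kind"] for e in (parse_line(l) for l in lines) if e)


def flag_events(lines, bruteforce_threshold=3):
    """Apply the daily flagging rules and return the events an administrator should review."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    flags = []
    failures_by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "failed_auth":
            failures_by_src[e["src"]].append(e)
        elif e["kind"] == "sudo_command":
            flags.append({"severity": "medium", "rule": "sudo_command", "host": e["host"],
                          "detail": f'{e["user"]} ran "{e["cmd"]}" as {e["target"]} at {e["ts"]}'})
        elif e["kind"] == "new_user":
            flags.append({"severity": "high", "rule": "new_user", "host": e["host"],
                          "detail": f'account {e["user"]} created at {e["ts"]}'})
    # Repeated failures from one source indicate password guessing; a lone failure
    # is normal noise and only shows up in the summary counts.
    for src, fails in failures_by_src.items():
        if len(fails) >= bruteforce_threshold:
            users = ", ".join(sorted({f["user"] for f in fails}))
            flags.append({"severity": "high", "rule": "ssh_bruteforce", "host": fails[0]["host"],
                          "detail": f'{len(fails)} failed logins from {src} targeting {users} '
                                    f'between {fails[0]["ts"]} and {fails[-1]["ts"]}'})
    return flags


def daily_report(log_text, bruteforce_threshold=3):
    """Build the text an automated daily job would send to administrators."""
    lines = log_text.splitlines()
    counts = summarize(lines)
    order = {"high": 0, "medium": 1, "low": 2}
    out = ["Event counts: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))]
    for f in sorted(flag_events(lines, bruteforce_threshold), key=lambda f: order[f["severity"]]):
        out.append(f'[{f["severity"].upper()}] {f["rule"]} on {f["host"]}: {f["detail"]}')
    return "\n".join(out)


if __name__ == "__main__":
    print(daily_report(SAMPLE_LOG))
```

In practice the script would read the previous day's log files (or a central log store) instead of the embedded sample, and the threshold and rule set would be tuned to the system's normal activity so that the daily report stays short enough to actually be read.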
Tools for gathering and monitoring event logs are often built into the operating system itself, and are also available as open source and commercial software.