
Centralized Access Logging Landing Page

This page is under construction
The information provided below may not be complete or fully tested. Take care when following draft instructions.
For more information on securing your data, see Information Protection @ MIT.


Overview

Logs record what is happening on a computer system or network and help identify who did what, and when. Ensuring that authentication and access activity is logged to a central location helps ensure that information about user and system interactions in the environment is captured, stored, protected, and available for retrieval during audits and investigations. Deploying a log management solution facilitates the centralization and standardization needed for auditing.

How to

Find Logs

Computer systems and software applications produce countless log files (often identifiable by their .log extension) that document the activity occurring on and among networks, endpoint devices, and software programs. Events that are logged include those related to authentication and access, particularly logon/logoff successes and failures, account creation, and account deletion, together with the details of each event (who, when, from where). Logs of these events provide valuable information when investigating digital activity on the network.

Windows

On Windows systems, the events that track logon and logoff successes are numbered 4624 (logon) and 4647 (logoff); logon failures are event 4625, accounts disabled are event 4725, and accounts created are event 4720. These events can be viewed in the Windows Event Viewer (Security log).

Mac OS

On Mac OS, view the logs in the Console application.

Capture Logs

The logs above represent only a small group of the logs that could be viewed. Everything on a network generates logs, including servers, databases, intrusion detection systems, etc. Given the number of logs across an environment, it is a best practice to consolidate all of your logs into a central location for optimal investigation and correlation. This is done by capturing logs on the individual devices and then sending them to a central repository, where they can be searched and viewed from the single dashboard of a centralized log management solution.

There are several commercial products specifically for centralized log management. While they differ, each usually provides a method of forwarding logs from computer systems and devices across your network, standardizes and structures the log data in a common format, and then allows searching, reporting, and presentation of logs and summary information with which users can investigate activity. There is usually a configuration setting or an agent on the device itself that ships its logs to the centralized tool.

The security team here at MIT uses Splunk as its centralized log management solution. With Splunk, forwarders (agents) pass log traffic to a central console from which users can search and view their logs (for instance, the Windows security event 4625 shown below).

Consolidate Logs into a single location

Using a commercial tool such as Splunk to consolidate log traffic provides a common view, a single pane of glass in which disparate data is brought together for investigative and auditing purposes. If you have devices whose logs you would like to centrally manage, contact the security team to complete the required configuration and access.
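The following is an added example (not part of this page or of MIT's Splunk deployment) showing why the Windows event IDs listed above are worth centralizing: once 4624/4625/4647/4720/4725 records from many hosts sit in one store, simple correlation across them, such as a burst of failed logons followed by a success, or an account created and disabled within a day, becomes possible. The sample events are constructed and mimic the field names of exported Windows Security events (EventID, TimeCreated, TargetUserName, IpAddress); the thresholds are assumptions, not MIT policy.

```python
"""Correlate Windows Security access events per account (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names follow the Windows Security event XML.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2018-11-15T09:00:05", "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"EventID": 4625, "TimeCreated": "2018-11-15T09:00:09", "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"EventID": 4625, "TimeCreated": "2018-11-15T09:00:14", "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"EventID": 4624, "TimeCreated": "2018-11-15T09:00:20", "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"EventID": 4647, "TimeCreated": "2018-11-15T09:30:00", "TargetUserName": "jdoe", "IpAddress": "-"},
    {"EventID": 4720, "TimeCreated": "2018-11-15T09:31:00", "TargetUserName": "svc_backup", "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2018-11-15T10:00:00", "TargetUserName": "asmith", "IpAddress": "10.0.0.9"},
    {"EventID": 4725, "TimeCreated": "2018-11-15T11:00:00", "TargetUserName": "svc_backup", "IpAddress": "-"},
]

# The access-related event IDs named on this page.
EVENT_NAMES = {4624: "logon success", 4625: "logon failure", 4647: "logoff",
               4720: "account created", 4725: "account disabled"}


def summarize_by_account(events):
    """Count each access-related event ID per target account (the 'who did what' view)."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["EventID"] in EVENT_NAMES:
            summary[ev["TargetUserName"]][ev["EventID"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a 4624 that follows >= threshold 4625 events for the same account within the window."""
    recent = defaultdict(list)  # account -> timestamps of recent failures
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts, user = datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]
        recent[user] = [t for t in recent[user] if ts - t <= window]  # expire old failures
        if ev["EventID"] == 4625:
            recent[user].append(ts)
        elif ev["EventID"] == 4624 and len(recent[user]) >= threshold:
            hits.append({"user": user, "ip": ev["IpAddress"], "failures": len(recent[user])})
            recent[user] = []
    return hits


def short_lived_accounts(events, max_age=timedelta(hours=24)):
    """Pair 4720 (created) with a later 4725 (disabled) for the same account within max_age."""
    created, found = {}, []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts, user = datetime.fromisoformat(ev["TimeCreated"]), ev["TargetUserName"]
        if ev["EventID"] == 4720:
            created[user] = ts
        elif ev["EventID"] == 4725 and user in created and ts - created[user] <= max_age:
            found.append(user)
    return found
```

In practice the same logic is expressed as a scheduled search in the central tool rather than in a script; the point is that none of these patterns are visible from a single host's Event Viewer alone.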

Link to documentation/training

FAQs

Windows Security Logs

See Also

Have Questions or Still Need Help?

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

November 15, 2018
