Security events that must be logged for high-impact systems to the centralized logging infrastructure include, but are not limited to, the following (both successful and unsuccessful attempts):
Authentication events, including but not limited to system logon/logoff and password changes. Each record will contain at minimum:
- account or user-ID;
- the type of event;
- an indication of success or failure of the event;
- the date and time of the event; and
- identification of the source of the event, such as location, IP address, terminal ID or other means of identification.
File change events for system files or files that contain high risk data will be logged to include at minimum:
- account or user-ID;
- the date and time of event;
- event type (read, write, delete, copy);
- the resource (file name, file path); and
- identification of the source of the event, such as location, IP address, terminal ID or other means of identification.
Privileged operations including but not limited to:
- use of system privileged accounts;
- execution of scripts;
- system starts and stops;
- hardware attachments and detachments;
- system and network management alerts and error messages; and
- security events – account/group management and policy changes.
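The authentication and file-change lists above define the minimum fields a record must carry before it is useful in a central log store. The following is an added example (not part of this policy, and not code from any named product) that maps a few constructed syslog-style lines onto those field names and rejects any record that lacks a required field, so that gaps are caught at ingestion rather than during an investigation. The line formats (an sshd-like authentication line and a hypothetical "filemon" key=value line), the sample lines themselves and the field names are assumptions made for the example.

```python
"""
Added example: normalise raw log lines into the policy's required fields and
reject incomplete records. The sample lines and the "filemon" format are
constructed for this example; only the sshd-style lines resemble real output.
"""
import re
from datetime import datetime

# Minimum fields per event class, taken from the policy lists above.
REQUIRED_FIELDS = {
    "authentication": {"account", "event_type", "outcome", "timestamp", "source"},
    "file_change": {"account", "timestamp", "event_type", "resource", "source"},
}

# Constructed sample lines (assumed format). The last one deliberately omits the source.
SAMPLE_LINES = [
    "2024-03-02T10:15:01Z host1 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2",
    "2024-03-02T10:15:07Z host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2",
    "2024-03-02T10:16:30Z host1 sshd[1201]: Disconnected from user alice 192.0.2.10 port 51514",
    "2024-03-02T10:20:00Z host1 filemon: user=bob op=write path=/etc/shadow src=10.0.0.8",
    "2024-03-02T10:21:00Z host1 filemon: user=bob op=delete path=/srv/pii/customers.csv",
]

SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
SSH_LOGOFF_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Disconnected from user (?P<user>\S+) (?P<ip>\S+)"
)
FILE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) filemon: (?P<kv>.*)$")


def parse_line(line):
    """Map one raw line onto the policy's field names; None if the line is not a covered event."""
    m = SSH_AUTH_RE.match(line)
    if m:
        return {
            "class": "authentication",
            "event_type": "logon",
            "account": m["user"],
            "outcome": "success" if m["result"] == "Accepted" else "failure",
            "timestamp": m["ts"],
            "source": m["ip"],
        }
    m = SSH_LOGOFF_RE.match(line)
    if m:
        return {
            "class": "authentication",
            "event_type": "logoff",
            "account": m["user"],
            "outcome": "success",
            "timestamp": m["ts"],
            "source": m["ip"],
        }
    m = FILE_RE.match(line)
    if m:
        kv = dict(item.split("=", 1) for item in m["kv"].split() if "=" in item)
        return {
            "class": "file_change",
            "timestamp": m["ts"],
            "event_type": kv.get("op"),      # read, write, delete, copy
            "account": kv.get("user"),
            "resource": kv.get("path"),
            "source": kv.get("src"),
        }
    return None


def missing_fields(record):
    """Return the sorted list of required fields that are absent or unusable."""
    gaps = [f for f in REQUIRED_FIELDS[record["class"]] if not record.get(f)]
    # A timestamp that cannot be parsed is as bad as a missing one for correlation.
    if record.get("timestamp"):
        try:
            datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            gaps.append("timestamp")
    return sorted(set(gaps))


def process(lines):
    """Split lines into complete records and (line, reasons) pairs that must not be silently dropped."""
    accepted, rejected = [], []
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected.append((line, ["unrecognised event"]))
            continue
        gaps = missing_fields(record)
        if gaps:
            rejected.append((line, gaps))
        else:
            accepted.append(record)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = process(SAMPLE_LINES)
    for rec in ok:
        print("OK ", rec)
    for line, why in bad:
        print("REJECT", why, line)
```

Rejected lines are kept with the reason rather than discarded, because a record that fails the completeness check is itself evidence that the source system is not meeting the logging requirement.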