Security Audit Log Analysis Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance for audit logging requirements.


Resource Custodians must maintain, monitor, and analyze security audit logs for covered devices.

Description of Risk

Without appropriate audit logging and analysis, an attacker's activities can go unnoticed, and evidence of whether or not the attack led to a breach can be inconclusive.


Once audit logs are set up to be collected, regular log reviews and analysis are critical to timely detection of security incidents, policy violations, fraudulent activities and any follow-up response actions that are required.  Proper audit log analysis will require resource proprietor to dedicate the time of a log analyst on a daily basis to review logs for urgent errors and warnings.  Log analyst should also develop periodic reports to demonstrate trending and time-dependent data to aid the discovery of anomalous events and activities otherwise hidden from daily reviews.  

To help prioritize review and response time, the log analyst should develop a criticality rating for audit events based on potential negative to covered data.  Using the criticality rating, log analyst should develop the capability to send an alert on high criticality rating (anomalous) events in real time for timely response to probably security incidents.

Due to the complexity of an audit logging program implementation, it is strongly recommended that resource proprietors and resource custodians enroll in the campus-provided audit logging service described below.

Campus Service

The Information Security Office (ISO) has implemented Campus Log Correlation Program, an enterprise-grade audit logging software solution (based on HP ArcSight), to aid in managing, correlating, and detecting suspicious activities related to the campus' most critical data assets.  This service's advanced detection capabilities enable ISO to correlate events in multiple dimensions - by identity, vulnerability, asset, time, patterns and other events -  across firewalls, web servers, system access logs, and other core central Security Services such as Vulnerability and Intrusion Detection to determine if a system has been successfully attacked, is currently being probed for attack, or detect advanced threats before they cause damage.  

To enroll in ISO Campus Log Correlation Program, please email your request to

On This Page