2.5.9 Auditing and Logging Compliance

Recording and monitoring the activities of users is an important part of overall system security. Most organizations have rules governing who is allowed to access and make changes to software and related hardware resources. Maintaining an audit log of significant activities enables the organization to verify compliance with rules, detect any violations, and initiate remediation activities. Some businesses are under external laws and regulations that require ongoing monitoring and verification of access and authorization rules.

An audit log can also be helpful in detecting attempts, whether successful or not, to gain illegitimate access to the system, probe its information, or disrupt its operation. Knowing an attack is attempted and the details of the attempt can help in mitigating the damage and preventing future attacks.

Whether or not it is required, it is part of good security practice to regularly examine logs for suspicious, unusual, or unauthorized activity. Routine log analysis also helps identify system misconfigurations and failures and help to verify adherence to SLAs.

The system audit log is maintained in the database and can be monitored through the vCloud Director for Service Providers web UI. Each organization administrator and the system administrator have a view into the log scoped to their specific area of control. A more comprehensive view of the audit log (and long-term persistence) is achieved through the use of remote syslog, described in following section. A variety of log management and Security Information and Event Management (SIEM) systems are available from a variety of vendors and open-source projects.

Diagnostic logs, described in the following section, contain information about system operation not defined as “audit events” and are stored as files in the local filesystem of each cell’s operating system.