Central Security Logging

In order to comply with the Grid Security Traceability and Logging Policy, CERN is required to store all system logs from Grid nodes in a central facility. The Security Team in collaboration with the CERN/IT groups managing the CERN Computer Centre has extended this facility to also store logs from a wide variety of other Computer Centre servers and services. These logs are stored for one year and purged afterwards. Access is restricted to the CERN Computer Security Team only.

With these logs at hand, the Security Team performs automatic analyses looking for different threats and unusual behaviors such as:

  • Brute-force log-in attempts and log-in successes;
  • Log-in patterns, i.e. the so-called "SSH Receipts" notification;
  • Unusual or dangerous system calls and commands;
  • Privilege escalation attempts;
  • Connections from IP addresses involved in past incidents.
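As an added illustration of the kind of analysis listed above (this is example code written for this page, not the Security Team's own tooling), the following Python script parses a handful of constructed sshd log lines in traditional syslog format and raises alerts for three of the cases: a brute-force burst of failed log-ins, a successful log-in from an address that was just brute-forcing, and a log-in from an address on a watchlist of past incidents. The sample lines, the watchlist, the five-failures-in-ten-minutes threshold and the year used to complete the timestamps are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines (traditional syslog format); not real CERN log data.
SAMPLE_LOG = """\
Mar  3 10:00:01 node01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  3 10:00:03 node01 sshd[2104]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar  3 10:00:05 node01 sshd[2107]: Failed password for root from 198.51.100.23 port 50141 ssh2
Mar  3 10:00:06 node01 sshd[2110]: Failed password for root from 198.51.100.23 port 50150 ssh2
Mar  3 10:00:08 node01 sshd[2113]: Failed password for root from 198.51.100.23 port 50162 ssh2
Mar  3 10:00:09 node01 sshd[2116]: Accepted password for root from 198.51.100.23 port 50170 ssh2
Mar  3 10:02:15 node01 sshd[2200]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
Mar  3 10:05:00 node01 sshd[2250]: Failed password for bob from 192.0.2.11 port 41010 ssh2
Mar  3 10:30:00 node01 sshd[2300]: Accepted publickey for carol from 203.0.113.5 port 42000 ssh2
"""

# Constructed watchlist standing in for "IP addresses involved in past incidents".
KNOWN_BAD_IPS = {"203.0.113.5"}

# Matches the two sshd outcomes we care about; "invalid user" is optional noise before the name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(text, year=2024):
    """Turn raw syslog lines into event dicts; the year is assumed because the format omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line; the central analysis would route it elsewhere
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def analyse(events, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, ip, detail) alerts: brute force, success after brute force, watchlisted source."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failed log-ins
    flagged = set()               # sources already reported as brute-forcing
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            # keep only failures inside the sliding window before comparing to the threshold
            failures[ip] = [t for t in failures[ip] + [ts] if ts - t <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{len(failures[ip])} failures within {window}"))
        else:
            if ip in flagged:
                alerts.append(("bruteforce-success", ip, f"login as {ev['user']} after brute force"))
            if ip in KNOWN_BAD_IPS:
                alerts.append(("known-bad-ip", ip, f"login as {ev['user']} from watchlisted address"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in analyse(parse(SAMPLE_LOG)):
        print(f"ALERT {kind:<18} {ip:<16} {detail}")
```

The sliding window matters: a source that spreads failures over hours never crosses the threshold here, which is exactly the blind spot a real analysis closes by also tracking long-term counts per source and per target account.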

Furthermore, these logs provide an essential basis for conducting forensics in order to understand security events. Depending on the nature of the alert and its severity, the user and the person responsible for the affected server will be notified about security events discovered by our automatic log analyses.

All software developers are strongly encouraged to use syslog (or state-of-the-art libraries capable of communicating with it) for handling logs in their applications.
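The following is an added example, not code from this page or from CERN, of what that recommendation looks like in a Python application: security-relevant events are emitted through the standard library's syslog handler with a fixed `event=... key=value` layout, so the central analysis can parse them without guessing at free-form text. The relay address `127.0.0.1:514` is a placeholder; the real destination is whatever the local syslog daemon or the Security Team provides.

```python
import logging
import logging.handlers
import os

# Placeholder only: the local syslog daemon or the address handed out by the Security Team goes here.
SYSLOG_ADDRESS = ("127.0.0.1", 514)


def format_event(event, **fields):
    """Render an event as 'event=NAME key=value ...', sorted by key for a stable layout.

    Values containing spaces (or empty values) are quoted; embedded double quotes are
    turned into single quotes so a single regex can split the line back into fields.
    """
    parts = [f"event={event}"]
    for key, value in sorted(fields.items()):
        text = str(value).replace('"', "'")
        if text == "" or " " in text:
            text = f'"{text}"'
        parts.append(f"{key}={text}")
    return " ".join(parts)


def build_logger(app_name, address=SYSLOG_ADDRESS):
    """Attach a SysLogHandler (LOG_AUTH facility) with the conventional 'app[pid]: msg' tag."""
    logger = logging.getLogger(app_name)
    logger.setLevel(logging.INFO)
    if not logger.handlers:  # idempotent: calling twice must not duplicate output
        handler = logging.handlers.SysLogHandler(
            address=address, facility=logging.handlers.SysLogHandler.LOG_AUTH)
        handler.setFormatter(logging.Formatter(f"{app_name}[{os.getpid()}]: %(message)s"))
        logger.addHandler(handler)
    return logger


def log_event(logger, event, level=logging.INFO, **fields):
    """Emit one structured event and return the rendered line (handy for tests and audits)."""
    line = format_event(event, **fields)
    logger.log(level, line)
    return line


if __name__ == "__main__":
    log = build_logger("myservice")
    # Constructed sample events; the values are illustrative only.
    log_event(log, "login_failure", level=logging.WARNING, user="bob", src_ip="198.51.100.23")
    log_event(log, "privileged_command", user="alice", argv="systemctl restart sshd")
```

Keeping the field names stable across releases is the part that pays off: a central rule such as "more than N `login_failure` events per `src_ip`" keeps working even when the surrounding message text changes.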

Want to join?

CERN service providers interested in having their logs integrated with this service are encouraged to contact the Security Team. Below we describe several ways of configuring your server to send system logs to the CSL. Note that, due to confidentiality reasons, direct access to CSL is restricted to the Computer Security Team. However, you may collect your logs on your own, and relay a copy of them to us.