ResearchDrive - Audit log data request process information
Limited audit log data is collected for ResearchDrive and Restricted ResearchDrive. It may be requested by departmental IT support staff and cybersecurity staff as needed, following the process below.
What log data is collected?
- Audit Failure: close_file_modified, close_file_unmodified, create_directory, create_file, delete_directory, delete_file, open_file_noaccess, open_file_read, open_file_write, rename_directory, rename_file, set_security_directory, set_security_file
- Audit Success: close_file_modified, close_file_unmodified, create_directory, create_file, delete_directory, delete_file, open_file_noaccess, open_file_read, open_file_write, rename_directory, rename_file, set_security_directory, set_security_file
- Syslog Audit Events: create_directory, create_file, delete_directory, delete_file, open_file_noaccess, open_file_write, rename_directory, rename_file, set_security_directory, set_security_file
- Table 6 in the following Dell document describes each of these audit events (note: we do not collect “open directory” data): https://www.delltechnologies.com/asset/en-us/products/storage/industry-market/h12428-wp-best-practice-guide-isilon-file-system-auditing.pdf
Process for requesting access to log data:
For all urgent matters:
- Please contact the Cybersecurity Operations Center (CSOC) incident response team via the help desk (24/7 availability)
- Contact information (contact by phone for the fastest response): https://it.wisc.edu/about/division-of-information-technology/enterprise-information-security-services/office-of-cybersecurity/reporting-an-incident-to-it-security/
Note: Regardless of urgency, CSOC should be involved any time malicious activity is suspected, any time someone’s activities are under investigation, or any time there is HR involvement.
For non-urgent needs that involve CSOC:
- Email cybersecurity@cio.wisc.edu (reply within 2 business days)
For non-urgent needs that do not involve CSOC:
- Email researchdrive@wisc.edu (reply within 2 business days)
Scheduled access to logs:
Unfortunately, we are unable to provide instant or scheduled access to logs.