Frequently asked questions
Q: What is Log-Alert?
A: Log-Alert is a UITS-funded service to ensure that your IT department can align itself with the IT-12 policy of server log monitoring and review.
Q: What is the cost for the Log-Alert service?
A: The Log-Alert service is a no-fee, centrally funded service for IT-12 alignment, available to all IU units.
Q: How do my logs get into Log-Alert with Splunk?
A: Splunk uses an agent called the Universal Forwarder to securely transmit your logs. Read more here: https://kb.iu.edu/d/bfln
Q: Why do I have to use the agent? Can't I send my logs to you via syslog, WMI, etc.?
A: We have tested other input methods into Splunk and many issues were discovered throughout that process. The main benefit to using the Splunk universal forwarder is scalability as well as its built-in load-balancing features. The agent will alternate logs between our indexers in order to be as efficient as possible. The use of the agent also allows much easier hands-off configuration changes in the event a system-wide change needs to occur.
Q: Is there a server resource performance reduction associated with the Universal Forwarder?
A: The resources needed to run the Universal Forwarder are very small. An increase in CPU usage of 1-3% is fairly common.
Q: Who has access to see my logs?
A: Outside of the TechSelect Log-Alert team, only the people in your department who are defined during onboarding will have access to your logs. TechSelect has implemented two simultaneous security methods within Splunk to give everyone the highest level of security Splunk has to offer. First, we silo all data into indexes; this allows us to set role-based access to a specific index so no one else can search the data. It also keeps the data segmented from the command line and directory structure. Second, we have created restricted user options, to allow users to see only their particular application. This adds an additional layer of security that we control.
Q: Where are the Log-Alert servers located?
A: All servers that provide the Log-Alert service are in the Intelligent Infrastructure and are in both the IUPUI and IU Bloomington Data Centers.
Q: Are my logs encrypted?
A: All logs transmitted into Log-Alert are encrypted using 256-bit encryption. All log data is stored in a proprietary Splunk data format and is encrypted at rest on the SAN infrastructure in the Intelligent Infrastructure.
Q: Am I handing you the keys to the kingdom by sending my logs to you?
A: The Log-Alert system sends only system events that are relevant to the IT-12 logging requirement. We do not collect all system logs. Also, system logs do not generally record passwords, passphrases, PINs, security codes, or access codes, nor do they frequently record data classified as critical under the IU data classifications.
Q: Can I send you all of my logs so that I can create a custom dashboard?
A: Currently our main focus is to provide a log-reporting service that lowers the number of departments that are not aligned with IT-12. We are definitely looking to expand the service into many different areas around the university, but we are currently focused on IT-12 alignment.