Logging of network traffic at NTNU
Much of the activity at NTNU will be logged: login, logout, SFTP, traffic to network directories, email, and web.
NTNU IT logs all logins with SFTP and SSH on all computers. The log contains time of login and logout, username, and the machine in use. Passwords are never logged. When you're logged in on a Unix-based machine, you can use the command "last" to see the last logins on that computer. "last | grep your_username" will give you an overview of your own logins.
Samba is used when you connect to your home directory. The logs contain time of connect and disconnect, username, and the machine in use. The logs can include more if necessary.
SMTP is a protocol used for sending email. The SMTP servers at NTNU log the time, which computer is sending the email, where it's going, the sender, and the recipient. Some system information is also logged, like the message number and any error messages.
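An added example (not part of the NTNU page) that builds on the "last" check above: it counts one user's logins per remote host and marks hosts outside a given domain. The function names, user names, host names and dates are constructed, and the script assumes the default "last" column layout with the remote host in the third column.

```shell
#!/bin/sh
# Summarise `last` output read on stdin for one user: count logins per
# remote host and mark hosts that are not under the given domain.

summarize_logins() {
    user="$1"      # account to report on
    domain="$2"    # domain treated as "inside", e.g. ntnu.no
    awk -v user="$user" -v domain="$domain" '
        # Assumed default layout: user, tty, remote host, then time fields.
        $1 == user && NF >= 4 {
            host = $3
            # Console logins have no remote host, so column 3 is then the
            # weekday (or an X display such as :0). Skip those rows.
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ || host ~ /^:/) next
            count[host]++
        }
        END {
            suffix = "." domain
            for (h in count) {
                # Literal suffix comparison, so "evilntnu.no" is not inside.
                inside = (h == domain) || (length(h) > length(suffix) && substr(h, length(h) - length(suffix) + 1) == suffix)
                printf "%s %d %s\n", (inside ? "inside" : "OUTSIDE"), count[h], h
            }
        }
    ' | LC_ALL=C sort
}

# Constructed sample in the shape of `last` output (not real log data).
sample_last_output() {
    cat <<'EOF'
kari     pts/3        lab-pc1.ntnu.no   Mon Mar  3 09:12 - 10:40  (01:28)
kari     pts/1        host7.example.net Tue Mar  4 23:51 - 00:05  (00:14)
ola      pts/2        lab-pc1.ntnu.no   Tue Mar  4 08:00 - 08:30  (00:30)
kari     pts/0        198.51.100.23     Wed Mar  5 02:17 - 02:19  (00:02)
kari     tty1                           Wed Mar  5 08:00 - 08:10  (00:10)
kari     pts/4        lab-pc1.ntnu.no   Thu Mar  6 11:00   still logged in
EOF
}

# Demonstration on the constructed sample.
sample_last_output | summarize_logins kari ntnu.no
```

On a real machine the equivalent call is "last | summarize_logins your_username ntnu.no". Addresses that "last" shows as bare IP numbers are listed as OUTSIDE, and the default output can truncate long host names.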
The content of the email is never logged. NTNU IT can look at the content of an email if that email is rendering the system unusable. In that case, NTNU IT will go as far as possible to solve the problem without looking into the email, but in some cases that proves impossible.
IMAP is a protocol for reading email. The IMAP servers at NTNU will log login, logout, username, time, which machine you're using IMAP on, and which machine the email is coming from.
The student servers at NTNU do not log which websites the user is accessing, but all traffic to folk.ntnu.no is logged: the name of the machine accessing the site, the time, and the file name. You can see the part of the log with information about your own site here: weblog.itea.ntnu.no.
Activate weblogging by selecting subscribe. You can later go onto the same website to see the statistics. You can also choose unsubscribe, if you no longer want to have access to the logs for your website.
Even if there are no saved logs containing the websites you have accessed, remember that this information will be stored in the memory of the computer you've been using, and sometimes also on the hard drive. If you have caching enabled in your web browser, the websites and images you have accessed will be stored in your home directory or locally on your computer, to make them load faster if you want to access them again. This can be turned off in your browser.
If you are using the NTNU network there should be no reason to have this feature on, as the network itself should be fast enough.
NTNU IT will not check the cached information, but remember that the next person to use the machine will be able to look at it if it has been saved to the hard drive, and so will anyone who gets access to your home directory.
Releasing log files
NTNU IT does not usually release any log files. There is, however, one exception to the rule:
System administrators can get parts of a log from a specific machine if they have a reasonable suspicion that something has happened there that is a breach of the IT-regulations. This would typically be logs from sambaad, the server that delivers the student's home directory.
Logs will not be released to external internet providers. If there is suspicion of abuse of an NTNU system, the case will be investigated, which might lead to police involvement. In that case, logs might be given as attachments.
Why does NTNU log?
The logs are used for system purposes like statistics, investigating security breaches, following up suspected breaches of the IT-regulations, and other related issues. NTNU IT will read logs daily to uncover irregularities. NTNU IT can access a user's home directory and look at the content if there is suspicion that anything illegal has happened. Suspicion will most often come from reading logs.
A few examples of what might cause suspicion:
- A big increase in disk usage (could be an indication of unauthorized access and misuse of the account to distribute software, music, videos, etc.)
- Login from many different computers outside ntnu.no
- Email loops
The user will normally be warned in advance before any measures are taken. Exceptions are where evidence could be lost, or email to the user can't be delivered because of email loops. In all cases, the user will be warned after the fact.
Orakel Support Services can help if you have any questions.