We do keep logs for a period of time, but the library administration's policy is to only investigate them when a publisher contacts us with a claim of abuse (we do not proactively monitor for unusual activity, although we do take steps like limiting the number of concurrent sessions per user and blacklisting IP addresses/ranges with a history of suspicious activity).
The publisher generally supplies examples of timestamps and URLs that were part of the alleged abuse. We use that information to identify the "abusing" user in the log.
Usually there is pretty clear evidence that the user is not conducting legitimate personal research (e.g. the user is a freshman early childhood education major at the local rural branch campus, but they're downloading thousands of chemistry papers from an IP address in China or Russia). Typically the user does not seem like an information freedom warrior, or even to have a clue what is going on, so it seems most likely the credentials were phished.
We do keep logs for a period of time, but the library administration's policy is to only investigate them when a publisher contacts us with a claim of abuse (we do not proactively monitor for unusual activity, although we do take steps like limiting the number of concurrent sessions per user and blacklisting IP addresses/ranges with a history of suspicious activity).
The publisher generally supplies examples of timestamps and URLs that were part of the alleged abuse. We use that information to identify the "abusing" user in the log.
Usually there is pretty clear evidence that the user is not conducting legitimate personal research (e.g. the user is a freshman early childhood education major at the local rural branch campus, but they're downloading thousands of chemistry papers from an IP address in China or Russia). Typically the user does not seem like an information freedom warrior, or even to have a clue what is going on, so it seems most likely the credentials were phished.