Rule ID
SV-254864r958758_rule
Version
V2R2
CCIs
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "1" for "Check current status," and then press "Enter". If the syslog status page states "No existing TanOS syslog forwarding configuration found" this is a finding. If the syslog status page states "Syslog forwarding configuration" and the SIEM administrator verifies SIEM is receiving the events correctly and generating notifications for audit failure events, this is not a finding.
1. Access the TanOS interactively. 2. Press "A" for "Appliance Configuration Menu," and then press "Enter". 3. Press "4" for "Syslog Configuration," and then press "Enter". 4. Press "5" for "Configure syslog forwarding," and then press "Enter". 5. Enter the destination host (IP address or hostname) provided by the SIEM administrator, and then press "Enter". 6. Enter the destination port number and press "Enter". 7. If TLS is required for this syslog destination, enter "Yes", otherwise enter "No", and press "Enter". 8. Enter the destination protocol, "udp" or "tcp", and press "Enter". 9. Work with the SIEM administrator to validate events are being received, and to configure notifications for audit failure events.