Rule ID
SV-213467r1137890_rule
Version
V5R4
CCIs
CCI-001851
The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can be used to detect weaknesses in security that enable the network IA team to find and address these weaknesses before breaches can occur. Reviewing these logs, whether before or after a security breach, are important in showing whether someone is an internal employee or an outside threat. A network boundary device is a piece of networking hardware that sits at the edge of a network, controlling the flow of data traffic between the internal network and external networks like the internet. It acts as a gatekeeper, enforcing security policies and protecting the internal network from unauthorized access and malicious attacks. Having a second central log server delivers a defense in depth approach for critical boundary devices.
Verify the network device is configured to send log data to at least one central log server. For boundary devices, verify the network device is configured to send log data to at least two central log servers. If the network device is not configured to send log data to at least one central log server, this is a finding. If the network boundary device is not configured to send log data to at least two central log servers, this is a finding.
Configure the network device to send log data to at least one central log server. Configure the network boundary device to send log data to at least two central log servers.