Rule ID
SV-215692r991831_rule
Version
V3R7
CCIs
CCI-001858, CCI-003831
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Review the Cisco router configuration to verify that it is compliant with this requirement as shown in the example below. logging trap critical Note: The parameter "critical" can replaced with a lesser severity level (i.e., error, warning, notice, informational). Informational is the default severity level; hence, if the severity level is configured to informational, the logging trap command will not be shown in the configuration. If the Cisco router is not configured to generate an alert for all audit failure events, this is a finding.
Configure the Cisco router to send critical to emergency log messages to the syslog server as shown in the example below. R4(config)#logging trap critical Note: The parameter "critical" can replaced with a lesser severity level (i.e., error, warning, notice, informational).