For application servers providing log record aggregation, the application server must compile log records from organization-defined information system components into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35139	SRG-APP-000086-AS-000048	SV-46426r3_rule		Medium

Description
Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DoD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external logging tool that provides this capability.

Description

Log generation and log records can be generated from various components within the application server. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet certain tolerance criteria. For instance, DoD may define that the time stamps of different logged events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external logging tool that provides this capability.

STIG	Date
Application Server Security Requirements Guide	2019-01-07

Details

Check Text ( C-43526r2_chk )
Review the application server log feature configuration to determine if the application server or an external logging tool in conjunction with the application server does compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail. If the application server does not meet this requirement, this is a finding.

Check Text ( C-43526r2_chk )

Review the application server log feature configuration to determine if the application server or an external logging tool in conjunction with the application server does compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.

If the application server does not meet this requirement, this is a finding.

Fix Text (F-39690r2_fix)
Configure the application server or an external logging tool supporting the application server to compile log records from multiple components within the server into a system-wide log trail that is time-correlated with an organization-defined level of tolerance for the relationship between time stamps of individual records in the log trail.