Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any network device compromise. Incident response teams can perform root cause analysis, determine how the exploit proliferated, and identify all affected nodes, as well as contain and eliminate the threat. The network device assists in the tracking of security incidents by logging detected security events. The audit log and network device application logs capture different types of events. The audit log tracks audit events occurring on the components of the network device. The application log tracks the results of the network device content filtering function. These logs must be aggregated into a centralized server and can be used as part of the organization's security incident tracking and analysis.

Cisco IOS XE Router NDM Security Technical Implementation Guide, 2019-12-20

Check Text (C-95197r1_chk)

The Cisco router is not compliant with this requirement. However, the risk associated with this requirement can be fully mitigated if the router is configured to send logs to a syslog server that can be used to assist in the tracking of security incidents.
Verify that the router is configured to send logs to a syslog server. The configuration should look similar to the example below:
logging trap notifications
Note: The default severity level for messages sent to the syslog server is informational (level 6); hence, the command logging trap informational will not appear in the configuration. The level of log messages sent to the syslog server can be verified using the show logging command.
If the router is not configured to send log messages to a syslog server, this is a finding.
Fix Text (F-102037r1_fix)

Configure the router to send log messages to the syslog server as shown in the example below.
R4(config)#logging host x.x.x.x
R4(config)#logging trap notifications
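The following is an added example, not Cisco code or part of the STIG, that automates the check and fix above: it reads a running-config, applies the rule that a router with no logging host is a finding, treats a missing logging trap line as the informational default that IOS XE does not display, and emits the remediation commands from the Fix Text. The sample configs are constructed; the syslog server address in the fix output is a placeholder, and the regexes assume the logging host / logging trap syntax shown on the page.

```python
"""Added example (not Cisco or STIG tooling): check a Cisco IOS XE
running-config for syslog forwarding and emit the fix when absent."""
import re

# Syslog severity names as IOS XE accepts them in 'logging trap <level>'.
# Assumption: standard syslog numbering, 0 = emergencies .. 7 = debugging.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample: compliant router (syslog host present, trap at notifications).
SAMPLE_COMPLIANT = """\
hostname R4
!
logging host 192.0.2.10
logging trap notifications
!
end
"""

# Constructed sample: local buffer only, no syslog host -> finding.
SAMPLE_FINDING = """\
hostname R5
!
logging buffered 64000
!
end
"""


def parse_logging(config):
    """Return (syslog_hosts, trap_level_name) from running-config text.

    Per the Check Text, a missing 'logging trap' line means the default,
    informational (level 6), which IOS XE does not show in the config.
    """
    hosts = []
    trap = "informational"
    for line in config.splitlines():
        line = line.strip()
        # Matches 'logging host 192.0.2.10' and 'logging host ipv6 2001:db8::10';
        # trailing options such as 'transport udp port 514' are ignored.
        m = re.match(r"^logging host (?:ipv6 )?(\S+)", line)
        if m:
            hosts.append(m.group(1))
            continue
        m = re.match(r"^logging trap (\S+)", line)
        if m:
            name = m.group(1)
            # IOS also accepts a numeric level; map it back to its name.
            if name.isdigit():
                num = int(name)
                name = next((k for k, v in TRAP_LEVELS.items() if v == num), name)
            trap = name
    return hosts, trap


def evaluate(config):
    """Apply the STIG check: a finding if no syslog host is configured.

    Returns a dict with the parsed state and, on a finding, the remediation
    commands from the Fix Text (server address is a placeholder).
    """
    hosts, trap = parse_logging(config)
    result = {
        "syslog_hosts": hosts,
        "trap_level": trap,
        "trap_severity": TRAP_LEVELS.get(trap),
        "finding": not hosts,
        "fix": [],
    }
    if result["finding"]:
        result["fix"] = [
            "logging host <SYSLOG_SERVER_IP>",
            "logging trap notifications",
        ]
    return result


if __name__ == "__main__":
    for name, cfg in (("R4", SAMPLE_COMPLIANT), ("R5", SAMPLE_FINDING)):
        r = evaluate(cfg)
        status = "FINDING" if r["finding"] else "compliant"
        print(f"{name}: {status} hosts={r['syslog_hosts']} trap={r['trap_level']}")
        for cmd in r["fix"]:
            print(f"  fix: {cmd}")
```

Feed it the output of show running-config; the trap level is reported so that an operator can confirm it against show logging, as the note above advises, rather than relying on the config text alone.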