
IDPS audit events must be transmitted to the organization's central audit log server.


Overview

Finding ID: V-34547
Version: SRG-NET-000081-IDPS-00066
Rule ID: SV-45389r1_rule
IA Controls: (none listed)
Severity: Low
Description
The organization must centrally manage the content of audit records generated by organizationally defined IDPS components. Centrally managing audit data captured by the central management console and sensors provides for easier management of these events and is an effective facility for monitoring and the automatic generation of alert notification. The repository of audit data can facilitate troubleshooting when problems are encountered and can assist in performing root cause analysis. A repository of audit data can also be correlated in real time to identify suspicious behavior or be archived for review at a later time for research and analysis. Without the ability to centrally manage events, troubleshooting and correlation of suspicious behavior will be difficult and may lead to or prolong the attack. To support the auditing requirement, the IDPS account and audit management functions must be configured to transmit the audit events to the site's central audit server (e.g., SYSLOG server).
STIG: Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide
Date: 2012-11-19

Details

Check Text ( C-42738r1_chk )
Examine the audit log configuration on the IDPS components (including the sensors).
Verify the IDPS components are configured to send audit events to the organization's central audit log server.

If the IDPS components are not configured to send audit events to the organization's central audit log server, this is a finding.
Fix Text (F-38786r1_fix)
Configure the IDPS components to ensure audit events are transmitted to the organization's central audit log server (e.g., SYSLOG server).
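The check above asks the reviewer to examine each component's audit log configuration and confirm it forwards to the central server. The STIG does not name a product, so the following is an added example (not part of the STIG or any vendor's tooling) that assumes the component's audit logging is driven by an rsyslog-style configuration file. It builds two constructed sample configurations, one that logs only to local files and one that forwards everything to a central server, and reports "finding" or "pass" for each; the host name and paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example: automate the "is audit forwarding configured?" check for an
# rsyslog-style configuration. All file names and hosts below are constructed.

# has_remote_forwarding CONFIG
# Returns 0 if CONFIG contains at least one remote forwarding action, either
# the classic "@host" (UDP) / "@@host" (TCP) selector syntax or a RainerScript
# omfwd action; returns 1 if the file is unreadable or has no such action.
# Comment lines are stripped first so a commented-out target does not count.
has_remote_forwarding() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    grep -v '^[[:space:]]*#' "$cfg" |
        grep -Eq '(^|[[:space:]])@@?[A-Za-z0-9._:-]+|omfwd'
}

# check_rule CONFIG
# Prints "pass" when forwarding is configured and "finding" otherwise,
# mirroring the STIG's "this is a finding" language.
check_rule() {
    if has_remote_forwarding "$1"; then
        printf 'pass\n'
    else
        printf 'finding\n'
    fi
}

# make_sample_configs
# Writes two constructed sample configurations into a temporary directory and
# prints the directory path so callers can inspect or remove it.
make_sample_configs() {
    tmp=$(mktemp -d)

    # Constructed sample: local files only, which this rule treats as a finding.
    cat > "$tmp/local.conf" <<'EOF'
# constructed rsyslog sample: everything stays on the sensor itself
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
# @@old-logserver.example.internal:514   (commented out, so not in effect)
EOF

    # Constructed sample: all events forwarded over TCP to a central server.
    cat > "$tmp/forward.conf" <<'EOF'
# constructed rsyslog sample: central audit log server (assumed host name)
*.* @@logserver.example.internal:514
EOF

    printf '%s\n' "$tmp"
}

# Stand-alone demonstration on the constructed samples.
dir=$(make_sample_configs)
for f in "$dir/local.conf" "$dir/forward.conf"; do
    printf '%s: %s\n' "$f" "$(check_rule "$f")"
done
rm -rf "$dir"
```

Run the script on a real component by calling check_rule with the path of that component's audit log configuration; a "finding" result means the forwarding target must be added, and a commented-out target is deliberately not accepted because it does not take effect.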