The IDPS sensor event logging function must reduce the likelihood of log record capacity being exceeded.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-34591	SRG-NET-999999-IDPS-00222	SV-45455r1_rule		Low

Description
Event logging is a key function of the IDPS. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the IDPS is configured to allocate enough log record storage capacity that will not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.

Description

Event logging is a key function of the IDPS. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. It is imperative the IDPS is configured to allocate enough log record storage capacity that will not become exhausted. Without this capability, the site could lose valuable data needed for investigating security incidents.

STIG	Date
Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide	2012-11-19

Details

Check Text ( C-42804r1_chk )
Verify a mechanism controlling the spooling of IDPS sensor event log data to a central log server. Verify spooling is configured to move the data from the sensor's event log to the central log before the sensor log capacity is exceeded. If the logging function is not configured to reduce the risk of exceeding log capacity, this is a finding.

Fix Text (F-38852r1_fix)
Configure the sensors to spool the log data before data overflow occurs.