Details

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Solution

Configure the Cisco switch to send critical to emergency log messages to the syslog server as shown in the example below:

4(config)#logging host x.x.x.x
SW4(config)#logging trap critical

Note: The parameter ‘critical’ can replaced with a lesser severity level (i.e., error, warning, notice, informational).

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Switch_Y21M07_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Cisco.

References

• 800-53|AU-5(2)
• CAT|II
• CCI|CCI-001858
• Rule-ID|SV-220600r521267_rule
• STIG-ID|CISC-ND-001000
• STIG-Legacy|SV-110429
• STIG-Legacy|V-101325
• Vuln-ID|V-220600

Source

• Tenable.com/audits