Rule ID
SV-233324r1113796_rule
Version
V2R4
Having a separate, secure location for log records is essential to the preservation of logs as required by policy. Satisfies: SRG-NET-000492-NAC-002110, SRG-NET-000334-NAC-001350
If DOD is not at C2C Step 1 or higher, this is not a finding. 1. Go to Tools >> Options >> Syslog. 2. Verify a syslog server's IP address is configured. Or 1. Go to Tools >> Options. 2. Navigate to the extended module (e.g., Splunk) that offloads log records to a separate device. 3. Verify the connection is successful. If each Forescout device does not offload log records to a separate device, this is a finding.
Configure Syslog server with TCP, as well as configure Syslog to alert if the communication between the Syslog server and the Forescout appliance loses connectivity. 1. Go to Tools >> Options >> Syslog. 2. Click "Add/Edit". 3. Configure the Syslog: - Navigate to Syslog Server IP address >> Server Port >> Server Protocol set to TCP. - Check the Use TLS setting. - Configure the Identity, Facility, and Severity. 4. Click "Ok". 5. Click "Apply". Or Configure external module (e.g., Splunk) per instructions to send appliance logs from each Forescout appliance to the separate destination.