← Back to Microsoft SCOM Security Technical Implementation Guide

V-237431

CAT II (Medium)

The Microsoft SCOM server must back up audit records at least every seven days onto a different system or system component than the system or component being audited.

Rule ID

SV-237431r961863_rule

STIG

Microsoft SCOM Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained.

Check Content

Determine if the security logs as well as the Operations Manager logs on the SCOM management server are being ingested by a tool such as Splunk, ArcSite, or Azure Log Analytics. 

If no effort is being made to retain log data on the SCOM server, this is a finding.

Fix Text

Establish and implement a process for keeping the Security Log as well as the Operations Manager log. Most DoD enclaves are already running tools such as Splunk or Azure Log Analytics. It is important that these logs be ingested by these tools.