
V-275482

CAT II (Medium)

The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.

Rule ID

SV-275482r1147496_rule

STIG

Riverbed NetIM NDM Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001851

Discussion

Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration. The ability to off-load those files is a common process used while managing information systems.

Check Content

Verify auditing is configured to send events to a central log server by using the following command:

     $ sudo grep -i -A 2 'action(type="omfwd"' /etc/rsyslog.d/60-netim.conf

The output should show the forwarding action:

     *.*  action(type="omfwd" target="<Syslog Server IP>" port="3514" protocol="tcp"
             action.resumeRetryCount="100"
             queue.type="linkedList" queue.size="10000")

If auditing is not configured to send events to a central log server, this is a finding.

Fix Text

Configure the rsyslog service to send NetIM audit logs to a central syslog server.

1. Create or edit the NetIM configuration file in the "/etc/rsyslog.d" directory:

     $ sudo nano /etc/rsyslog.d/60-netim.conf

2. Add the following text:

    *.*  action(type="omfwd" target="<Syslog Server IP>" port="3514" protocol="tcp"
             action.resumeRetryCount="100"
             queue.type="linkedList" queue.size="10000")

3. Restart the rsyslog service.

     $ sudo service rsyslog restart
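
To confirm the result after the restart, a line-oriented grep is not enough: the action spans three lines, a commented-out copy still matches, and a file that still contains the `<Syslog Server IP>` placeholder forwards nothing. The script here is an added example, not part of the STIG; the function names `omfwd_actions` and `check_offload` are hypothetical.

```shell
#!/bin/sh
# Added example: verify rsyslog off-loading. Function names are hypothetical.

# Print every omfwd action(...) block from the given files, one per line.
# Comments are stripped first (simplification: a '#' inside a quoted value
# is also treated as a comment), then lines are joined so a block that
# spans several lines is matched as a whole.
omfwd_actions() {
    sed 's/#.*//' "$@" | tr '\n' ' ' |
        grep -oE 'action\([^)]*\)' |
        grep -i 'type="omfwd"'
}

# Return 0 if at least one omfwd action has a usable target, 1 otherwise.
check_offload() {
    actions=$(omfwd_actions "$@") || {
        echo "FINDING: no active omfwd action found"
        return 1
    }
    status=1
    while IFS= read -r block; do
        target=$(printf '%s\n' "$block" | sed -n 's/.*target="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$block" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        case $target in
            ''|*'<'*|*' '*)   # missing, still the placeholder, or stray space
                echo "FINDING: omfwd target not set: '$target'" ;;
            *)                # omfwd uses UDP when protocol is omitted
                echo "OK: forwarding to $target over ${proto:-udp}"
                status=0 ;;
        esac
    done <<EOF
$actions
EOF
    return $status
}

# Usage: sh check_offload.sh /etc/rsyslog.d/60-netim.conf
if [ "$#" -gt 0 ]; then check_offload "$@"; fi
```

The exit status is 0 only when an active forwarding action with a real target exists, so the script can be called from a compliance scan or a cron job.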