Skip to content

Splunk Enterprise must be configured to retain the identity of the original source host or device where the event occurred as part of the log record.

An XCCDF Rule

Description

<VulnDiscussion>In this case the information producer is the device based on IP address or some other identifier of the device producing the information. The source of the record must be bound to the record using cryptographic means. Some events servers allow the administrator to retain only portions of the record sent by devices and hosts. This requirement applies to log aggregation servers with the role of fulfilling the DoD requirement for a central log repository. The syslog, SIEM, or other event servers must retain this information with each log record to support incident investigations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-251674r879887_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure Splunk Enterprise to retain the identity of the original source host or device where the event occurred.

Use Splunk Enterprise to modify the props.conf file to include the identity of the original source host or device where the event occurred.