The Ivanti EPMM server must be configured to transfer Ivanti EPMM server logs to another server for storage, analysis, and reporting. Note: Ivanti EPMM server logs include logs of UEM events and logs transferred to the Ivanti EPMM server by UEM agents of managed devices.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Note: UEM server logs include logs of UEM events and logs transferred to the UEM server by UEM agents of managed devices. Satisfies: FMT_SMF.1.1(2) c.8, FAU_STG_EXT.1.1(1) Reference: PP-MDM-411054</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251415r1004742_rule
Severity: Medium
References: CCI-001851
Updated: 17 days ago

Complete the following activities to configure the transfer of MobileIron Core 10 server logs:

Configure Splunk for automated log export:

Step 1: Enable Core to turn on the Splunk Forwarder so it can push data to the Splunk Indexer.
To enable the Splunk Forwarder:
1. Log in to System Manager.
2. Go to Settings >> Services.
3. Select "Enable" next to Splunk Forwarder.
4. Click Apply >> OK to save the changes.

Step 2: Add a Splunk Indexer to configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.

To add a Splunk Indexer:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Indexer.
3. Click "Add" to open the Add Splunk Indexer window.
4. Modify the fields, as necessary, in the "Add Splunk Indexer" window. The following fields and descriptions are in the Add Splunk Indexer window:
- Splunk Indexer - Add the IP address of your Splunk Enterprise Server.
- Port - Add port of your Splunk Enterprise Server.
- Enable SSL - Click this check box to enable SSL.
5. Click Apply >> OK to save the changes.

Step 3: Configure Splunk Data to configure which data Splunk Forwarder sends to the Splunk Indexer.

To configure Splunk Data:
1. Log in to System Manager.
2. Go to Settings >> Data Export >> Splunk Data to open the "Data to Index" window.
3. Modify the fields, as necessary.
- Click Show/Hide Advanced Options to further customize which data to send to Splunk.
- Check "Audit Log" at a minimum.
4. Click Apply >> OK.
5. Restart the Splunk Forwarder by disabling it, then enabling it again.
  a. Go to Settings >> Services.
  b. Select Disable next to Splunk Forwarder.
  c. Click Apply >> OK.
  d. Select Enable next to Splunk Forwarder.
6. Click Apply >> OK to save the changes.

Note: Syslog can be used instead of Splunk.

The Ivanti EPMM server must be configured to transfer Ivanti EPMM server logs to another server for storage, analysis, and reporting. Note: Ivanti EPMM server logs include logs of UEM events and logs transferred to the Ivanti EPMM server by UEM agents of managed devices.

Description

Remediation - Manual Procedure