The FortiGate device must off-load audit records on to a different system or media than the system being audited.

An XCCDF Rule

Description

<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-234181r879886_rule
Severity: Medium
References: CCI-001851
Updated: about 1 year ago

Login via the GUI with super-admin privileges.

1. Click Log and Report.
2. Click Log Settings.

To add a FortiAnalyzer:- In the Remote Logging and Archiving, enable logging to FortiAnalyzer and provide the IP address.

To add a Syslog server:
- In the Remote Logging and Archiving, enable Send logs to Syslog and provide the IP address.

3. Apply changes.

or

1. Open a CLI console via SSH or from the "CLI Console" button in the GUI.

2. Configure a fortianalyzer or syslog server with the following commands:

FortiAnalyzer:
# config log fortianalyzer setting
#    set status enable
#    set server {IP Address}
#    set upload-option realtime
# end

Syslog:
# config log syslogd setting
#    set status enable
#    set server {IP Address}
#    set mode reliable
# end

The FortiGate device must off-load audit records on to a different system or media than the system being audited.

Description

Remediation - Manual Procedure