The SEL-2740S must be configured to send log data to a Syslog server or collected by another parent OTSDN Controller.

An XCCDF Rule

Description

<VulnDiscussion>Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-102383r1_rule
Severity: Medium
References: CCI-001348
Updated: about 1 year ago

To collect logs using the OTSDN controller, do the following:
1. Go to the "Log Settings" page.
2. Select the Primary entry in the Logging table.
3. Click the "Add" icon (A) in the "Log Services" pane.
4. Select Syslog Server (B) from the menu to display a new Syslog Server Log Service box.
5. Click the "Syslog Server" box to display a blue border around the box.6. Enter Settings (1) through (4) in the appropriate boxes.
7. Click "Submit".

Use the OTSDN Controller to Syslog the events to a central Security Information and Event Manager (SIEM).
Option 2
To configure the SEL-2740S to send logs to a syslog server:
1. Go to the configuration object setting page.
2. Select syslog under the log services for the desired switch.
3. Enter the settings desired for the syslog server IP address and severity level to send to this destination.
4. Repeat for amount of desired log servers as the SEL-2740S supports up to three destinations.

To create the flow rule(s) for Syslog traffic:
1. Log in to OTSDN Controller with Permission Level 3.
2. Identify or create the Configuration Port to use for the path to Syslog Server.
3. Identify or create the Configuration Link to use for the path to Syslog Server.

Create the Flow Rule for the SEL-2740S' Syslog traffic:
1. Click "Flow Entries" in Navigation Menu.
2. Click "Add Flow" button.
3. Enter General setting values for "Switch" Enable.  Optional enter General settings for "Table ID", "Priority", "Idle Timeout", and "Hard Timeout".
4. For Syslog traffic, enter appropriate "Match Field" values for "ARP Opcode" (Request or Reply), "ARP Source", "ARP Target", "Communication Service Type (CST) Match", "Ethernet Destination", "Ethernet Source", "Ethernet Type", "InPort", "IP Proto", "IPv4 Destination", "IPv4 Source", "TCP Destination", "TCP Source", "UDP Destination", "UDP Source", "VLAN Priority", and/or "VLAN Virtually ID".
5. Enter appropriate Write-Actions for "Pop VLAN ID", "Push VLAN ID", "Set VLAN ID", "Set VLAN Priority", "Set Queue", "Group by Alias or Value", and/or "Output by Alias or "Value".
6. Click "Submit".

The SEL-2740S must be configured to send log data to a Syslog server or collected by another parent OTSDN Controller.

Description

Remediation - Manual Procedure