Free DISA STIG and SRG Library | Vaulted

V-81107

The Central Log Server must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

Finding ID: SRG-APP-000086-AU-000020
Rule ID: SV-95821r1_rule
Severity: Cat III
CCE: (None)
Group Title: SRG-APP-000086-AU-000020
CCI: CCI-000174
Target Key: (None)
Documentable: No
Discussion

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol.

Fix Text

For each log server, configure the server to aggregate log records from organization-defined devices and hosts within its scope of coverage.

Check Content

Examine the documentation that lists the scope of coverage for the specific log server being reviewed. Verify the system is configured to aggregate log records from organization-defined devices and hosts within its scope of coverage. If the Central Log Server is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.