The DBN-6300 must support centralized management and configuration of the content captured in audit records generated by all DBN-6300 components.
Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an attack. Centralized management and storage of log records increases efficiency in maintenance and management of records and facilitates the backup and archiving of those records. The IDPS must be configured to support centralized management and configuration of the content to be captured in audit records generated by all network components. IDPS sensors and consoles must have the capability to support centralized logging. They must be configured to send log messages to centralized, redundant servers and be capable of being remotely configured to change logging parameters (such as facility and severity levels). DB Networks can (and does) use Splunk as the current Security Operations Center (SOC) alert notification mechanism, which is driven off the syslog on the DB Networks DBN-6300.
Configure the DBN-6300 with syslog output to the SIEM. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Enter the centralized event management system IP address and port number. Click on the "Commit" button to start the process.
Verify integration with a network-wide monitoring capability. Obtain the IP address and port number for the centralized event management system (e.g., SIEM) from site personnel. Navigate to the "Admin" tab. Click on the "External Service Settings" button. Verify the IP address and port number for the centralized event management system are implemented. If the DBN-6300 is not configured to send syslog information to a centralized event management system that manages the DBN-6300 network-wide monitoring capability, this is a finding.