Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2082
Views
5
Helpful
1
Replies

How to monitor/configure Firewall to alert admins if log failure occurs

Sparkeyluv
Level 1
Level 1

‎01-07-2020 06:26 AM - edited ‎01-07-2020 09:58 AM

Good morning,

 

I’m doing some research on how to apply/implement STIG V-79449. The Requirement for my organization is to configure the network device to send an alert if its unable to generate or create logs.

 

Any ideas on how this can be done?

Labels:
0 Helpful
1 Reply 1

ngkin2010
Level 7
Level 7

‎01-07-2020 07:33 AM

Hi,

 

Interesting question! I have read the information about V-79449, and it stated that :

 

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process traffic logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Most firewalls use User Datagram Protocol (UDP) to send audit records to the server and cannot tell if the server has received the transmission. Thus, when the event daemon stops working, messages and notifications cannot be sent to the event monitor (e.g., Network Management System [NMS], Security Information and Event Management [SIEM], Syslog) or to the Simple Network Management Protocol (SNMP) server. Another method such as a keep-alive with the central audit server may be required. This requirement applies to each audit data storage repository (i.e., distinct information system component where traffic log records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Note that CCI-001858 requires that audit failure alerts be in real time; thus, simply sending a log event to the central audit server is not sufficient.

 

So, basically it is telling us that if the audit server (e.g. log server / SIEM ...etc) failed to collect / process the incoming traffic log from ASA, the security staff will not aware of it. 

 

To address this issue, you may consider to change to use TCP instead of UDP on syslog.

 

 

logging host interface_name syslog_ip tcp [/ port ]

But please be aware that, if the syslog_ip (that is the audit server) is unreachable or refusing to TCP syslog connection. ASA will block new connections as a security protection. 

 

You may want to configure fail-open as follow:

 

 

logging permit-hostdown

 

 

At this point, how could the security staff aware if audit server is down or refusing the syslog connection?

 

After you configured the TCP syslog, and when the audit server is down. ASA will generate the below log message:

 

  • %ASA-3-414003: TCP Syslog Server intf: IP_Address/port not responding. New connections are [permitted|denied] based on logging permit-hostdown policy.
  • %ASA-3-414005: TCP Syslog Server intf: IP_Address/port connected, New connections are permitted based on logging permit-hostdown policy
  • %ASA-3-414006: TCP Syslog Server configured and logging queue is full. New connections denied based on logging permit-hostdown policy.

 

The point is, if you have multiple SIEM in your infrastructure. And either one is failed, the another working SIEM could monitor the above syslog message and fire a alert to security guy.

 

 

 

References:

https://www.stigviewer.com/stig/firewall_security_requirements_guide/2018-03-21/finding/V-79449

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card