SPLK-CL-000170 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.

Information

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit function and application operation may be adversely affected.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure Splunk Enterprise, using the reporting and notification tools, to create a report with notification to the SA and ISSO of any audit failure events, such as loss of communication or logs no longer being collected.

Item Details

Audit Name: DISA STIG Splunk Enterprise 8.x for Linux v2r3 STIG REST API

Category: AUDIT AND ACCOUNTABILITY

Plugin: Splunk

Control ID: 29f6eb3388368357a95023bc7f37871a400cf582b6d36f7351d5e6cb07e010ca

Detections

Analytics

SPLK-CL-000170 - Splunk Enterprise must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) of all audit failure events, such as loss of communications with hosts and devices, or if log records are no longer being received.

Information

Solution

See Also

Item Details