
The IDPS sensor events log monitoring application or mechanism retrieves events from the sensor before the events log becomes full.


Overview

Finding ID: SRG-NET-000083-IDPS-000079
Version: SRG-NET-000083-IDPS-000079
Rule ID: SRG-NET-000083-IDPS-000079_rule
IA Controls:
Severity: Medium
Description
The IDPS logging facility must be configured to reduce the likelihood of log record capacity being exceeded. Events on the sensor are stored in a local events log that is typically large enough to hold several days of events under normal conditions. That capacity is not a guarantee: during an attack or a burst of alerts the log fills far faster than usual, so the monitoring application must retrieve (spool) events from the sensor before the log becomes full. Otherwise the sensor starts overwriting the oldest unread events, and that information is lost.
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43207_chk)
Verify that a mechanism is in place that spools IDPS event data from the sensor to the site's management network before the sensor's events log overflows.
If sensors are not configured to spool the events log before a log overflow occurs, this is a finding.
Fix Text (F-43207_fix)
Configure the IDPS sensor to spool the sensor events log before data overflow occurs.
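The following is an added worked example, not part of the SRG text or of any vendor's sensor software. It models the sensor events log as a ring buffer with per-event sequence numbers, runs a collector that spools it at a fixed interval, and shows two things a reviewer of this requirement cares about: how to size the poll interval against capacity and peak event rate, and how sequence-number gaps on the collector side reveal that the sensor overwrote unread events. Capacity, event rates and the 80% headroom figure are assumed values chosen for illustration.

```python
"""Ring-buffer model of an IDPS sensor events log and the collector that spools it.

Constructed example: not vendor code. Demonstrates (1) loss of unread events when
the collector polls too slowly and (2) detecting that loss from sequence gaps.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SensorEventLog:
    """Fixed-capacity log; when full, the oldest unread event is overwritten."""
    capacity: int
    next_seq: int = 0
    _buf: deque = field(default_factory=deque)  # holds (seq, event) pairs

    def write(self, event: str) -> None:
        if len(self._buf) == self.capacity:
            self._buf.popleft()  # overwrite oldest unread event (the failure mode)
        self._buf.append((self.next_seq, event))
        self.next_seq += 1

    def retrieve(self) -> list:
        """Collector drains everything currently stored (the spooling step)."""
        events = list(self._buf)
        self._buf.clear()
        return events


def spool(log: SensorEventLog, store: list, last_seq: int) -> tuple:
    """Pull events into the collector's store; count sequence gaps as lost events."""
    lost = 0
    for seq, ev in log.retrieve():
        if seq != last_seq + 1:
            lost += seq - last_seq - 1  # events overwritten before we read them
        store.append((seq, ev))
        last_seq = seq
    return last_seq, lost


def simulate(capacity: int, events_per_second: int, poll_interval_s: int,
             duration_s: int) -> tuple:
    """Return (events_collected, events_lost) for a constant event rate."""
    log = SensorEventLog(capacity)
    store, last_seq, total_lost = [], -1, 0
    for t in range(duration_s):
        for i in range(events_per_second):
            log.write(f"t={t} alert#{i}")  # constructed event text
        if (t + 1) % poll_interval_s == 0:
            last_seq, lost = spool(log, store, last_seq)
            total_lost += lost
    last_seq, lost = spool(log, store, last_seq)  # final drain
    return len(store), total_lost + lost


def max_safe_poll_interval(capacity: int, peak_eps: int, headroom: float = 0.8) -> float:
    """Longest poll interval (seconds) keeping the log below `headroom` of capacity at peak rate.

    headroom=0.8 (assumed) leaves margin for rate spikes above the planning figure.
    """
    return (capacity * headroom) / peak_eps


if __name__ == "__main__":
    cap, peak = 1000, 100  # assumed: 1000-event log, 100 events/s at peak
    print("max safe poll interval:", max_safe_poll_interval(cap, peak), "s")
    for interval in (5, 15):
        collected, lost = simulate(cap, peak, interval, 60)
        verdict = "OK" if lost == 0 else "FINDING: unread events overwritten"
        print(f"poll every {interval}s -> collected={collected} lost={lost} {verdict}")
```

With a 1000-event log and 100 events/s, polling every 5 s stays well under capacity and loses nothing, while polling every 15 s lets 1500 events accumulate per period and 500 of them are overwritten each time; the collector sees that as a sequence gap. The sizing rule is the check behind the Fix Text: the spooling interval must be shorter than capacity divided by the peak event rate, with margin, not the rate seen under normal conditions.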