6.12.1 Ensure External SYSLOG Host is Set with Any Facility and Informational Severity

Information

Logging data must be sent to at least one external SYSLOG server.

Rationale:

Log information from a JUNOS Device can be vital in detecting an attack and to allow incidents to be analyzed, investigated and (where appropriate) prosecuted. SYSLOG information is also helpful in diagnosing and resolving non-security related operational issues on the network.

Because of this, one of the first tasks an attacker will attempt to accomplish after gaining access to a Network Device is to alter or delete logs to cover their tracks.

To prevent an attacker or a fault denying you access to log data, it is vital to send logs to at least one External Logging and/or SIEM (Security Incident and Event Manager) Server. JUNOS Devices use the industry standard SYSLOG protocol for this.

SYSLOG entries are generated by a range of sources on a JUNOS Device, such as authorization which reports Authentication and Authorization events or PFE for events encountered by the Packet Forwarding Engine. Each of these sources are referred to as a Facility.

In addition to indicating what facility generated a log message, JUNOS SYSLOG also indicates and allows the administrator to filter based on the Severity Level for each message. There are eight possible levels, which are as follows:

Emergency (0)

Alert (1)

Critical (2)

Error (3)

Warning (4)

Notice (5)

Informational (6)

Any (7) (called Debug on many SYSLOG systems)

Each increase in level represents an increase in the detail and number of log messages created. Each level includes the messages from all preceding levels, so Critical includes all messages from both the Alert and Emergency levels.

To ensure that vital messages about the Health and Security of the JUNOS Device are not missed, or lost should an attacker delete local logs, at least one External SYSLOG or SIEM Server should be configured to receive log messages from any Facility and at least info Severity.

Impact:

Network Devices, particularly Firewalls, can generate a significant volumes of log data, it is essential that the target SYSLOG server is suitably resourced to handle the expected volume of messages and it is strongly recommended that robust archiving and retention processes be employed.

Solution

SYSLOG data is recorded locally by default, you can configure external SYSLOG servers by issuing the following command from the [edit system syslog] hierarchy;

[edit system syslog]
user@host#set host <Server> any <Severity>

Where:

<Server> is the IP Address or Fully Qualified Domain Name of the Remote Syslog Server

<Severity> should be either any or info

Some SYSLOG or SIEM Servers may require additional configuration items such as explicit-priority or structured-data options to be configured.
It is possible to filter SYSLOG messages to be forwarded to the host using a match or match-string condition. This should not be set for the device's the Remote SYSLOG Host/s configured in meeting this Recommendation.

Default Value:

Log messages are not sent to remote hosts by default, but are stored locally in files in the /var/log/ folder.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CSCv7|6.5

Plugin: Juniper

Control ID: ce0ed78c62e2e2066526f180d53fd9b2c7b9f06fec9cc6a3080141cc13ffc7d5