SPLK-CL-000110 - In a distributed environment, Splunk Enterprise indexers must be configured to ingest log records from its forwarders.

Information

Log servers (e.g., syslog servers) are often used on network segments to consolidate logs from the devices and hosts on that network segment. However, this does not achieve compliance with the DoD requirement for a centralized enclave log server.

To comply with this requirement, create a central log server that aggregates multiple log servers, or use another method to ensure log analysis and management is centrally managed and available to enterprise forensics and analysis tools. This server is often called a log aggregator, SIEM, or events server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

On the forwarders, configure outputs.conf with the address and receiving port of the indexer to which the data will be sent for analysis.

On the indexer, configure inputs.conf to listen on that receiving port and, where possible, to accept connections only from the forwarders that are sending data for analysis.
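The two stanzas below are an added example of the forwarder-side and indexer-side configuration described above; they are not taken from the STIG or from Tenable's check. The hostnames, the group name enclave_indexers, the listening port 9997 and the forwarder subnet are assumed placeholder values to be replaced with the enclave's own. The settings themselves (tcpout, server, splunktcp, acceptFrom, connection_host) are standard Splunk Enterprise configuration keys.

```ini
# Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf  (constructed example)
# Every forwarder in the enclave sends to the same indexer group.
[tcpout]
defaultGroup = enclave_indexers

[tcpout:enclave_indexers]
# One or more indexers, host:port; forwarders load-balance across the list.
server = indexer01.example.mil:9997, indexer02.example.mil:9997

# Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf  (constructed example)
# Listen for Splunk-to-Splunk (cooked) data from the forwarders on port 9997.
[splunktcp://9997]
disabled = 0
# Record the forwarder's IP as the host of the connection rather than a DNS name.
connection_host = ip
# Accept only the enclave forwarder subnets; everything else is refused.
acceptFrom = 10.10.0.0/16, 10.20.5.0/24
```

After restarting Splunk on both sides, confirm the forwarder sees the indexers as active with `splunk list forward-server` on the forwarder, and confirm the listener is in effect with `splunk btool inputs list splunktcp --debug` on the indexer; a forwarder that appears under "Configured but inactive" indicates a port, firewall or acceptFrom mismatch rather than a missing stanza.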

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for_Linux_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12(1), CAT|II, CCI|CCI-000174, Rule-ID|SV-251664r960873_rule, STIG-ID|SPLK-CL-000110, Vuln-ID|V-251664

Plugin: Splunk

Control ID: f2d9d86f44a05c02ccde314e14773cff9c158a546071179214442d75569496cc