Information
Logging must be enabled to provide information for investigations of operational and security related events. This information should be logged to a remote syslog server to prevent tampering of the log files by an attacker (in an attempt to remove evidence of malicious activity) in the event that the router is compromised.
Remote syslog server is defined via the 'Syslog' command and that logging is directed to this syslog server via the 'log-id' command.
Log for main, security and change events to local file and syslog server. Detailed logging of all events should be enabled to provide as much information to operational and security groups as possible. Incidents are more easily investigated when detailed information is available. 'Info' is considered the preferable level of logging in most cases.
Solution
Consult the TiMOS/SR-OS Security Best Practices Guide for more information on this topic. The TiMOS/SR-OS Security Best Practices Guide is available from the Nokia/Alcatel-Lucent Customer Support Portal at https://support.alcatel-lucent.com/portal/web/support.