
Administering Audit Control Communications

Before Cisco Secure Policy Manager can study the audit events generated by a Policy Enforcement Point, you must identify which primary or secondary server should receive the syslog data streams. Within Cisco Secure Policy Manager, the Policy Monitor Point plays an important role. It collects the audit event streams from one or more Policy Enforcement Points and combines them into audit records that can be further refined into more meaningful data. The Policy Monitor Point provides this data to the Policy Report Point for administrative reports about network activity. It also combines audit events generated by Cisco Secure Policy Manager components running on primary and secondary servers, which provide status about the security system itself.

For further audit event processing, you can also configure your Policy Enforcement Points to publish syslog data streams to third-party syslog servers. This chapter describes the procedures for specifying the Policy Monitor Point and/or third-party syslog servers to which a Policy Enforcement Point should publish its syslog data streams.

In addition to identifying the servers to which data streams should be delivered, these settings also guarantee that the security policies required to enable the Cisco Policy Monitor network service, which matches the syslog network service definition, are automatically generated and applied to the Security Policy Enforcement branch.

Task List for the Policy Enforcement Point Panel

You can perform the following tasks from the Policy Enforcement Point panel. For step-by-step procedures on performing a specific task, refer to the corresponding section.

Selecting the Policy Monitor Point Associated with a Policy Enforcement Point

From the Policy Enforcement Point panel, you can specify the Policy Monitor Point that is used to monitor the syslog data streams generated by the Policy Enforcement Point, such as a PIX Firewall or IOS Router. This Policy Monitor Point studies the syslog data to derive higher-level audit records, such as session records.

To select the Policy Monitor Point used to monitor Policy Enforcement Point syslog data streams, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon for which you want to select a Policy Monitor Point, point to Properties, and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.


Step 2 To select the host that is running the Policy Monitor Point that you want to use, click that host name in the Policy Monitor box under Logging.

This box displays only those primary and/or secondary servers defined under the Network Topology tree that have a Policy Monitor Point client/server product installed on them.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.


 

Selecting the Syslog Servers Associated with a Policy Enforcement Point

From the Policy Enforcement Point panel, you can specify one or more syslog servers, in addition to the Cisco Secure Policy Manager host acting as a Policy Monitor Point, that you can use to provide additional monitoring of the syslog data streams generated by the Policy Enforcement Point.

To select the syslog servers used to monitor Policy Enforcement Point syslog data streams, perform the following task:


Step 1 Right-click the PIX Firewall icon or IOS Router icon for which you want to select an associated syslog server, point to Properties, and click Enforcement on the shortcut menu.

Result: The Policy Enforcement Point panel appears in the View pane.

Step 2 To select one or more hosts on which syslog servers are running, click those host names in the Syslog Monitors box under Logging.

This box displays only those hosts defined under the Network Topology tree that have a syslog client/server product installed on them. The host or hosts that you select must have a syslog application capable of processing the data streams. For instructions on installing and configuring these applications, refer to the documentation that came with those products.

Step 3 To accept your changes and close the selected panel, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.


 


Posted: Fri May 26 15:03:45 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.