Auditing the flow of traffic across your Policy Enforcement Points, such as a PIX Firewall or an IOS Router, enables two other features: notifications and reporting. However, before you can generate any notifications or reports, you must specify the settings for the logging and retention of audit records about events within the system or logged by a Policy Enforcement Point. To specify these settings, you must perform three sub-tasks:
1. Define the audit event filtering rules that Cisco Secure Policy Manager should retain.
2. Select the Cisco Secure Policy Manager host that will monitor the Policy Enforcement Point syslog streams.
3. Define the syslog settings that the Policy Enforcement Points must generate and specify which Cisco Secure Policy Manager hosts will study the resulting syslog streams.
After you specify and save these settings, you can receive customized reports that present the types of audit information most useful to you. In addition, you can receive notification messages by e-mail, pager, or pop-up windows that inform you about the occurrence of those events in which you have registered a specific interest.
Before you can use Cisco Secure Policy Manager to study audit event activities via reports or receive notifications about your network activity, you must configure the system to accept and log the audit events that you are interested in. This task involves defining the audit event filtering rules that Cisco Secure Policy Manager should retain, selecting the Cisco Secure Policy Manager host that will monitor Policy Enforcement Point syslog streams, and specifying the syslog settings that the Policy Enforcement Points must generate to ensure that the selected audit events can be detected.
| Step | Reference |
|---|---|
| 1. Define the audit event filtering rules that Cisco Secure Policy Manager should retain. You can define audit events on the basis of three categories: event classifications, specific events, and service statistics. Result: Cisco Secure Policy Manager detects and logs the audit events in which you are interested. | "Defining Event Filtering Rules based on Event Classifications" section; "Defining Event Filtering Rules based on Specific Events" section; "Defining Event Filtering Rules based on Service Statistics" section |
| 2. Select the Cisco Secure Policy Manager host that will monitor each Policy Enforcement Point syslog stream. Within Cisco Secure Policy Manager, the Policy Monitor Point plays an important role. It collects the audit event streams from one or more Policy Enforcement Points and combines them into audit records that can be further refined into more meaningful data. The Policy Monitor Point provides this data to the Policy Report Point for administrative reports about network activity. It also combines audit events generated by Cisco Secure Policy Manager components running on primary and secondary servers, which provide status about the security system itself. Result: The Policy Enforcement Points direct all syslog streams to the Policy Monitor Point so that Cisco Secure Policy Manager can detect the audit events that you selected in Step 1. | "Selecting the Policy Monitor Point Associated with a Policy Enforcement Point" section; "Selecting the Syslog Servers Associated with a Policy Enforcement Point" section |
| 3. Specify the syslog settings that each Policy Enforcement Point must generate to ensure that the selected audit events can be detected. To generate meaningful reports or notifications about the network activity of a Policy Enforcement Point, you must select the appropriate log level that generates the syslog details required to track session-specific data and device-specific events. To select the appropriate log level, study the audit events that you want Cisco Secure Policy Manager to retain, and then study the documentation provided with your Policy Enforcement Point to determine the minimum log level required to generate all those audit events. Result: The Policy Enforcement Points generate the correct level of syslog messages to ensure that the audit events selected in Step 1 can be detected by the Policy Monitor Point(s) identified in Step 2. | "Specifying Log Settings for PIX Firewall Activity" section; "Specifying Log Settings for IOS Router Node Activity" section |
| 4. Save configuration settings and publish the device-specific command sets to the Policy Enforcement Points. Result: You perform a Save and Update operation and distribute the generated commands to the affected Policy Enforcement Points. | "Command Generation, Verification, and Publication Checklist" section in Cisco Secure Policy Manager Administrator's Guide: Policy Definition |
To notify administrators about specific network activities and system events within the Cisco Secure Policy Manager system (including Policy Enforcement Points), you must define the notification rules that identify the noteworthy events, specify how often to notify the administrator, and identify to whom the notifications should be sent. This task involves defining the notification rules based on specific audit events, verifying that the Policy Enforcement Points log the appropriate level of syslog messages, verifying that a Cisco Secure Policy Manager host is configured to detect such audit events, verifying that the notification method is properly configured on the Cisco Secure Policy Manager host, and saving the notification rules to the Policy Database.
The checklist below outlines the steps required to understand the decision-making process and basic flow required to complete the definition of your notification rules. Each step, described in the Step column, may contain several sub-steps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.
| Step | Reference |
|---|---|
| 1. Define the notification rules. Cisco Secure Policy Manager can generate notifications based on audit event classifications and specific events. However, you cannot generate notifications based on network service activities. To define a notification rule, you must specify the audit event, the notification method, and the configuration settings for that method, including the threshold and message definitions. Result: The notification rules that you want to enforce are specified within Cisco Secure Policy Manager. | |
| 2. Verify that the audit event is generated. To verify that the audit events are generated, you must ensure that the Policy Enforcement Points on your network log the appropriate level of syslog messages to generate the specific audit events on which the notification rules are based. To select the appropriate log level, study the audit events that you want Cisco Secure Policy Manager to retain (based on both the Log event and Log event and issue notification settings), and then study the documentation provided with your Policy Enforcement Point to determine the minimum log level required to generate all those audit events. Result: The Policy Enforcement Points generate the correct level of syslog messages to ensure that the audit events selected in Step 1 can be detected by the Policy Monitor Point(s) identified in Step 3. | "Specifying Log Settings for PIX Firewall Activity" section; "Specifying Log Settings for IOS Router Node Activity" section |
| 3. Verify that the audit event can be detected. To verify that the audit events on which the notification rules are based can be detected, you must verify that the syslog data streams are studied by a Cisco Secure Policy Manager host that is running the Policy Monitor Point feature set. Result: The Policy Enforcement Points direct all syslog streams to the Policy Monitor Point so that Cisco Secure Policy Manager can detect the audit events on which the notification rules that you selected in Step 1 are based. | "Selecting the Policy Monitor Point Associated with a Policy Enforcement Point" section |
| 4. Verify that the notification method is supported. For each Cisco Secure Policy Manager host that is responsible for detecting the audit event on which notification rules are defined, you must verify that the host can generate the specific notification type. Four notification methods exist. Popup: by default this notification method is supported, and you do not need to perform any additional configuration to enable it; however, you can use the View notifications panel to refine the definition of this method. E-Mail: by selecting this option, you specify that Cisco Secure Policy Manager should send an e-mail to the specified recipients each time a notification is generated for the selected audit event. Pager: for pager notifications to work properly, you must have a modem installed on each primary and secondary server that has an operating Policy Monitor Point, due to MAPI constraints; by installing and configuring a modem, you automatically configure the Microsoft Telephony API (TAPI) settings that Cisco Secure Policy Manager uses to deliver pager-based notifications. Script: when you specify the location for a script file, you must define the full path; in addition, any primary or secondary server that is operating as a Policy Monitor Point for a Policy Enforcement Point that can generate such a notification must have the specified script file installed in the exact same location on that server. Result: Each Policy Monitor Point is configured to generate the desired notification methods. | "Refining Notification Settings" section; "Configuring a TAPI Client" section in Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance; "Creating a MAPI Profile" section in Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance |
| 5. Save configuration settings and publish the device-specific command sets to the Policy Enforcement Points. Result: You perform a Save and Update operation and distribute the generated commands to the affected Policy Enforcement Points. | "Command Generation, Verification, and Publication Checklist" section in Cisco Secure Policy Manager Administrator's Guide: Policy Definition |
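Both checklists turn on the same two decisions: which device log level is the minimum that still emits every audit event the filtering rules retain (Step 3 of the audit checklist, Step 2 of the notification checklist), and whether a threshold-based notification rule fires over the syslog stream the Policy Monitor Point receives (Step 1 of the notification checklist). The following Python script is an added example that models those decisions; it is not part of the Cisco Secure Policy Manager documentation or product. The message catalog, message IDs, severities and PIX-style syslog lines are constructed for illustration, and the real severity of a message must be taken from the documentation shipped with the Policy Enforcement Point.

```python
"""
Added example (not from the Cisco documentation): model the "minimum log level"
decision and a threshold notification rule over constructed PIX-style syslog lines.

PIX/IOS syslog severities run 0 (emergencies) .. 7 (debugging). A device whose
logging level is N emits only messages of severity 0..N, so the minimum level
that still produces every wanted event is the largest severity among them.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Syslog severity names as used by PIX/IOS (0 = most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed reference table: message id -> (severity, event classification).
# In practice these values come from the Policy Enforcement Point's syslog message guide.
MESSAGE_CATALOG = {
    "106023": (4, "access-denied"),
    "302013": (6, "session-built"),
    "302014": (6, "session-torn-down"),
    "111008": (5, "admin-command"),
}

# Constructed PIX-style syslog lines, as a Policy Monitor Point might receive them.
SAMPLE_STREAM = """\
Jan 10 10:00:01 pix1 %PIX-4-106023: Deny tcp src outside:10.1.1.5/4021 dst inside:192.168.1.10/23 by access-group "outside_in"
Jan 10 10:00:02 pix1 %PIX-6-302013: Built outbound TCP connection 12 for outside:10.1.1.7/80 to inside:192.168.1.20/3122
Jan 10 10:00:03 pix1 %PIX-4-106023: Deny tcp src outside:10.1.1.5/4022 dst inside:192.168.1.10/23 by access-group "outside_in"
Jan 10 10:00:04 pix1 %PIX-5-111008: User 'enable_15' executed the 'logging trap debugging' command.
Jan 10 10:00:05 pix1 %PIX-4-106023: Deny tcp src outside:10.1.1.5/4023 dst inside:192.168.1.10/23 by access-group "outside_in"
Jan 10 10:00:06 pix1 %PIX-6-302014: Teardown TCP connection 12 for outside:10.1.1.7/80 to inside:192.168.1.20/3122 duration 0:00:04 bytes 512 TCP FINs
"""

# %PIX-<severity>-<message id>: <text>
SYSLOG_RE = re.compile(r"%PIX-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$")


@dataclass(frozen=True)
class AuditEvent:
    host: str
    severity: int
    msg_id: str
    text: str


def minimum_log_level(wanted_msg_ids):
    """Lowest device logging level that still emits every wanted message:
    the device must be at least as verbose as the least severe (highest-numbered) event."""
    return max(MESSAGE_CATALOG[m][0] for m in wanted_msg_ids)


def undetectable_events(wanted_msg_ids, device_level):
    """Wanted message ids that a device logging at device_level will never emit.
    Non-empty means the filtering rule can never match and no notification can fire."""
    return sorted(m for m in wanted_msg_ids if MESSAGE_CATALOG[m][0] > device_level)


def parse_stream(stream):
    """Turn raw syslog lines into AuditEvent records; non-PIX lines are ignored."""
    events = []
    for line in stream.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        host = line.split()[3]  # "Mon DD HH:MM:SS <host> %PIX-..."
        events.append(AuditEvent(host, int(m["severity"]), m["msg_id"], m["text"]))
    return events


def retained_events(events, device_level, wanted_msg_ids):
    """Model the device log level (emits severity <= device_level) followed by the
    audit event filtering rule (keeps only the selected message ids)."""
    return [e for e in events if e.severity <= device_level and e.msg_id in wanted_msg_ids]


def notifications(events, msg_id, threshold):
    """Threshold notification rule: fire for each host whose count of msg_id reaches threshold."""
    counts = Counter(e.host for e in events if e.msg_id == msg_id)
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    wanted = {"106023", "302013"}
    level = minimum_log_level(wanted)
    print(f"minimum logging level for {sorted(wanted)}: {level} ({SEVERITY_NAMES[level]})")
    print("events lost at level 4:", undetectable_events(wanted, 4))
    evs = parse_stream(SAMPLE_STREAM)
    print("retained at level 6:", len(retained_events(evs, 6, wanted)))
    print("notify (106023 x3):", notifications(evs, "106023", 3))
```

The check that matters in practice is `undetectable_events`: if the device is left at a lower level than the least severe event in the filtering rule, the Policy Monitor Point never sees those messages and the notification rule silently never fires.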
Posted: Wed May 31 08:58:30 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.