The logging and notification settings are important from the perspective of keeping up to date on the activities occurring on your networks. Because Policy Enforcement Points (PEPs) provide a choke point in your network, they are also a good place to gather logging information about what is coming into and leaving your networks.
The Configure Logging and Notifications panel enables you to define event filtering rules, which specify which audit records are retained for specific events that transpire within the Cisco Security Manager system or during a network session. In addition, you can define notification rules, which specify notification/alert settings, to keep you and your staff informed of security-related events detected by Cisco Security Manager.
Within Cisco Security Manager, reporting and monitoring are closely related because the information that is processed by the Reporting Subsystem for reports and evaluated by the Policy Monitoring Subsystem depends upon which audit records you select to store in the Policy Database. Two concepts are essential to both of these subsystems:
To start setting up your reporting and monitoring, you must determine the following:
1. Which audit events you want to generate records for so you can define the event filtering rules
2. How and when you want to notify someone on your staff if a particular audit event occurs so that you can define your notification rules
By defining your event filtering and notification rules, you are defining Cisco Security Manager monitoring settings. In this tutorial, we are only going to focus on defining the event filtering rules. For instructions on generating reports and configuring notifications, please refer to the Cisco Policy Manager help system, specifically the collection of topics organized under "Working with Reporting and Monitoring."
You can specify settings that determine whether to retain or discard audit events that are organized into three categories:
However, for this tutorial, we are only interested in limiting the audit events that are retained for the network services that we have used, specifically, ICMP, DNS, HTTP, SMTP, FTP, and Telnet (as well as the Cisco Security Manager-specific services, including PIX Secure Telnet, Cisco Policy Database, Cisco Policy Reporter, and Cisco Policy Monitor). Therefore, we will only make changes to stop retaining the other network services that are identified in the Service Statistics box of the Configure Logging and Notifications panel.
You can specify which audit events are recorded for specific network services, such as HTTP and FTP. We refer to a single setting based on any category as an event filtering rule. The setting of event filtering rules based on service statistics, combined with any other event filtering rules based on event classifications or specific events, identifies the information that is available for on-demand and scheduled reports.
Figure 5-1 depicts the Configure Logging and Notifications panel as it will appear when you complete the procedure defined in this section.
The following procedure describes how to define the event filtering rules that retain only those network service statistics that we have allowed in our security policies.
Step 1 To access the Configure Logging and Notifications panel, click Configure Notifications on the Tools menu.
Result: The Configure Logging and Notifications panel appears in the View pane.
Step 2 To specify that you want to define event filtering rules based on service statistics, click Service Statistics under Select Event Category.
Result: The list of available network services appears under Event Description. Audit events under this category are grouped according to the network service for which they can occur. By specifying event filtering rules for audit events in this category, you determine the availability of audit records that can be used by the reporting agent to generate user-based and network service-based activity reports about the network sessions traversing the PEPs installed on your network.
Step 3 To specify that All IP is the network service for which you want to define the event filtering rule, click All IP in the Event Description list.
Result: The options under Event Disposition become available and can be edited.
This list of services corresponds directly to the list of services under the Network Services branch of the Services tree.
Step 4 To specify that you want Cisco Security Manager to discard the audit record that describes the circumstances that triggered this event, click Discard event under Event Disposition.
For each audit event, you can define one of two rules:
Step 5 To define event filtering rules for each network service listed in the following Note, repeat Steps 3 and 4. Otherwise, continue with Step 6.
Step 6 To apply your changes, click Apply.
Step 7 To accept your changes and close the Configure Logging and Notifications panel, click Close.
Step 8 To save all changes to the Policy Database, click Save on the File menu.
Result: These changes do not affect the generated commands for the PIX Firewall; they apply specifically to the Cisco Security Manager system.
Figure 5-2 depicts the Settings 1 panel as it will appear when you complete the procedure defined in this section.
Because we want to generate detailed reports about the FTP and HTTP services, including the most active sites, we must specify the log level that collects this data. For the PIX Firewall, this log level is debugging.
Step 1 To find the corporate firewall for which you want to specify the log settings, expand the Network Topology tree until you view the Corporate Firewall node in the Navigator pane.
You can expand or collapse the tree structure in one of two ways:
Step 2 To access the shortcut menu, right-click the Corporate Firewall icon for which you want to specify the log settings.
Step 3 To view the Settings panel, point to Properties, and then click Settings 1 on the shortcut menu.
Step 4 To specify that you want to enable logging, verify that the Enable logging check box is selected under Logging.
By default, this option is selected.
Step 5 To specify the log facility number that you want the corporate firewall to use when generating Syslog data streams, select 17 in the Log facility box under Logging.
The log facility is useful when you have a central Syslog monitoring system that needs to distinguish among the various network devices that generate Syslog data streams. This box lets you assign the selected PIX Firewall a log facility value between 16 and 23. That value is included in every Syslog message that this PIX Firewall generates. The default value for this box is 16.
Step 6 To specify the level of Syslog messages that you want the corporate firewall to generate, select debugging in the Log level (trap) box under Logging.
This value identifies the Syslog logging level generated by the PIX Firewall. You can specify one of the following values for this box:
Step 7 To accept your changes and close the Settings 1 panel, click OK.
Step 8 To save any changes that you have made to the Policy Database, click Save on the File menu.
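To see how the log facility and log level chosen above appear on the wire, here is an added example (not Cisco Security Manager code) that decodes the syslog PRI field so a central Syslog collector can tell which facility and level each firewall is using. It assumes the standard syslog encoding PRI = facility * 8 + severity, with facilities 16 to 23 named local0 to local7 and severity 7 being the PIX "debugging" level; the sample lines are constructed.

```python
# Added example (not Cisco Security Manager code): decode the syslog PRI field
# so a central collector can tell which facility and level a PIX is using.
# Assumes the standard encoding PRI = facility * 8 + severity, with facilities
# 16..23 named local0..local7 and severity 7 being the PIX "debugging" level.
import re

LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # choices in Settings 1
SEVERITIES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def encode_pri(facility, severity):
    """PRI a device writes for a facility (16..23) and severity (0..7)."""
    if facility not in LOCAL_FACILITIES or severity not in SEVERITIES:
        raise ValueError("facility must be 16..23 and severity 0..7")
    return facility * 8 + severity

def decode_pri(line):
    """Return (facility_name, severity_name, message) or None if no valid <PRI>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = 23*8 + 7, the largest legal PRI
        return None
    pri = int(m.group(1))
    fac, sev = divmod(pri, 8)
    return LOCAL_FACILITIES.get(fac, f"facility{fac}"), SEVERITIES[sev], m.group(2)

def count_by_facility(lines):
    """Count lines per facility name; lines without a valid PRI go under 'malformed'."""
    counts = {}
    for line in lines:
        parsed = decode_pri(line)
        key = parsed[0] if parsed else "malformed"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines: the corporate firewall at facility 17 (local1) sending
# a debugging and an informational message, a device left at the default facility
# 16 (local0), and one line with no PRI header at all.
SAMPLE_LINES = [
    "<143>Aug 18 19:20:04 corp-fw: constructed debugging message",
    "<142>Aug 18 19:20:05 corp-fw: constructed informational message",
    "<134>Aug 18 19:20:06 other-fw: constructed message from default facility",
    "no PRI header on this line",
]

if __name__ == "__main__":
    print(encode_pri(17, 7))  # 143: facility 17, level debugging
    print(count_by_facility(SAMPLE_LINES))
```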
Posted: Wed Aug 18 19:20:04 PDT 1999
Copyright © 1989-1999 Cisco Systems Inc.