This section outlines audit logging guidance for Cisco NCS 1010. Use it to apply the required recommendation when you configure, monitor, or maintain audit logging and monitoring.
Granularity of audit rules
- You can enable or disable audit rules only at the group level, not individually within a group.
- Regularly review the status of audit rules and audit log forwarding to ensure monitoring remains effective.
Resource usage on NCS 1010
Use caution when enabling all rule groups, especially those that monitor frequent events, as this may increase CPU, memory, or disk usage. Enable only the groups required for compliance or security needs.
Security of audit logs and syslog servers
- Allow only users with appropriate administrative privileges to configure or view Linux security audit settings.
- Protect access to audit logs and syslog servers to prevent unauthorized access or tampering.
Log forwarding to remote syslog servers
- Confirm that the remote syslog server is reachable and properly configured before enabling log forwarding.
- NCS 1010 forwards audit logs to remote syslog servers in unencrypted plain text. Use only trusted network segments for remote syslog servers.