RFC 3871           Operational Security Requirements      September 2004
2.11.2.  Logs Sent To Remote Servers
   Requirement.
      The device MUST support transmission of records of security
      related events to one or more remote devices.  There MUST be
      configuration settings on the device that allow selection of
      servers.
   Justification.
      This is important because it supports individual accountability.
      It is important to store the records on a separate server to
      preserve them in case of failure or compromise of the managed
      device.
   Examples.
      This requirement may be satisfied by the use of one or more of:
      syslog [RFC3164], syslog with reliable delivery [RFC3195], TACACS+
      [RFC1492] or RADIUS [RFC2865].
   Warnings.
      Note that there may be privacy or legal considerations when
      logging/monitoring user activity.
      High volumes of logging may generate excessive network traffic
      and/or compete for scarce memory and CPU resources on the device.
2.11.3.  Ability to Select Reliable Delivery
   Requirement.
      It SHOULD be possible to select reliable delivery of log messages.
   Justification.
      Reliable delivery is important to the extent that log data is
      depended upon for operational decisions and forensic analysis.
      Without reliable delivery, log data becomes a collection of hints.
   Examples.
      One example of reliable syslog delivery is defined in [RFC3195].
      Syslog-ng provides another example, although the protocol has not
      been standardized.
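
An added Python example, not part of the RFC: it sends one record in the RFC 3164 format to every configured server, with the transport selectable per server as 2.11.2 and 2.11.3 require. Plain TCP with newline framing stands in for the reliable option here; it is not the BEEP-based protocol of [RFC3195], and the function names, record contents and loopback collectors are constructed for illustration.

```python
import socket

def rfc3164_record(facility, severity, timestamp, host, tag, text):
    """Build a BSD syslog (RFC 3164) record: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {tag}: {text}".encode("ascii", "replace")

def send_event(servers, record, timeout=2.0):
    """Send record to each (host, port, transport) server; return status per server."""
    status = {}
    for server in servers:
        host, port, transport = server
        try:
            if transport == "tcp":
                # Connection setup fails loudly if no collector is listening.
                with socket.create_connection((host, port), timeout=timeout) as s:
                    s.sendall(record + b"\n")  # newline framing (assumption)
                status[server] = "accepted"    # handed to TCP, not an app-level ack
            else:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                    s.sendto(record, (host, port))
                status[server] = "sent"        # UDP gives no delivery feedback
        except OSError:
            status[server] = "failed"
    return status

def demo():
    """Loopback run: one live TCP collector and one dead port tried over TCP and UDP."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()                               # nothing listens on this port now
    servers = [("127.0.0.1", live.getsockname()[1], "tcp"),
               ("127.0.0.1", dead_port, "tcp"),
               ("127.0.0.1", dead_port, "udp")]
    # Constructed sample event: facility 4 (auth), severity 5 (notice) -> PRI 37.
    record = rfc3164_record(4, 5, "Sep  1 12:00:00", "router1", "login",
                            "authentication failure for admin")
    status = send_event(servers, record)
    conn, _ = live.accept()
    received = conn.recv(1024)
    conn.close()
    live.close()
    return [status[s] for s in servers], received

if __name__ == "__main__":
    print(demo())
```

The dead collector is reported as failed over TCP but as sent over UDP, so only the TCP path gives the device something to alarm or retry on.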
Jones                        Informational                     [Page 49]



