Description
Indeni will verify that certain syslog servers are configured on a monitored device.

Remediation Steps
Modify the device's configuration as required.

How does this work?
This alert logs into the F5 device through SSH and parses the output of the command "tmsh list sys syslog" to verify that a syslog server has been configured.

Why is this important?
In case of a successful intrusion attempt, it is imperative to be able to trust the log files. To be able to do that, it is good to have a remote syslog server configured. That way the attacker would have a harder time hiding their tracks. Also, in case of an outage or hardware failure, a remote syslog server could be critical for finding the root cause.

Without Indeni how would you find this?
An administrator could periodically log into the device through SSH, enter TMSH and execute the command "list sys syslog" in order to identify the configured syslog servers.
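
The check described above can be sketched as a small parser. This is an added example, not Indeni's own script: the function names, the `required_hosts` parameter and the sample outputs are assumptions constructed for illustration, modelled on the brace-nested layout that "tmsh list sys syslog" prints.

```python
# Constructed samples of "tmsh list sys syslog" output (not captured from a real device).
SAMPLE_CONFIGURED = """\
sys syslog {
    remote-servers {
        /Common/siem-primary {
            host 192.0.2.10
            remote-port 6514
        }
        /Common/siem-backup {
            host 192.0.2.11
        }
    }
}
"""
SAMPLE_EMPTY = "sys syslog { }\n"
SAMPLE_NONE = "sys syslog {\n    remote-servers none\n}\n"

def remote_syslog_servers(output):
    """Return {server_name: {property: value}} for entries under remote-servers."""
    servers, stack = {}, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith("{ }"):   # blank line or empty one-line block
            continue
        if line.endswith("{"):                 # opening of a nested block
            stack.append(line[:-1].strip())
            if len(stack) == 3 and stack[1] == "remote-servers":
                servers[stack[2]] = {}
        elif line == "}":                      # closing of the current block
            if stack:
                stack.pop()
        elif len(stack) == 3 and stack[1] == "remote-servers":
            key, _, value = line.partition(" ")
            servers[stack[2]][key] = value.strip()
    return servers

def check(output, required_hosts=()):
    """Report whether any remote server exists and which required hosts are absent."""
    found = {props.get("host") for props in remote_syslog_servers(output).values()}
    found.discard(None)                        # entries without a host line do not count
    return {"configured": bool(found),
            "missing": sorted(set(required_hosts) - found)}

if __name__ == "__main__":
    print(check(SAMPLE_CONFIGURED, ["192.0.2.10", "192.0.2.12"]))
    print(check(SAMPLE_NONE, ["192.0.2.10"]))
```

An entry that exists under remote-servers but has no host line is treated as not configured, since it would not forward logs anywhere.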