Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP server must be the same as the host and devices within its scope of coverage.

From Central Log Server Security Requirements Guide

Part of SRG-APP-000086-AU-000030

Associated with: CCI-000174

SRG-APP-000086-AU-000030_rule Time stamps recorded on the log records in the Central Log Server must be configured to synchronize to within one second of the host server or, if NTP is configured directly in the log server, the NTP server must be the same as the host and devices within its scope of coverage.

Vulnerability discussion

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded.

Log records are time correlated if the time stamps in the individual log records can be reliably related to the time stamps in other log records to achieve a time ordering of the records within an organization-defined level of tolerance.

This requirement applies only to applications that compile system-wide log records for multiple systems or system components.

Check content

Examine the time stamp that indicates when the Central Log Server received the log records. Verify the time is synchronized to within one second of the host server. If NTP is configured within the Central Log Server application, verify it is configured to use the same NTP server as the host and devices within its scope of coverage. If time stamps recorded on the log records in the Central Log Server are not configured to synchronize to within one second of the host server or the log server application is not configured to use the same NTP server as the host and devices within its scope of coverage, this is a finding.
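
One way to script this check, as an added example that is not part of the SRG. It assumes the auditor has paired clock readings (log server receipt time and host server time, taken at the same instant) and the configured NTP servers of each system in scope; all function names, timestamps and hostnames are constructed.

```python
from datetime import datetime

TOLERANCE_S = 1.0  # "within one second" from the requirement

def skew_findings(samples, tolerance=TOLERANCE_S):
    """Return (record_id, skew_seconds) for pairs outside the tolerance.

    Each sample is (record_id, log_server_received, host_clock), both
    ISO 8601 strings with a UTC offset, read at the same instant.
    """
    findings = []
    for record_id, received, host in samples:
        t_log = datetime.fromisoformat(received)
        t_host = datetime.fromisoformat(host)
        if t_log.tzinfo is None or t_host.tzinfo is None:
            raise ValueError(f"{record_id}: timestamp lacks a UTC offset")
        skew = (t_log - t_host).total_seconds()  # offsets are normalized here
        if abs(skew) > tolerance:
            findings.append((record_id, skew))
    return findings

def ntp_findings(log_server_ntp, scope_ntp):
    """Return the names in scope whose NTP servers differ from the log server's."""
    expected = {s.lower().rstrip(".") for s in log_server_ntp}
    return sorted(name for name, servers in scope_ntp.items()
                  if {s.lower().rstrip(".") for s in servers} != expected)

# Constructed sample data (not from any real system).
SAMPLES = [
    ("rec-1", "2024-05-01T12:00:00.250+00:00", "2024-05-01T12:00:00.000+00:00"),
    ("rec-2", "2024-05-01T08:00:02.100-04:00", "2024-05-01T12:00:00.600+00:00"),
    ("rec-3", "2024-05-01T12:00:05.000+00:00", "2024-05-01T12:00:06.000+00:00"),
]
LOG_SERVER_NTP = ["ntp1.example.org"]
SCOPE_NTP = {
    "host": ["NTP1.example.org."],
    "fw-01": ["ntp1.example.org"],
    "sw-07": ["ntp2.example.net"],
}

if __name__ == "__main__":
    for rec, skew in skew_findings(SAMPLES):
        print(f"finding: {rec} skew {skew:+.3f}s exceeds {TOLERANCE_S}s")
    for name in ntp_findings(LOG_SERVER_NTP, SCOPE_NTP):
        print(f"finding: {name} does not use the log server's NTP source")
```

Timestamps without a UTC offset are rejected rather than compared, since a naive local time can hide or fake a skew of whole hours.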

Fix text

Configure the Central Log Server such that time stamps on the log records are synchronized to within one second of the host server. If NTP is configured within the Central Log Server application, verify it is configured to use the same NTP server as the host and devices within its scope of coverage.
