Configuring Security Audit Log Settings - Lexmark C54x Administrator's Manual

Managing devices remotely

Configuring security audit log settings

Note: This setting is available only in advanced‑security devices and in simple‑security devices with color LCD control
panels.
The security audit log lets administrators monitor security‑related events on a device, including failed user
authorization, successful administrator authentication, and Kerberos file uploads to a device. By default, security logs
are stored on the device, but may also be transmitted to a network syslog server for further processing or storage.
We recommend enabling audit in secure environments.
1
From the Embedded Web Server, click Settings > Security > Security Audit Log.
2
Select Enable Audit to activate security audit logging.
3
To use both remote syslog server and internal logging, type the IP address or host name of the Remote Syslog Server.
Then select Enable Remote Syslog to transmit log events to a network syslog server.
Note: Enable Remote Syslog is available only after an IP address or host name is entered.
4
Enter the Remote Syslog Port number used on the destination server. The default value is 514.
5
From the Remote Syslog Method menu, select one of the following:
•
Normal UDP—Send log messages and events using a lower‑priority transmission protocol.
•
Stunnel—If implemented on the destination server.
6
From the Remote Syslog Facility menu, select a facility code for events to be logged to on the destination server.
All events sent from the device are tagged with the same facility code to aid in sorting and filtering by network
monitoring or intrusion detection software.
Note: step 3 on page 30
7
From the "Severity of events to log" menu, select the priority level cutoff (0–7) for logging messages and events.
Note: The highest severity is 0, and the lowest is 7. The selected severity level and anything higher is logged. For
example, if you select 4 ‑ Warning, then severity levels 0–4 are logged.
8
Select Remote Syslog non‑logged events to send all events regardless of severity to the remote server.
9
In the "Admin's e‑mail address" field, type one or more e-mail addresses (separated by commas) to automatically
notify administrators of certain log events. Then select from the following options:
•
E‑mail log cleared alert—Indicates when the Delete Log button is clicked.
• E‑mail log wrapped alert—Indicates when the log becomes full and begins to overwrite the oldest entries.
•
Log full behavior—Provides a drop‑down list with two options:
–
Wrap over oldest entries
–
E‑mail log then delete all entries
•
E‑mail % full alert—Indicates when log storage space reaches a certain percentage of capacity.
• % full alert level (1–99%)—Sets how full the log must be before an alert is triggered.
•
E‑mail log exported alert—Indicates when the log file is exported.
•
E‑mail log settings changed alert—Indicates when the log settings are changed.
•
Log line endings—Sets how the log file terminates the end of each line. Select a line ending option from the
drop‑down menu.
• Digitally sign exports—Adds a digital signature to each exported log file.
through step 6 and step 8 are valid only if Remote Syslog is enabled.
30