17.5 Security Log

17.5.1 What is Security Log?

17.5.2 Events Recorded by the Security Log

17.5.3 Record Format of Security Log

17.5.4 Configuring Size of Security Log File

17.5.5 Commands for Security Log Feature

17.5.6 Autonomous Messages for Security Log

17.5.1 What is Security Log?

The security log provides the tools to establish an audit trail. If a security breach is suspected, the audit trail can be used to investigate whether, and how, the breach occurred.

The security log feature provides the capabilities needed to investigate unauthorized activities after they occur so that proper remedial action can be taken. The feature generates security logs and reports that help to establish audit trails.

The security log uses a circular recording mechanism (i.e., the oldest record is overwritten by the newest when the log file is full), and the administrator can retrieve, print, copy, and upload the security log (typically to an OS or some other facility for long-term storage).

17.5.2 Events Recorded by the Security Log

The security log records the following information or events:

  1. Invalid user authentication attempts, and the alarms/alerts generated by those attempts - EIUA

  2. Any unauthorized attempt to access resources, data, or transactions, or to initiate any process - EURA

  3. Details of changes made to a user's security profile and attributes - EUSP

  4. Details of changes made to the security profile and attributes associated with a channel or port - ECSP

  5. Details of changes made to the access rights associated with resources (i.e., the privileges a user and a channel/port need in order to access a resource) - ERSP

  6. Details of changes made to the NE/NS security configuration - ESCC

  7. Creation and modification of NE/NS resources performed via standard operations and maintenance procedures (this does not cover creations and modifications carried out offline) - ECMR

17.5.3 Record Format of Security Log

For each recorded event, the record in the security log includes at least the following:

  1. Date and time of the event

  2. User identification, including the associated terminal, port, network address, or communication device

  3. Type of event

  4. Names of the resources accessed

  5. Success or failure of the event

The security log keeps its records in a circular buffer. If the number of records exceeds UPSLG, an autonomous message is sent to the administrator.

17.5.4 Configuring Size of Security Log File

Follow the steps given below to configure the size of the security log:

  1. In the TL1Compiler, choose Project>>Settings from the menu bar, or use the shortcut key CNTRL+SHIFT+S.

  2. A dialog box appears with the Settings tree in its left frame.

  3. Choose the Security node in the Settings tree.

    Here you will find the option "Log File Size", with which you can modify the size of the security log file in number of records. The default size is 60 records.

17.5.5 Commands for Security Log Feature

The following input messages are implemented for the security log feature.

  1. ALW-LOG-SECU: This command can be used by the administrator to allow or permit the NE/NS to resume recording, in the security log, the events that were inhibited with the INH-LOG-SECU command.
    e.g. Request: ALW-LOG-SECU:::1::EIUA;

  2. INH-LOG-SECU: This command can be used by the administrator to inhibit the NE/NS from recording specified events in the security log. The events specified here must be from LOGEVENT, i.e., the list of events that are normally recorded in the security log. To annul this inhibit command and reinstate the normal condition, use the ALW-LOG-SECU command.
    e.g. Request: INH-LOG-SECU:::1::EIUA;

  3. RTRV-ATTR-SECULOG: This command is used by an appropriate administrator to retrieve the following attributes associated with the security log:
    i. The list of events that, upon their occurrence, are to be recorded in the security log (i.e., the events specified for logging, if they occur)
    ii. The WARN message
    iii. The value of UPSLG

    e.g. Request: RTRV-ATTR-SECULOG:::1:;

    e.g. Response for the request:

    Source 02-01-15 14:09:57
    M  1 COMPLD
    ":60,NOTICE: This is a private computer system.
    Unauthorised access or use may lead to prosecution\",\"ECSP ERSP ECMR EIUA EUSP ESCC
    EURA\""
    ;

  4. RTRV-AUDIT-SECULOG: This command can be used by the administrator to selectively retrieve various records from the security log (primarily for audit purposes).
    e.g. Request: RTRV-AUDIT-SECULOG:::4::CID=TCP;

    e.g. Response for the request:

    deviranir 2002-08-06 18:04:17
    M 4 COMPLD
    ":\"2002-8-6 15:59:23\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
    ":\"2002-8-6 15:59:24\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
    ":\"2002-8-6 15:59:24\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
    ;

    RSC, UID and LOGEVENT are the other parameters of the MPB of this command. They can be specified in any order.

  5. SET-ATTR-SECULOG: This command can be used by the administrator to set the attributes associated with security-related alarms (e.g., severity of alarm, alarm type, text of the alarm message, type of notification, and routing details).
    e.g. Requests:
    i.  SET-ATTR-SECULOG:::1::UPSLG=5;
    ii. SET-ATTR-SECULOG:::1::WARN="Unauthorized access or use may lead to prosecution";
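As an added example (not part of this manual or of the TL1 Agent), the Python below parses a RTRV-AUDIT-SECULOG response in the record format shown above and flags sources that repeat failed authentications (LOGEVENT=EIUA with STATUS=NO), the kind of check an administrator would run over a retrieved log. The sample response is constructed from the example in this section with one extra EURA record; the "M <ctag> COMPLD" completion line, the timestamp layout and the 3-attempts-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: the RTRV-AUDIT-SECULOG response shown in this section, plus
# one successful resource-access record (EURA) so both STATUS values appear.
SAMPLE_RESPONSE = r'''deviranir 2002-08-06 18:04:17
M 4 COMPLD
":\"2002-8-6 15:59:23\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
":\"2002-8-6 15:59:24\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
":\"2002-8-6 15:59:24\":LOGEVENT=EIUA,STATUS=NO,CID=TCP,UID=root"
":\"2002-8-6 16:02:10\":LOGEVENT=EURA,STATUS=YES,CID=TCP,UID=admin"
;'''
RECORD_RE = re.compile(r'^":\\"([^\\]+)\\":(.*)"$')       # ":\"<date time>\":K=V,K=V"
COMPLETION_RE = re.compile(r'^M\s+(\d+)\s+(COMPLD|DENY)$')  # "M <ctag> COMPLD" (assumed)
def parse_response(text):
    """Records of a RTRV-AUDIT-SECULOG response as dicts (K=V fields plus TIME)."""
    records, completed = [], False
    for line in text.splitlines():
        line = line.strip()
        m = COMPLETION_RE.match(line)
        if m:
            if m.group(2) != "COMPLD":
                raise ValueError(f"ctag {m.group(1)}: response was {m.group(2)}")
            completed = True
            continue
        m = RECORD_RE.match(line)
        if m and completed:  # ignores the header line and the ';' terminator
            fields = dict(kv.split("=", 1) for kv in m.group(2).split(","))
            fields["TIME"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            records.append(fields)
    return records

def failed_auth_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """(uid, cid, count) for sources with >= threshold EIUA/STATUS=NO records in one window."""
    times_by_source = defaultdict(list)
    for r in records:
        if r.get("LOGEVENT") == "EIUA" and r.get("STATUS") == "NO":
            times_by_source[(r.get("UID"), r.get("CID"))].append(r["TIME"])
    flagged = []
    for (uid, cid), times in times_by_source.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:  # first window that reaches the threshold
                flagged.append((uid, cid, j - i))
                break
    return sorted(flagged)
```

Run on the sample, the three failed root logins over TCP within one second are reported as a single burst, while the successful EURA record is ignored.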

17.5.6 Autonomous Messages for Security Log

The following security log related autonomous messages are generated by the TL1 Agent. They are sent only to administrator users.

  1. Security log 90 percent full: This autonomous message is sent when the security log file has reached 90 percent of its size. An example is shown below.

    Source 02-01-15 14:30:59
    ** 1 REPT ALM SECU
    "SECURITY LOG:CR,LOGBUFR90-SECULOG" ;

  2. Security log full: This autonomous message is sent when the security log file is completely full. An example is shown below.

    Source 02-01-15 14:28:09
    ** 2 REPT ALM SECU
    "SECURITY LOG:CR,LOGBUFROVFL-SECULOG";

Note: When the security log file is full, the record entries at the beginning of the file are overwritten.
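Added illustration (not from the manual) of the circular recording described in 17.5.3 together with the overflow alarms of 17.5.6: a small Python model using the default 60-record size, which assumes each alarm is raised once when its threshold is first reached, and shows how much of a burst of failed logins is still retrievable afterwards.

```python
from collections import deque

class SecurityLog:
    """Model of the circular security log: a fixed number of records (the
    TL1Compiler default is 60) with the oldest record overwritten once the
    file is full. Assumption of this model, not stated in the manual: each
    alarm is raised once, when the fill level first reaches its threshold."""

    def __init__(self, size=60):
        self.size = size
        self.records = deque(maxlen=size)   # deque drops the oldest entry itself
        self.written = 0                     # every record written, kept or not
        self._raised = set()

    def append(self, record):
        """Store one record; return the autonomous messages this write triggers."""
        self.records.append(record)
        self.written += 1
        messages = []
        for threshold, cond in (((self.size * 9) // 10, "LOGBUFR90-SECULOG"),
                                (self.size, "LOGBUFROVFL-SECULOG")):
            if len(self.records) >= threshold and cond not in self._raised:
                self._raised.add(cond)
                messages.append(f'REPT ALM SECU "SECURITY LOG:CR,{cond}"')
        return messages

    def overwritten(self):
        """Records lost to the circular overwrite and no longer retrievable."""
        return max(0, self.written - self.size)

    def retained(self):
        """Oldest and newest record still retrievable with RTRV-AUDIT-SECULOG."""
        return (self.records[0], self.records[-1]) if self.records else None

def simulate_burst(size=60, burst=200):
    """Feed `burst` constructed failed-authentication records into a log of
    `size` records; report which alarms fired (and after how many records),
    how many records were lost, and what evidence survives for a later audit."""
    log = SecurityLog(size)
    fired = {}
    for i in range(burst):
        for msg in log.append(f"EIUA#{i}"):
            fired[msg] = i + 1
    return {"alarms": fired, "lost": log.overwritten(), "retained": log.retained()}
```

With the default size, a burst of 200 failed logins raises the 90-percent alarm at record 54 and the overflow alarm at record 60, and only the last 60 records remain for retrieval; the 90-percent message is the administrator's cue to upload the log before the first records are overwritten.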

Copyright © 2009, ZOHO Corp. All Rights Reserved.