Centralized Security Logging Infrastructure (CSLI)

CSLI requirements

CSLI appliance will run on ESXi 5.0 or later (could be converted to run under VMWare Workstation/Player)

CSLI Minimal requirements are: 1 vCPU and 2 GB of RAM

CSLI preconfiguration

Login to the VM console: User:root; Password:csli
Change the IP parameters (address, netmask, gateway and DNS settings) of the eth0 interface: vi /etc/network/interfaces
Change the host name: vi /etc/hosts; vi /etc/hostname
Change the timezone (default TimeZone is EST): dpkg-reconfigure tzdata
Change the timezone for CSLI: vi /var/www/html/config/config.php
Allow CSLI instance to access the NTP servers through your Firewall (instance is configured to work with rhel.pool.ntp.org) OR alternatively point ntp.conf to your local NTP server: vi /etc/ntp.conf
Allow CSLI instance to access the WHOIS servers through your Firewall (port tcp 43). Destinations are defined in the phpwhois project (http://sourceforge.net/projects/phpwhois/)
Reboot the VM instance: reboot

CSLI devices configuration

ASA devices (local4 is default for ASA devices): logging enable; logging timestamp; logging buffered warnings; logging trap warnings; logging host YOUR_INSIDE_INTERFACE CSLI_IP_ADDRESS (Example: logging host INSIDE 192.168.80.200)
IOS devices (local7 is default for IOS devices): service timestamps debug datetime msec localtime show-timezone; service timestamps log datetime localtime year; logging source-interface YOUR_INTERNAL_INTERFACE; logging CSLI_IP_ADDRESS
SRX devices (local6 is default for SRX devices): set system syslog user * any emergency; set system syslog host CSLI_IP_ADDRESS any any; set system syslog host CSLI_IP_ADDRESS match RT_FLOW_SESSION; set system syslog host CSLI_IP_ADDRESS facility-override local6; set system syslog host CSLI_IP_ADDRESS source-address YOUR_INTERNAL_INTERFACE

CSLI instance configuration

Define the monitored devices in the Web GUI "Devices" to enable the filter option: http://csli/devices.php
Complete the e-mail properties in the Web GUI "Options->Global Settings" to enable e-mail notifications (Critical Alerts): http://csli/gsettings.php
Define the active Tracker, Audit and VPN DB threshold for better performance in the Web GUI "Options->Global Settings": http://csli/gsettings.php

Security Note

There are no authentication or access control mechanisms in CSLI. It is assumed, that an existing authentication approach will be utilized for CSLI (basic or LDAP authentication could be configured for Apache) as well as host level security for proper IP addresses filtering.