A useful feature of CBAC is its ability to generate alerts and
audit trails. This makes monitoring and tracking pre-defined security events
much more efficient and effective. The alert and audit trail process works as
follows:
- CBAC generates real-time alerts and audit trails based on events tracked by
the firewall, including illegitimate access attempts, and inbound and outbound
services.
- Enhanced audit trail features use Syslog to track all network transactions,
while recording time stamps, source host, destination host, ports used, and the
total number of transmitted bytes for advanced, session-based reporting.
- Real-time alerts send Syslog error messages to central management consoles
upon detecting suspicious activity.
Note that when using CBAC inspection rules, it is possible to configure
alerts and audit trail information on a per-application protocol basis. For
example, to generate audit trail information for HTTP traffic, simply specify
that in the CBAC rule covering HTTP inspection.
Enabling Alerts and Audit Trails
To disable CBAC alert messages, which are displayed on the console, use the
ip inspect alert-off command in global configuration mode. To enable CBAC
alert messages, use the no form of this command.
ip inspect alert-off
no ip inspect alert-off
To turn on CBAC audit trail messages, which are displayed on the console
after each CBAC session closes, use the ip inspect audit-trail command in
global configuration mode. Use the no form of this command to turn off CBAC
audit trail messages.
ip inspect audit-trail
no ip inspect audit-trail
The syntax for the ip inspect audit-trail and the
ip inspect alert-off commands is shown in Figure
.
No other arguments or keywords are used with either command.
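As an added example (not part of the original page), the following IOS
configuration combines the two global commands with the per-protocol alert and
audit-trail options on an inspection rule, and forwards the resulting messages
to a central syslog server. The rule name FWOUT, the interface
FastEthernet0/1, and the server address 192.0.2.10 are hypothetical.

```cisco
! Added example; FWOUT, FastEthernet0/1 and 192.0.2.10 are hypothetical values.
!
! Global defaults: audit trail on, alerts on (the "no" form of alert-off).
ip inspect audit-trail
no ip inspect alert-off
!
! Per-protocol options on the inspection rule override the global settings.
! Here HTTP and SMTP sessions are audited, FTP sessions are not.
ip inspect name FWOUT http alert on audit-trail on
ip inspect name FWOUT smtp alert on audit-trail on
ip inspect name FWOUT ftp alert on audit-trail off
!
! Entries without alert/audit-trail options follow the global settings.
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
!
! Apply the rule to sessions initiated out through this interface.
interface FastEthernet0/1
 ip inspect FWOUT out
!
! Forward messages to the central syslog console with time stamps.
! Audit-trail messages are logged at the informational level (6), so the
! trap level must include level 6 or they never reach the server.
service timestamps log datetime msec
logging on
logging trap informational
logging 192.0.2.10
```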