centos7:4:2:2:5

4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts (Not Scored)

Profile Applicability

Level 1 - Server 
Level 1 - Workstation

Description

By default, syslog-ng does not listen for log messages coming in from remote systems.

Rationale

The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location.

Audit

Review the /etc/syslog-ng/syslog-ng.conf file and verify the following lines are configured appropriately on designated log hosts: 

source net{ tcp(); }; 
destination remote { file("/var/log/remote/${FULLHOST}-log"); }; 
log { source(net); destination(remote); };

Remediation

On designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and configure the following lines are appropriately: 

source net{ tcp(); }; 
destination remote { file("/var/log/remote/${FULLHOST}-log"); }; 
log { source(net); destination(remote); };

On non designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any sources that accept network sourced log messages.
Run the following command to restart syslog-ng: 

# pkill -HUP syslog-ng

References

See the rsyslog(8) man page for more information.

  • centos7/4/2/2/5.txt
  • Last modified: 2017/05/04 18:22
  • by Piotr Kłoczewski