4.2.1.2 Ensure logging is configured (Not Scored)

Level 1 - Server 
Level 1 - Workstation

The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. In addition, run the following command and verify that the log files are being written to:

# ls -l /var/log/

Edit the following lines in the /etc/rsyslog.conf file as appropriate for your environment:

*.emerg                  :omusrmsg:* 
mail.*                  -/var/log/mail 
mail.info               -/var/log/mail.info 
mail.warning            -/var/log/mail.warn 
mail.err                 /var/log/mail.err 
news.crit               -/var/log/news/news.crit 
news.err                -/var/log/news/news.err 
news.notice             -/var/log/news/news.notice 
*.=warning;*.=err       -/var/log/warn 
*.crit                   /var/log/warn 
*.*;mail.none;news.none -/var/log/messages 
local0,local1.*         -/var/log/localmessages 
local2,local3.*         -/var/log/localmessages 
local4,local5.*         -/var/log/localmessages 
local6,local7.*         -/var/log/localmessages

Run the following command to restart rsyslogd:

# pkill -HUP rsyslogd

See the rsyslog.conf(5) man page for more information.
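
An added example, not part of the benchmark text: a shell helper for the audit step above that extracts the file targets from the selector lines of an rsyslog configuration file and reports which of them are missing or empty. The function names and the optional root-prefix argument are assumptions made for this illustration; an empty file is only a prompt for review, since a facility may simply have produced no messages yet.

```shell
#!/bin/sh
# Added example: audit helper, not taken from the benchmark.

# Print the unique file targets of the selector lines in an
# rsyslog.conf-style file. Only traditional "selector action" rules with a
# file action are handled; the leading "-" (no sync after each write) is
# stripped from the path. Paths containing whitespace are not supported.
rsyslog_file_targets() {
    awk '
        NF < 2 || $1 ~ /^[#$]/ { next }      # blanks, comments, $ directives
        $1 ~ /\./ && $2 ~ /^-?\// {          # facility.priority + file action
            path = $2
            sub(/^-/, "", path)
            if (!seen[path]++) print path
        }' "$1"
}

# Check every target of CONF, optionally below a root prefix (hypothetical
# second argument, so the check can also run against a constructed tree).
# Prints one status line per target; returns 1 if any target is missing or
# empty and therefore needs review, 0 otherwise.
audit_rsyslog_logs() {
    conf=$1
    root=${2:-}
    rc=0
    for path in $(rsyslog_file_targets "$conf"); do
        if [ ! -e "$root$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ ! -s "$root$path" ]; then
            echo "EMPTY   $path"; rc=1
        else
            echo "OK      $path"
        fi
    done
    return $rc
}
```

After sourcing the file, call it as audit_rsyslog_logs /etc/rsyslog.conf; rules that use a non-file action such as :omusrmsg:* are skipped because they have no log file to check.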

  • Last modified: 2017/05/03 00:24
  • by Piotr Kłoczewski