4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored))

Level 1 - Server 
Level 1 - Workstation

The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Review the /etc/rsyslog.conf file and verify that logs are sent to a central host (where loghost.example.com is the name of your central log host):

# grep "^*.*[^I][^I]*@" /etc/rsyslog.conf 
*.* @@loghost.example.com

Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host).

*.* @@loghost.example.com

Run the following command to restart rsyslog:

# pkill -HUP rsyslogd

See the rsyslog.conf(5) man page for more information.

The double “at” sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.