4.2.1.4 Ensure rsyslog is configured to send logs to a remote log host (Scored)
Profile Applicability
Level 1 - Server
Level 1 - Workstation
Description
The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.
Rationale
Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
Audit
Review the /etc/rsyslog.conf file and verify that logs are sent to a central host (where loghost.example.com is the name of your central log host):
# grep "^*.*[^I][^I]*@" /etc/rsyslog.conf
*.* @@loghost.example.com
Remediation
Edit the /etc/rsyslog.conf file and add the following line (where loghost.example.com is the name of your central log host):
*.* @@loghost.example.com
Run the following command to restart rsyslog:
# pkill -HUP rsyslogd
References
See the rsyslog.conf(5) man page for more information.
Notes
The double "at" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.
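As an added example (not part of the benchmark text), the shell function below applies the Audit and Notes above to a config file: it looks for the legacy catch-all selector "*.*" and reports whether it forwards over TCP (@@), UDP (@) or not at all. The sample files and loghost.example.com are constructed placeholders; the RainerScript action() syntax is not covered.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark: audit an rsyslog.conf-style file
# for a catch-all remote forwarding rule and report the transport it uses.
# loghost.example.com and the sample files below are constructed placeholders.

# Print "tcp", "udp" or "none" depending on how "*.*" is forwarded in $1.
# Only the legacy selector syntax ("*.* @@host" / "*.* @host") is checked;
# commented-out lines do not match because of the leading-anchor pattern.
remote_log_transport() {
    conf="$1"
    if grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@@' "$conf"; then
        echo tcp          # double @ = TCP, the setting the benchmark requires
    elif grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@[^@]' "$conf"; then
        echo udp          # single @ = UDP, forwards but over the less reliable transport
    else
        echo none         # no catch-all remote forwarding rule found
    fi
}

# Constructed sample configs for demonstration, written to a temp directory.
tmp=$(mktemp -d)
cat > "$tmp/tcp.conf" <<'EOF'
# constructed sample: compliant, TCP forwarding
*.emerg :omusrmsg:*
*.* @@loghost.example.com
EOF
cat > "$tmp/udp.conf" <<'EOF'
# constructed sample: forwards, but over UDP
*.* @loghost.example.com:514
EOF
cat > "$tmp/local.conf" <<'EOF'
# constructed sample: no active remote host (rule is commented out)
# *.* @@loghost.example.com
*.info;mail.none /var/log/messages
EOF

for f in tcp udp local; do
    printf '%s: %s\n' "$f.conf" "$(remote_log_transport "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

Run it against the real file with remote_log_transport /etc/rsyslog.conf; anything other than "tcp" means the control is not met as written.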