4.2.2.2 Ensure logging is configured (Not Scored)

Level 1 - Server 
Level 1 - Workstation

The /etc/syslog-ng/syslog-ng.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

A great deal of important security-related information is sent via syslog-ng (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Review the contents of the /etc/syslog-ng/syslog-ng.conf file to ensure appropriate logging is set. In addition, run the following command and ensure that the log files are logging information:

# ls -l /var/log/

Edit the log lines in the /etc/syslog-ng/syslog-ng.conf file as appropriate for your environment:

log { source(src); source(chroots); filter(f_console); destination(console); };
log { source(src); source(chroots); filter(f_console); destination(xconsole); };
log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); };
log { source(src); source(chroots); filter(f_newserr); destination(newserr); };
log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); };
log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };
log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); };
log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); };
log { source(src); source(chroots); filter(f_mail); destination(mail); };
log { source(src); source(chroots); filter(f_acpid); destination(acpid);
flags(final); };
log { source(src); source(chroots); filter(f_acpid_full); destination(devnull);
flags(final); };
log { source(src); source(chroots); filter(f_acpid_old); destination(acpid);
flags(final); };
log { source(src); source(chroots); filter(f_netmgm); destination(netmgm);
flags(final); };
log { source(src); source(chroots); filter(f_local); destination(localmessages); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };

Run the following command to restart syslog-ng:

# pkill -HUP syslog-ng

See the syslog-ng man page for more information.

  • ubuntu1604/4/2/2/2.txt
  • Last modified: 2017/05/03 01:12
  • by Piotr Kłoczewski