Detections
Analytics

4.2.3.2 Ensure logging is configured

Information

The /etc/syslog-ng/syslog-ng.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

Rationale:

A great deal of important security-related information is sent via syslog-ng (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the log lines in the /etc/syslog-ng/syslog-ng.conf file as appropriate for your environment:

log { source(src); source(chroots); filter(f_console); destination(console); };
log { source(src); source(chroots); filter(f_console); destination(xconsole); };
log { source(src); source(chroots); filter(f_newscrit); destination(newscrit); };
log { source(src); source(chroots); filter(f_newserr); destination(newserr); };
log { source(src); source(chroots); filter(f_newsnotice); destination(newsnotice); };
log { source(src); source(chroots); filter(f_mailinfo); destination(mailinfo); };
log { source(src); source(chroots); filter(f_mailwarn); destination(mailwarn); };
log { source(src); source(chroots); filter(f_mailerr); destination(mailerr); };
log { source(src); source(chroots); filter(f_mail); destination(mail); };
log { source(src); source(chroots); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); source(chroots); filter(f_acpid_full); destination(devnull); flags(final); };
log { source(src); source(chroots); filter(f_acpid_old); destination(acpid); flags(final); };
log { source(src); source(chroots); filter(f_netmgm); destination(netmgm); flags(final); };
log { source(src); source(chroots); filter(f_local); destination(localmessages); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };

Run the following command to reload the syslog-ng configuration:

# pkill -HUP syslog-ng

References:

See the syslog-ng man page for more information.

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 3302ff3a25d78914c6890a50e532406d26cd83262fc887816091d08b9e2a19ff