5.1.1.6 Ensure rsyslog is configured to send logs to a remote log host

Information

RSyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Solution

Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.

*.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="LinkedList" queue.size="1000")

Run the following command to reload the rsyslogd configuration:

# systemctl restart rsyslog

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: a78a54ab7033ae1e1ca7c227adf23d7d36b524e45eaeb2f81e8060db50d5a194