4.2.2.4 Ensure syslog-ng is configured to send logs to a remote log host - destination logserver

Information

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system

Solution

Edit the /etc/syslog-ng/syslog-ng.conf file and add the following lines (where logfile.example.com is the name of your central log host).
destination logserver { tcp("logfile.example.com" port(514)); };
log { source(src); destination(logserver); };

Run the following command to reload the syslog-ng configuration: # pkill -HUP syslog-ng

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CSCv6|6.6

Plugin: Unix

Control ID: 416aede3b4464ac3bf1442354e127573dad6edd641f15039049e9666675ca6af