6.1.3.6 Ensure rsyslog is configured to send logs to a remote log host

Information

rsyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Solution

Edit the rsyslog configuration and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.

Example script to create a drop-in configuration file:

#!/usr/bin/env bash

{
a_parameters=('*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"'
' action.resumeRetryCount="100"' ' queue.type="LinkedList" queue.size="1000")')
[ ! -d "/etc/rsyslog.d/" ] && mkdir /etc/rsyslod.d/
printf '%s
' "" "${a_parameters[@]}" >> /etc/rsyslog.d/60-rsyslog.conf
}

Run the following command to reload rsyslog.service :

# systemctl reload-or-restart rsyslog.service

See Also

https://workbench.cisecurity.org/benchmarks/18960