8.2.3 Configure /etc/rsyslog.conf - 'mail.err /var/log/mail.err'

Information

The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages. A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for yourenvironment- *.emerg -omusrmsg-*mail.* -/var/log/mailmail.info -/var/log/mail.infomail.warning -/var/log/mail.warnmail.err /var/log/mail.errnews.crit -/var/log/news/news.critnews.err -/var/log/news/news.errnews.notice -/var/log/news/news.notice*.=warning;*.=err -/var/log/warn*.crit /var/log/warn*.*;mail.none;news.none -/var/log/messageslocal0,local1.* -/var/log/localmessageslocal2,local3.* -/var/log/localmessageslocal4,local5.* -/var/log/localmessageslocal6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd

See Also

https://workbench.cisecurity.org/files/85

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2)

Plugin: Unix

Control ID: 9d868660a785071076a3ca5301234bb0926f5522aae3d50aad566ca079ffeb9a