4.2.2.5 Ensure remote syslog-ng messages are only accepted on designated log hosts

Information

By default, syslog-ng does not listen for log messages coming in from remote systems.

Rationale:

The guidance in the section ensures that remote log hosts are configured to only accept syslog-ng data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote syslog-ng messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location.

Solution

On designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and configure the following lines are appropriately:

source net{ tcp(); };
destination remote { file('/var/log/remote/${FULLHOST}-log'); };
log { source(net); destination(remote); };

On non designated log hosts edit the /etc/syslog-ng/syslog-ng.conf file and remove or edit any sources that accept network sourced log messages.
Run the following command to reload the syslog-ng configuration:

# pkill -HUP syslog-ng

See Also

https://workbench.cisecurity.org/files/3399

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-1, 800-53|AU-2, 800-53|AU-6(3), CSCv7|9.2

Plugin: Unix

Control ID: 8ceff76f0f060a1ab35725a6f0a381ec40d41604ef86f285cbb2f55d6ce1c6e2