4.2.2.1.2 Ensure systemd-journal-remote is configured

Information

Journald (via systemd-journal-remote ) supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralised log management.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Solution

Edit the /etc/systemd/journal-upload.conf file and ensure the following lines are set per your environment:

URL=192.168.50.42
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/trusted.pem

Restart the service:

# systemctl restart systemd-journal-upload

See Also

https://workbench.cisecurity.org/files/3796