3.6 Ensure access logs are sent to a remote syslog server

Information

Centralized log management helps ensure logs are forensically sound and are available at a central location for auditing and incident investigation.

Rationale:

A centralized logging solution aggregates logs from multiple systems to ensure logs can be referenced in the event systems are thought to be compromised. Centralized log servers are also often used to correlate logs for potential patterns of attack. If a centralized logging solution is not used and systems (and their logs) are believed to be compromised, then logs may not be permitted to be used as evidence.

Solution

To enable central logging for your access logs, add the below line to your server block in your server configuration file. 192.168.2.1 should be replaced with the location of your central log server. The local logging facility may be changed to any unconfigured facility on your server.

access_log syslog:server=192.168.2.1,facility=local7,tag=nginx,severity=info combined;

Default Value:

Syslog is not set up by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6(3), CSCv7|6.5

Plugin: Unix

Control ID: e045a7a1d4ba28bde293b650643b3fb962d8f87db4f02d1297c02d9c10ffb0cc