6.2.3.6 Ensure rsyslog is configured to send logs to a remote log host

Information

rsyslog supports the ability to send log events it gathers to a remote log host or to receive messages from remote hosts, thus enabling centralized log management.

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.

Note: This recommendation only applies if rsyslog is the chosen method for client side logging. Do not apply this recommendation if systemd-journald is used.

Solution

Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.

Example:

*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="LinkedList" queue.size="1000")

Run the following command to reload rsyslog.service :

# systemctl reload-or-restart rsyslog.service

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: 2dbc63a7edf188324a34327ffe84246affb83f8b583b54167f05da0430392cff