3.1.11 Ensure syslog messages are not suppressed

Information

When PostgreSQL logs to Syslog and syslog_sequence_numbers is on, each message is prefixed by an increasing sequence number (such as [2]).

Rationale:

Many modern Syslog implementations perform a log optimization and suppress repeated log entries while emitting '--- last message repeated N times ---'. Because the sequence number makes every message distinct, turning it on circumvents this suppression. In more modern Syslog implementations, repeated message suppression can be configured (for example, $RepeatedMsgReduction in rsyslog).

Impact:

If syslog_sequence_numbers is disabled, messages sent to Syslog could be suppressed and not logged. Although a message is emitted stating that a given message was repeated and suppressed, the timestamps of the suppressed messages are lost, potentially damaging the recreation of an incident timeline.

Solution

Execute the following SQL statement(s) to remediate this setting:

postgres=# alter system set syslog_sequence_numbers = 'on';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)
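
A log-side check to go with the setting, as an added example that is not part of the benchmark or of PostgreSQL: it scans syslog text for the repeated-message marker, for PostgreSQL lines that lack a sequence prefix, and for per-process jumps in the sequence number. The sample lines are constructed, and the prefix forms [N] and [N-M] (M being the chunk of a split message), with numbering kept per backend process, are assumptions of the example.

```python
import re

# Constructed sample syslog lines (not taken from a real host).
SAMPLE = """\
Jan 10 12:00:01 db1 postgres[4111]: [1] LOG:  connection authorized: user=app
Jan 10 12:00:02 db1 postgres[4111]: [2] ERROR:  permission denied for table accounts
Jan 10 12:00:02 db1 postgres[4111]: [5] ERROR:  permission denied for table accounts
Jan 10 12:00:03 db1 postgres[4200]: [1-1] ERROR:  relation missing_tbl does not exist
Jan 10 12:00:03 db1 postgres[4200]: [1-2] STATEMENT:  select * from missing_tbl
Jan 10 12:00:04 db1 postgres[4200]: [2] LOG:  disconnection: session time: 0:00:01
Jan 10 12:00:05 db1 postgres[4300]: LOG:  checkpoint starting: time
Jan 10 12:00:06 db1 last message repeated 3 times
"""

# Assumed line shape: "postgres[PID]: [SEQ] msg" or "postgres[PID]: [SEQ-CHUNK] msg".
PG_LINE = re.compile(
    r"postgres\[(?P<pid>\d+)\]: (?:\[(?P<seq>\d+)(?:-(?P<chunk>\d+))?\] )?(?P<msg>.*)"
)
# Marker written by the syslog daemon when it collapses identical messages.
REPEATED = re.compile(r"last message repeated (\d+) times?")


def audit(text):
    """Return evidence that messages were suppressed or lost."""
    findings = {"gaps": [], "unsequenced": [], "suppressed": 0}
    last_seq = {}  # pid -> last sequence number seen (assumed per process)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PG_LINE.search(line)
        if m is None:
            # Not a PostgreSQL line: check for the daemon's suppression marker.
            rep = REPEATED.search(line)
            if rep:
                findings["suppressed"] += int(rep.group(1))
            continue
        if m.group("seq") is None:
            # No sequence prefix: syslog_sequence_numbers is likely off.
            findings["unsequenced"].append(lineno)
            continue
        pid, seq = int(m.group("pid")), int(m.group("seq"))
        prev = last_seq.get(pid)
        # Chunks of one split message share a number; a jump > 1 is a gap.
        if prev is not None and seq > prev + 1:
            findings["gaps"].append((pid, prev, seq))
        last_seq[pid] = seq
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```
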

Default Value:

on

See Also

https://workbench.cisecurity.org/benchmarks/11861

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4

Plugin: PostgreSQLDB

Control ID: 79a31a35309e73ea859d7604d5a94a5573b92abf57dddc91c167f749b4f73394