5.2.3 Configure /etc/rsyslog.conf - syslog /var/log/syslog

Information

The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages.

Rationale:

A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the /etc/rsyslog.conf file as appropriate for your environment:

auth,user.* /var/log/messages
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log

Run the following command as root (the leading # is the root shell prompt) to restart rsyslogd so it picks up the new rules:

# pkill -HUP rsyslogd
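An audit check for the five rules listed above, added here as an example; it is not part of the CIS benchmark or the Tenable plugin. It assumes a POSIX shell with awk and runs against constructed sample files rather than the live /etc/rsyslog.conf, so it can be tried safely before being pointed at a real host.

```shell
# Audit helper: verify that an rsyslog.conf carries the five logging rules
# from the solution text. Selector and target are matched exactly; a leading
# "-" on the target (asynchronous write) is accepted as the same file.
EXPECTED_RULES='auth,user.* /var/log/messages
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log'

# check_rsyslog_rules CONF: print "MISSING: <selector> <target>" for every
# expected rule absent from CONF; return 0 if all present, 1 otherwise.
check_rsyslog_rules() {
    conf="$1"
    rc=0
    while read -r selector target; do
        [ -n "$selector" ] || continue
        if ! awk -v sel="$selector" -v tgt="$target" '
                /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
                { t = $2; sub(/^-/, "", t) }        # "-/path" is the same file, written asynchronously
                $1 == sel && t == tgt { found = 1 }
                END { exit found ? 0 : 1 }' "$conf"; then
            echo "MISSING: $selector $target"
            rc=1
        fi
    done <<EOF
$EXPECTED_RULES
EOF
    return $rc
}

# Constructed sample files (not real system configs) to exercise the check.
TMPD=$(mktemp -d)
cat > "$TMPD/good.conf" <<'EOF'
# compliant: all five rules present, kern.log written asynchronously
auth,user.*   /var/log/messages
kern.*        -/var/log/kern.log
daemon.*      /var/log/daemon.log
syslog.*      /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*  /var/log/unused.log
EOF
cat > "$TMPD/bad.conf" <<'EOF'
# non-compliant: kern.* and syslog.* rules are missing
auth,user.*   /var/log/messages
daemon.*      /var/log/daemon.log
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.*  /var/log/unused.log
EOF
check_rsyslog_rules "$TMPD/good.conf" && echo "good.conf: PASS"
check_rsyslog_rules "$TMPD/bad.conf" || echo "bad.conf: FAIL"
```

To audit a real host, call check_rsyslog_rules /etc/rsyslog.conf; rules kept in /etc/rsyslog.d/*.conf would need to be concatenated first, since this check reads a single file.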

Default Value:

OS Default: No

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|6.3

Plugin: Unix

Control ID: 0285dfb36be889750be117f025b4c3c52e7db38aeacbd2546aa6a1edd76e93ad