4.2.1.4 Ensure logging is configured

Information

The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files specifies rules for logging and which files are to be used to log certain classes of messages.

Rationale:

A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files as appropriate for your environment.
NOTE: The below configuration is shown for example purposes only. Due care should be given to how the organization wish to store log data.

*.emerg :omusrmsg:*

auth,authpriv.* /var/log/secure

mail.* -/var/log/mail

mail.info -/var/log/mail.info

mail.warning -/var/log/mail.warn

mail.err /var/log/mail.err

cron.* /var/log/cron

*.=warning;*.=err -/var/log/warn

*.crit /var/log/warn

*.*;mail.none;news.none -/var/log/messages

local0,local1.* -/var/log/localmessages

local2,local3.* -/var/log/localmessages

local4,local5.* -/var/log/localmessages

local6,local7.* -/var/log/localmessages


Run the following command to reload the rsyslogd configuration:

# systemctl restart rsyslog

See Also

https://workbench.cisecurity.org/files/3636