6.2.3.3 Ensure journald is configured to send logs to rsyslog

Information

Data from systemd-journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald logs; however, use of the rsyslog service provides a consistent means of log collection and export.

- IF - rsyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing.

Solution

- IF - rsyslog is the preferred method for capturing logs:

Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf :

ForwardToSyslog=yes

Example:

#!/usr/bin/env bash

{
# Create the drop-in directory if it does not exist yet.
[ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
# If the drop-in already has a [Journal] section, append the key to it; otherwise create the section first.
if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
printf '%s\n' "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
else
printf '%s\n' "[Journal]" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
fi
}

Note: Drop-in files are read in lexical order after /etc/systemd/journald.conf. If ForwardToSyslog also appears in a canonically later file, or later in the same file, that later value overrides this one.

Run the following command to apply the new parameter to the service (restarts or reloads systemd-journald.service):

# systemctl reload-or-restart systemd-journald.service
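The Note above is the part practitioners most often get wrong: the remediation drop-in can be silently overridden by a later file. The script below is an added audit helper, not part of the benchmark text or the benchmark's own remediation script. It resolves the value journald would actually use by applying the precedence the Note describes (main file first, then drop-ins in C-locale lexical order, last assignment under [Journal] wins) and exercises it against constructed sample files in a temporary directory. Function names (journal_key_value, effective_forward_to_syslog, audit_forward_to_syslog, demo_case) are hypothetical, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark). Resolves the effective
# ForwardToSyslog value under journald's drop-in precedence rules.
# Assumption: main file is read first, then *.conf drop-ins in lexical
# (C-locale) order; the last assignment under a [Journal] section wins.
export LC_ALL=C

# journal_key_value FILE: print the last ForwardToSyslog= value found under a
# [Journal] section of FILE, or nothing if the file does not set it.
# An empty assignment (ForwardToSyslog=) is treated as "not set" here; this is
# a simplification of systemd's "reset to default" semantics.
journal_key_value() {
    awk -F= '
        # A line beginning with "[" opens a new section; track whether it is [Journal].
        /^[[:space:]]*\[/ { in_journal = ($0 ~ /^[[:space:]]*\[Journal\][[:space:]]*$/); next }
        # Commented-out lines (#ForwardToSyslog=yes) do not match: $1 starts with "#".
        in_journal && $1 ~ /^[[:space:]]*ForwardToSyslog[[:space:]]*$/ {
            val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# effective_forward_to_syslog MAIN_CONF DROPIN_DIR: print the winning value,
# or "unset" when no file sets the key.
effective_forward_to_syslog() {
    value="unset"
    if [ -f "$1" ]; then
        v=$(journal_key_value "$1")
        [ -n "$v" ] && value="$v"
    fi
    # The shell expands the glob in collation order; with LC_ALL=C that is the
    # canonical order, so a later file overrides an earlier one.
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        v=$(journal_key_value "$f")
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# audit_forward_to_syslog MAIN_CONF DROPIN_DIR: return 0 (pass) only when the
# effective value is "yes", which is what this recommendation requires.
audit_forward_to_syslog() {
    [ "$(effective_forward_to_syslog "$1" "$2")" = "yes" ]
}

# Constructed scenario (sample files, not taken from any real host): the stock
# main file leaves the key commented out, the remediation drop-in enables it,
# and, when $1 is non-empty, a canonically later drop-in sets it to $1.
demo_case() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/journald.conf.d"
    printf '%s\n' '[Journal]' '#ForwardToSyslog=yes' > "$tmp/journald.conf"
    printf '%s\n' '[Journal]' 'ForwardToSyslog=yes' > "$tmp/journald.conf.d/60-journald.conf"
    if [ -n "$1" ]; then
        printf '%s\n' '[Journal]' "ForwardToSyslog=$1" > "$tmp/journald.conf.d/70-site.conf"
    fi
    effective_forward_to_syslog "$tmp/journald.conf" "$tmp/journald.conf.d"
    rm -rf "$tmp"
}

demo_remediated() { demo_case ""; }    # -> yes
demo_overridden() { demo_case "no"; }  # -> no (the later drop-in wins)

echo "remediated host: $(demo_remediated)"
echo "overridden host: $(demo_overridden)"
```

On a live system the same check is `effective_forward_to_syslog /etc/systemd/journald.conf /etc/systemd/journald.conf.d`. Two caveats: systemd also reads drop-ins from /run/systemd/journald.conf.d/ and /usr/lib/systemd/journald.conf.d/, which this helper does not scan, and `systemd-analyze cat-config systemd/journald.conf` shows the merged files in the order they are applied but leaves working out the winning value to the reader.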

Impact:

- IF - Journald is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure Journald" section followed.

See Also

https://workbench.cisecurity.org/benchmarks/18211