8.2.3 Configure /etc/rsyslog.conf - local6,local7.* -/var/log/localmessages

Information

The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log
certain classes of messages.

Rationale

A great deal of important security-related information is sent via rsyslog (e.g., successful
and failed su attempts, failed login attempts, root login attempts, etc.).

Solution

Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment:
*.emerg :omusrmsg:*
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

Execute the following command to restart rsyslogd:
# pkill -HUP rsyslogd
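
An audit-side check for the localN rules listed above, as an added example that is not part of the benchmark text. The function names and the sample file are assumptions; rules are matched literally after whitespace normalization, so an equivalent rule written with a different selector syntax is reported as missing.

```shell
#!/bin/sh
# Added example: report which of the localN rules from the Solution section
# are absent from the given rsyslog config files. Names are illustrative.

REQUIRED_RULES='local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages'

# Strip comments and blank lines, collapse runs of spaces/tabs to one space.
normalize_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$@" 2>/dev/null | sed '/^$/d'
}

# Print each required rule that is not active; return 1 if any is missing.
missing_rules() {
    active=$(normalize_rules "$@")
    rc=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$active" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
            rc=1
        fi
    done <<EOF
$REQUIRED_RULES
EOF
    return $rc
}

# Constructed sample: one rule uses tabs, one is commented out.
sample=$(mktemp)
printf '%s\n' \
    '*.*;mail.none;news.none -/var/log/messages' \
    'local0,local1.*    -/var/log/localmessages' \
    'local4,local5.* -/var/log/localmessages' \
    '#local6,local7.* -/var/log/localmessages' > "$sample"
printf 'local2,local3.*\t\t-/var/log/localmessages\n' >> "$sample"

if missing_rules "$sample"; then
    echo "PASS: all localN rules present"
else
    echo "FAIL: the rules listed above are missing"
fi
rm -f "$sample"
# On a real host: missing_rules /etc/rsyslog.conf /etc/rsyslog.d/*
```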

See Also

https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_12.04_LTS_Server_Benchmark_v1.1.0.pdf