Information
The rsyslog configuration files specify rules for logging and which files are to be used to log certain classes of messages.
A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.).
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
NOTE: journald or rsyslog was not found to be active. Review benchmark guidance to ensure local compliance.
Solution
Edit the following lines in the configuration file(s) returned by the audit as appropriate for your environment.
Note: The below configuration is shown for example purposes only. Due care should be given to how the organization wishes to store log data.
*.emerg :omusrmsg:*
auth,authpriv.* /var/log/secure
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
cron.* /var/log/cron
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
Run the following command to reload the rsyslogd configuration:
# systemctl reload-or-restart rsyslog
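As an added example (not part of the benchmark or of Nessus), the script below parses legacy-format rsyslog rule lines (`selector action`) and reports which of the rules listed above are absent from a configuration. It assumes legacy syntax only; `$`-directives and RainerScript `module(...)`/`action(...)` lines are skipped, and the sample configuration it checks is constructed.

```python
import re

# Rule lines from the benchmark solution, verbatim. A leading '-' on a file
# action only disables fsync after each write, so it is ignored when comparing.
BENCHMARK_RULES = """\
*.emerg :omusrmsg:*
auth,authpriv.* /var/log/secure
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
cron.* /var/log/cron
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
"""

# Legacy-format rule: facility.priority selector, whitespace, exactly one action.
# Comments, blanks, $-directives and RainerScript lines do not match.
RULE_RE = re.compile(r"^([\w*,.;=!]+)\s+(\S+)$")

def parse_rules(conf_text):
    """Return the set of (selector, action) pairs in conf_text."""
    rules = set()
    for raw in conf_text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m:
            selector, action = m.groups()
            rules.add((selector, action.lstrip("-")))
    return rules

REQUIRED_RULES = parse_rules(BENCHMARK_RULES)

def missing_rules(conf_text, required=REQUIRED_RULES):
    """Return the required pairs absent from conf_text, sorted."""
    return sorted(required - parse_rules(conf_text))

# Constructed /etc/rsyslog.conf fragment: directives and a remote forward are
# present, but most benchmark rules (e.g. auth/authpriv and cron) are not.
SAMPLE_CONF = """\
$ModLoad imuxsock
module(load="imklog")
*.emerg :omusrmsg:*
mail.* -/var/log/mail
*.* @@loghost.example.com:514
"""
```

Run `missing_rules(open("/etc/rsyslog.conf").read())` against the file(s) the audit returned; an empty list means every listed rule is present.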