6.2.3.3 Ensure journald is configured to send logs to rsyslog

Information

Data collected by systemd-journald may be held in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald logs (systemd-journal-remote, for example), but forwarding the journal to the rsyslog service provides a single, consistent path for log collection and export.

- IF - rsyslog is the preferred method for capturing logs, all logs on the system, including the journal, should be sent to it for further processing.

Solution

- IF - rsyslog is the preferred method for capturing logs:

Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf :

ForwardToSyslog=yes

Example:

#!/usr/bin/env bash

{
# Create the drop-in directory if it does not exist yet.
[ ! -d /etc/systemd/journald.conf.d/ ] && mkdir -p /etc/systemd/journald.conf.d/
# If the drop-in already has a [Journal] section, append the key to it;
# otherwise create the file with a [Journal] header (grep -s silences a missing file).
if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
printf '%s\n' "" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
else
printf '%s\n' "" "[Journal]" "ForwardToSyslog=yes" >> /etc/systemd/journald.conf.d/60-journald.conf
fi
}

Note: Drop-in configuration files have higher precedence and override the main configuration file. Files in the *.conf.d/ configuration subdirectories are sorted by their filename in lexicographic order, regardless of which of the subdirectories they reside in. When multiple files specify the same option, for options that accept just a single value, the entry in the file sorted last takes precedence, and for options that accept a list of values, entries are collected as they occur in the sorted files. Because of this, a drop-in that sorts after 60-journald.conf (for example 99-*.conf) and sets ForwardToSyslog=no would silently override the remediation above, so verify the effective value rather than only the file you wrote.
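The precedence rules above are what an audit has to reproduce: the main file is read first, then every drop-in in filename order, and the last assignment inside a [Journal] section wins. The following script is an added example, not part of the CIS benchmark text or of systemd, that resolves the effective ForwardToSyslog= value that way and reports PASS or FAIL. It assumes the configuration tree lives under an optional root directory argument (default "/", so it can be pointed at a constructed tree), and it only considers /etc; real systemd also merges drop-ins from /run and /usr/lib, which this example ignores. The name ForwardToSyslog and the files it reads are from the text; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: resolve the effective ForwardToSyslog= value the way
# systemd-journald does (main file first, then *.conf drop-ins sorted by
# name, last assignment in a [Journal] section wins).
# Assumption: only the /etc tree under "$1" is considered.

# Print the last ForwardToSyslog= value found in a [Journal] section of one file.
# Prints nothing when the file does not set the option.
_journal_forward_value_in_file() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # section header
            in_journal = ($0 ~ /^[[:space:]]*\[Journal\][[:space:]]*$/); next }
        in_journal && $1 ~ /^[[:space:]]*ForwardToSyslog[[:space:]]*$/ {
            val = $2
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            last = val; seen = 1
        }
        END { if (seen) print (last == "" ? "no" : last) }   # empty value resets to default
    ' "$1"
}

# Print the effective value; "no" is journald'"'"'s built-in default.
effective_forward_to_syslog() {
    local root="${1:-}"
    local main="$root/etc/systemd/journald.conf"
    local dropin_dir="$root/etc/systemd/journald.conf.d"
    local value="no"
    local f v
    local files=("$main")
    # Bash expands the glob in sorted order, which is the precedence order journald uses.
    for f in "$dropin_dir"/*.conf; do
        [ -e "$f" ] && files+=("$f")
    done
    for f in "${files[@]}"; do
        [ -r "$f" ] || continue
        v=$(_journal_forward_value_in_file "$f")
        [ -n "$v" ] && value="$v"
    done
    # Normalise the boolean spellings systemd accepts.
    case "$value" in
        1|yes|true|on)   value="yes" ;;
        0|no|false|off)  value="no"  ;;
    esac
    printf '%s\n' "$value"
}

# Audit: PASS (exit 0) when the effective value is yes, FAIL (exit 1) otherwise.
audit_journald_forward() {
    local v
    v=$(effective_forward_to_syslog "${1:-}")
    if [ "$v" = "yes" ]; then
        printf 'PASS: effective ForwardToSyslog=%s\n' "$v"
        return 0
    fi
    printf 'FAIL: effective ForwardToSyslog=%s\n' "$v"
    return 1
}

# Usage on the live system: source this file and run  audit_journald_forward
```

Running `audit_journald_forward` with no argument checks the live system. On a host with systemd, `systemd-analyze cat-config systemd/journald.conf` prints the same merged view (including the /run and /usr/lib drop-ins this example skips) and is a quick way to cross-check the result.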

Run the following command to apply the new parameter to the running service (systemd-journald.service is reloaded if it supports it, otherwise restarted):

# systemctl reload-or-restart systemd-journald.service

Impact:

- IF - Journald is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure Journald" section followed.

See Also

https://workbench.cisecurity.org/benchmarks/24008

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AU-2, 800-53|AU-4, 800-53|AU-6(3), 800-53|AU-7, 800-53|AU-12, 800-53|MP-2, CSCv7|6.2, CSCv7|6.3, CSCv7|6.5

Plugin: Unix

Control ID: 4fc864b61d59d6a7758450d2ac9d2fb0f97584c3397c2a4c72e312321bc3577f