4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded.

Information

The operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

Rationale:

Unintentionally running an rsyslog server that accepts remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information into the system's logs, or could fill the system's storage, leading to a Denial of Service.

If the system is intended to be a log aggregation server its use must be documented with the Authorizing Official.

Solution

Modify the /etc/rsyslog.conf file to remove the ModLoad imudp and ModLoad imrelp configuration lines, or document the system as being used for log aggregation.
Example: vim /etc/rsyslog.conf
Remove the following configuration lines, or comment them out so that they read:

#ModLoad imudp
#ModLoad imrelp
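The following audit script is an added example, not part of the benchmark text. It reports any active line that loads imudp or imrelp, recognising the RainerScript module(load="...") syntax as well as the legacy $ModLoad form, and it can be pointed at /etc/rsyslog.d/*.conf too, since the stock rsyslog.conf includes that directory; the sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): report any active rsyslog
# line that loads the remote-input modules imudp or imrelp, in either the
# legacy "$ModLoad imudp" form or the RainerScript 'module(load="imudp")' form.
# Commented-out lines are ignored, so "#$ModLoad imudp" counts as remediated.
REMOTE_INPUT_RE='^[[:space:]]*(\$ModLoad[[:space:]]+(imudp|imrelp)([[:space:]]|$)|module\([[:space:]]*load[[:space:]]*=[[:space:]]*"(imudp|imrelp)")'

# Print matching lines as file:line:text. Usage: find_remote_inputs FILE...
find_remote_inputs() {
  grep -HEin "$REMOTE_INPUT_RE" "$@" 2>/dev/null
}

# Return 0 (PASS) when no remote-input module is loaded, 1 (FAIL) otherwise.
audit_rsyslog() {
  if find_remote_inputs "$@" >/dev/null; then
    echo "FAIL: rsyslog is configured to accept remote messages:"
    find_remote_inputs "$@" | sed 's/^/  /'
    return 1
  fi
  echo "PASS: imudp and imrelp are not loaded"
}

# Constructed sample configs standing in for /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
sample_fail=$(mktemp) && sample_pass=$(mktemp)
trap 'rm -f "$sample_fail" "$sample_pass"' EXIT
cat >"$sample_fail" <<'EOF'
#$ModLoad imudp
$UDPServerRun 514
module( load="imrelp" )
input(type="imrelp" port="2514")
EOF
cat >"$sample_pass" <<'EOF'
$ModLoad imuxsock
#$ModLoad imudp
#module(load="imrelp")
*.info;mail.none;authpriv.none;cron.none /var/log/messages
EOF

rc=0
audit_rsyslog "$sample_fail" || rc=$?
echo "exit status $rc"
audit_rsyslog "$sample_pass"

# On a real host: audit_rsyslog /etc/rsyslog.conf /etc/rsyslog.d/*.conf
```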

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019

Vul ID: V-72211

Rule ID: SV-86835r2_rule

STIG ID: RHEL-07-031010

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688