4.1 Ensure that logging is enabled. - nodetool getlogginglevels

Information

Apache Cassandra uses Logback for logging functionality. While the logging level can be set using nodetool setlogginglevel, changes made using this method will be reverted to the level specified in the logback.xml file the next time the process restarts.

The configurable logging levels are:
OFF
TRACE
DEBUG
INFO (Default)
WARN
ERROR

Rationale:
If logging is not enabled, issues may go undiscovered, and compromises and other incidents may occur without being quickly detected. It may also not be possible to provide evidence of compliance with security laws, regulations, and other requirements.

Solution

To remediate this setting:
Edit the logback-test.xml if present; otherwise, edit the logback.xml:
<configuration scan="true">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>

  <logger name="org.cisecurity.workbench" level="WARN"/>
</configuration>
Restart Apache Cassandra.
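
An added example, not part of the benchmark text: a Python check of the persisted configuration that picks logback-test.xml before logback.xml, as the remediation above does, and reports the settings that would leave logging disabled after a restart. The function names and the constructed sample are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: logging effectively disabled (root OFF, filter OFF).
SAMPLE_DISABLED = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter"><level>OFF</level></filter>
  </appender>
  <root level="OFF"><appender-ref ref="STDOUT"/></root>
</configuration>"""

def pick_config(conf_dir):
    """Return logback-test.xml if present, otherwise logback.xml, else None."""
    for name in ("logback-test.xml", "logback.xml"):
        path = os.path.join(conf_dir, name)
        if os.path.isfile(path):
            return path
    return None

def audit_logback(xml_data):
    """Return a list of findings; an empty list means logging is enabled."""
    cfg = ET.fromstring(xml_data)
    root_logger = cfg.find("root")
    if root_logger is None:
        return ["no <root> logger defined"]
    findings = []
    # Logback's root logger defaults to DEBUG when no level attribute is set.
    if (root_logger.get("level") or "DEBUG").upper() == "OFF":
        findings.append("root level is OFF")
    refs = [r.get("ref") for r in root_logger.findall("appender-ref")]
    if not refs:
        findings.append("root logger has no appender-ref")
    appenders = {a.get("name"): a for a in cfg.findall("appender")}
    for ref in refs:
        if ref not in appenders:
            findings.append(f"appender-ref {ref!r} has no <appender>")
            continue
        # A ThresholdFilter set to OFF drops every event sent to the appender.
        for lvl in appenders[ref].findall("filter/level"):
            if (lvl.text or "").strip().upper() == "OFF":
                findings.append(f"appender {ref!r} filter level is OFF")
    return findings

def audit_conf_dir(conf_dir):
    """Audit the configuration file selected from conf_dir."""
    path = pick_config(conf_dir)
    if path is None:
        return None, ["no logback configuration found"]
    with open(path, "rb") as fh:
        return os.path.basename(path), audit_logback(fh.read())
```

Call audit_conf_dir() with the node's configuration directory; it returns the file name that was audited and the list of findings.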

Default Value:
INFO

References:
http://cassandra.apache.org/doc/latest/troubleshooting/reading_logs.html?highlight=logging
https://logback.qos.ch/manual/configuration.html

See Also

https://workbench.cisecurity.org/files/2309

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|6.3

Plugin: Unix

Control ID: 1b0c256c762792916e86d8488e3bf0f0e5df8156d193a874d8779d1594850020