4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.

Note: Ensure that the selection of logfiles being sent follows local site policy

Rationale:

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system

NOTE: Nessus detected that rsyslogd was listening on an open port and as a result has scanned this target as a rsyslog server.

Solution

Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines:
Newer syntax:

<files to sent to the remote log server> action(type='omfwd' target='<FQDN or ip of loghost>' port='<port number>' protocol='tcp'
action.resumeRetryCount='<number of re-tries>'
queue.type='LinkedList' queue.size=<number of messages to queue>')

Example:

*.* action(type='omfwd' target='192.168.2.100' port='514' protocol='tcp'
action.resumeRetryCount='100'
queue.type='LinkedList' queue.size='1000')

Older syntax:

*.* @@<FQDN or ip of loghost>

Example:

*.* @@192.168.2.100

Run the following command to reload the rsyslog configuration:

# systemctl restart rsyslog

See Also

https://workbench.cisecurity.org/files/3395