4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead.

Rationale:

Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system

Solution

Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add one of the following lines:
Newer syntax:

<files to sent to the remote log server> action(type='omfwd' target='<FQDN or ip of loghost>' port='<port number>' protocol='tcp'
action.resumeRetryCount='<number of re-tries>'
queue.type='linkList' queue.size=<number of messages to queue>')

Example:

*.* action(type='omfwd' target='192.168.2.100' port'514' protocol='tcp'
action.resumeRetryCount='100'
queue.type='linkList' queue.size='1000')

Older syntax:

*.* @@<FQDN or ip of loghost>

Example:

*.* @@192.168.2.100

Run the following command to reload the rsyslog configuration:

# systemctl reload rsyslog

References:

See the rsyslog.conf(5) man page for more information.

Notes:

The double 'at' sign (@@) directs rsyslogto use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol.

*.* sends all logs to the remote loghost. Ensure that the selection of logfiles being sent follows local site policy

See Also

https://workbench.cisecurity.org/files/2658