Information
Data from systemd-journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of systemd-journald logs; however, use of the rsyslog service provides a consistent means of log collection and export.
- IF - rsyslog is the preferred method for capturing logs, all logs of the system should be sent to it for further processing.
Note: This recommendation only applies if rsyslog is the chosen method for client-side logging. Do not apply this recommendation if systemd-journald is used.
Solution
- IF - Journald is the preferred method for capturing logs, this section and Recommendation should be skipped and the "Configure Journald" section followed.
- IF - rsyslog is the preferred method for capturing logs:
Set the following parameter in the [Journal] section in /etc/systemd/journald.conf or a file in /etc/systemd/journald.conf.d/ ending in .conf:
ForwardToSyslog=yes
Example script to create systemd drop-in configuration file:
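#!/usr/bin/env bash
{
   # Settings to place in the [Journal] section of the drop-in file
   a_settings=("ForwardToSyslog=yes")
   # Create the drop-in directory if it does not exist
   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
   # If the file already has a [Journal] header, append the setting; otherwise write the header first
   if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
      printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
   else
      printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
   fi
}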
Note: If this setting appears in a canonically later file, or later in the same file, the setting will be overridden.
Run the following command to update the parameters in the service:
Restart systemd-journald.service:
# systemctl reload-or-restart systemd-journald.service
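The note above about a canonically later file is the usual reason this setting silently fails to apply. The following check is an added example, not part of the benchmark text: it resolves which ForwardToSyslog assignment wins. It assumes only /etc/systemd/journald.conf and the drop-ins in /etc/systemd/journald.conf.d/ are in play; the function names and the 99-local.conf sample file are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the benchmark): resolve the effective ForwardToSyslog value.
# Assumption: only <root>/etc/systemd/journald.conf and
# <root>/etc/systemd/journald.conf.d/*.conf are read; other search paths are ignored.

effective_forward_to_syslog() (
    root="${1:-}"
    LC_ALL=C                     # byte-wise glob order inside this subshell
    set --                       # collect existing files: main file first, then drop-ins by name
    for f in "$root/etc/systemd/journald.conf" "$root"/etc/systemd/journald.conf.d/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then echo unset; exit 0; fi
    awk '
        FNR == 1    { in_journal = 0 }    # every file starts outside any section
        /^[ \t]*\[/ { in_journal = ($0 ~ /^[ \t]*\[Journal\][ \t]*$/); next }
        in_journal && /^[ \t]*ForwardToSyslog[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") value = $0      # a later assignment replaces an earlier one
        }
        END { print (value == "" ? "unset" : value) }
    ' "$@"
)

# Exit status 0 only when the winning assignment is a true boolean.
journald_forwards_to_syslog() {
    case "$(effective_forward_to_syslog "${1:-}" | tr '[:upper:]' '[:lower:]')" in
        yes|y|true|t|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tree: the drop-in written by the script above plus a later override.
make_sample_tree() {
    tree="$(mktemp -d)"
    mkdir -p "$tree/etc/systemd/journald.conf.d"
    printf '%s\n' "[Journal]" "#ForwardToSyslog=no" > "$tree/etc/systemd/journald.conf"
    printf '%s\n' "" "[Journal]" "ForwardToSyslog=yes" > "$tree/etc/systemd/journald.conf.d/60-journald.conf"
    printf '%s\n' "[Journal]" "ForwardToSyslog=no" > "$tree/etc/systemd/journald.conf.d/99-local.conf"
    printf '%s\n' "$tree"
}

# Demo: the 99-local.conf override wins, so the check reports a non-compliant state.
demo_root="$(make_sample_tree)"
echo "effective ForwardToSyslog: $(effective_forward_to_syslog "$demo_root")"
if journald_forwards_to_syslog "$demo_root"; then echo "PASS"; else echo "FAIL"; fi
rm -rf "$demo_root"
```

Pass an empty string as the root to evaluate the files under /etc on the running system.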
Item Details
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION
References: 800-53|AC-3, 800-53|AU-2, 800-53|AU-4, 800-53|AU-6(3), 800-53|AU-7, 800-53|AU-12, 800-53|MP-2, CSCv7|6.2, CSCv7|6.3, CSCv7|6.5
Control ID: eecf6e901104f901f6badfbe1110045d630a048841c42efedbebf3fdd5bdad04