4.3 (L1) Host must log sufficient information for events

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Set the Syslog.global.logLevel parameter to "info" so that audit logs capture sufficient information for diagnosing issues and investigating security events. This setting strikes a balance between log verbosity and storage utilization: the parameter governing this behavior is Syslog.global.logLevel, and the recommended value is info.

Adequate log data is crucial for identifying indicators of compromise, enabling timely and effective response to cybersecurity incidents. The "info" level provides essential details without excessively consuming storage resources.
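The following PowerCLI script is an added example, not part of the CIS audit page or of a VMware-supplied check. It reads Syslog.global.logLevel from every ESXi host managed by a vCenter, reports whether the value matches the recommended "info", and, only when run with -Remediate, sets it. The vCenter name is a placeholder, and the script assumes the VMware.PowerCLI module is installed and the account used has permission to read and modify host advanced settings.

```powershell
# Added example (not from the audit page): audit, and optionally remediate,
# Syslog.global.logLevel on all ESXi hosts behind a vCenter using PowerCLI.
# Assumptions: VMware.PowerCLI is installed; the -Server default is a placeholder.
param(
    [string]$Server = 'vcenter.example.invalid',   # placeholder, replace with your vCenter
    [switch]$Remediate                             # read-only unless this switch is given
)

$SettingName   = 'Syslog.global.logLevel'   # parameter named in the benchmark
$ExpectedValue = 'info'                     # recommended value from the benchmark

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

$results = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Advanced host settings are exposed as key/value objects; a missing key
    # is reported explicitly rather than treated as compliant.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $SettingName
    $current = if ($setting) { [string]$setting.Value } else { '<not set>' }
    $compliant = ($current -eq $ExpectedValue)   # PowerShell -eq is case-insensitive

    if (-not $compliant -and $Remediate -and $setting) {
        # Remediation path: write the recommended value back to the host.
        $setting | Set-AdvancedSetting -Value $ExpectedValue -Confirm:$false | Out-Null
        $current   = $ExpectedValue
        $compliant = $true
    }

    [pscustomobject]@{
        Host      = $vmhost.Name
        Setting   = $SettingName
        Value     = $current
        Expected  = $ExpectedValue
        Compliant = $compliant
    }
}

# One row per host; non-compliant hosts show the value actually in effect.
$results | Format-Table -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it without -Remediate first to produce an evidence table for the audit; the Value column shows the level each host is actually logging at, which matters because a host left at a terser level than "info" may silently omit the entries an investigation later depends on.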

Solution

Impact:

More verbose logging levels will demand additional storage space while potentially burying critical entries under less significant data. Conversely, less verbose levels might miss capturing crucial information, hindering effective diagnostics and incident response.

See Also

https://workbench.cisecurity.org/benchmarks/15784