RHEL-06-000136 - The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.

Information

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Solution

To configure rsyslog to send logs to a remote log server, open '/etc/rsyslog.conf' and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting '[loghost.example.com]' appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:

*.* @[loghost.example.com]


To use TCP for log message delivery:

*.* @@[loghost.example.com]


To use RELP for log message delivery:

*.* :omrelp:[loghost.example.com]

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CAT|II, CCI|CCI-001348, Rule-ID|SV-217941r603264_rule, STIG-ID|RHEL-06-000136, STIG-Legacy|SV-50321, STIG-Legacy|V-38520, Vuln-ID|V-217941

Plugin: Unix

Control ID: af0821015ad6c4ed03b78b5879e4c6cc20265ba0d4a75b44cf2e14f11a3a0ebe