4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host
Audit
Review the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and verify that logs are sent to a central host (where loghost.example.com is the name of your central log host):
Old format
Output should include @@
New format
# grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
Output should include target=
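As an added example (not part of the benchmark text), the POSIX shell helper below applies both audit patterns above, the legacy @/@@ selector form and the RainerScript action(... target=...) form, to three constructed sample configurations: a local-only file, a legacy @@ forwarding rule, and the action() statement used in the remediation. The host names and addresses in the samples are placeholders, and the helper assumes only a POSIX sh and grep -E.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark). It applies the two checks
# the benchmark describes: legacy "@host"/"@@host" selectors and RainerScript
# action(... target="host" ...) statements. Like the benchmark's own grep, it
# expects action( and target= on the same line; a target= that only appears
# on a continuation line is not detected.

# Exit 0 if any of the given files forwards logs to a remote host, else 1.
rsyslog_has_remote_target() {
    # Legacy format: "<selector> @host" (UDP) or "<selector> @@host" (TCP).
    grep -Eqs '^[[:space:]]*[^#[:space:]]+[[:space:]]+@{1,2}[^[:space:]]+' "$@" && return 0
    # New format: action(type="omfwd" target="host" ...), quoted or unquoted target.
    grep -Eqs '^[[:space:]]*([^#]+[[:space:]]+)?action\(([^#]+[[:space:]]+)?target="?[^#"[:space:]]+"?' "$@" && return 0
    return 1
}

# Constructed sample configurations (placeholder hosts) written to a temp dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/local.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
# *.* @@loghost.example.com:514  (commented out: must not count)
EOF
    cat > "$dir/legacy.conf" <<'EOF'
*.* @@loghost.example.com:514
EOF
    cat > "$dir/new.conf" <<'EOF'
*.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp"
           action.resumeRetryCount="100"
           queue.type="LinkedList" queue.size="1000")
EOF
    echo "$dir"
}

# Print a PASS/FAIL verdict per sample file, as an auditor would per host.
audit_demo() {
    dir=$(make_samples)
    for f in local legacy new; do
        if rsyslog_has_remote_target "$dir/$f.conf"; then
            echo "$f.conf: PASS - remote log host configured"
        else
            echo "$f.conf: FAIL - no remote log host"
        fi
    done
    rm -rf "$dir"
}

audit_demo
```

On a real host, call rsyslog_has_remote_target /etc/rsyslog.conf /etc/rsyslog.d/*.conf; only local.conf above should fail.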
Remediation
Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.
*.* action(type="omfwd" target="192.168.2.100" port="514" protocol="tcp"
action.resumeRetryCount="100"
queue.type="LinkedList" queue.size="1000")
Run the following command to reload the rsyslogd configuration: