
4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client

Audit#

Review /etc/rsyslog.conf and /etc/rsyslog.d/*.conf and verify that the system is not configured to accept incoming logs. Note that the checks below match only the imtcp module and an imtcp listener on port 514: a receiver using imudp or imrelp (the UDP and RELP input modules), an imtcp input on a different port, or configuration pulled in through $IncludeConfig or include() from a location other than /etc/rsyslog.d would not be reported, so review for those as well.

Old format

# grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

No output expected.

New format

# grep -P -- '^\h*module\(load="imtcp"\)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# grep -P -- '^\h*input\(type="imtcp" port="514"\)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf

No output expected.

Remediation#

If the audit reports any listener configuration, edit the files it reported and remove the lines it highlighted. Ensure none of the following entries are present in /etc/rsyslog.conf or in any /etc/rsyslog.d/*.conf file.

Old format

$ModLoad imtcp
$InputTCPServerRun

New format

module(load="imtcp")
input(type="imtcp" port="514")

Restart the service:

# systemctl restart rsyslog
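As an added worked example that is not part of the benchmark text, the following POSIX shell script turns the audit and remediation above into two functions: one that reports every listener line in both the legacy and the RainerScript syntax, and one that disables those lines. It goes beyond the benchmark's greps in two ways, and these are the example's own assumptions rather than CIS requirements: it also flags the imudp and imrelp receiver modules, and it matches an imtcp input on any port, not only 514. The function names, the `.bak` backup convention and the `# disabled (CIS 4.2.2.7):` comment prefix are likewise the example's own.

```shell
#!/bin/sh
# Added example: audit and remediate rsyslog remote-receiver configuration.
# Not the benchmark's own tooling; names and conventions here are assumptions.

# ERE matching the lines the benchmark flags, in both config syntaxes.
# Extended (example's assumption) to imudp/imrelp and to any listener port.
# Legacy directives: $ModLoad im{tcp,udp,relp}, $InputTCPServerRun,
# $UDPServerRun, $InputRELPServerRun. RainerScript: module(load="im...")
# and input(type="im...").
RSYSLOG_RECEIVER_RE='^[[:space:]]*(\$ModLoad[[:space:]]+im(tcp|udp|relp)|\$(InputTCPServerRun|UDPServerRun|InputRELPServerRun)|module\(load="im(tcp|udp|relp)"|input\(type="im(tcp|udp|relp)")'

# Audit: print every offending line as file:lineno:text.
# Returns 0 when no receiver is configured (the benchmark's "no output"
# outcome) and 1 when at least one listener line was found.
rsyslog_audit_receivers() {
    _conf_dir="$1"          # directory holding rsyslog.conf and rsyslog.d/
    _found=0
    for _f in "$_conf_dir"/rsyslog.conf "$_conf_dir"/rsyslog.d/*.conf; do
        [ -f "$_f" ] || continue
        if grep -HnE "$RSYSLOG_RECEIVER_RE" "$_f"; then
            _found=1
        fi
    done
    return "$_found"
}

# Remediation: comment out (rather than delete) every flagged line so the
# change stays reviewable, keeping a .bak copy of each file that is modified.
# Files without a listener line are left untouched.
rsyslog_disable_receivers() {
    _conf_dir="$1"
    for _f in "$_conf_dir"/rsyslog.conf "$_conf_dir"/rsyslog.d/*.conf; do
        [ -f "$_f" ] || continue
        grep -qE "$RSYSLOG_RECEIVER_RE" "$_f" || continue
        cp -p "$_f" "$_f.bak"
        # ',' is a safe sed delimiter here: the pattern contains no commas.
        sed -E "s,$RSYSLOG_RECEIVER_RE,# disabled (CIS 4.2.2.7): &," "$_f.bak" > "$_f"
    done
}

# When run as a script: ./rsyslog-receivers.sh audit|fix [config-dir]
# (config-dir defaults to /etc). Does nothing when sourced without arguments.
if [ $# -ge 1 ]; then
    _dir="${2:-/etc}"
    case "$1" in
        audit) rsyslog_audit_receivers "$_dir" && echo "no remote log receiver configured" ;;
        fix)   rsyslog_disable_receivers "$_dir" && rsyslog_audit_receivers "$_dir" ;;
        *)     echo "usage: $0 audit|fix [config-dir]" >&2; exit 2 ;;
    esac
fi
```

Run `audit` first and review its output; `fix` comments the lines out and leaves a `.bak` beside each file it changed. After a fix, validate the configuration with `rsyslogd -N1` before the `systemctl restart rsyslog` step above, so a syntax error does not leave the host without local logging.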