Skip to content

6.1.1.4 Ensure only one logging system is in use

Audit#

Run the following script to ensure only one logging system is in use: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#!/usr/bin/env bash
{
l_output="" l_output2="" # Check the status of rsyslog and journald
if systemctl is-active --quiet rsyslog; then
l_output="$l_output\n - rsyslog is in use\n- follow the recommendations in Configure rsyslog subsection only"
elif systemctl is-active --quiet systemd-journald; then
l_output="$l_output\n - journald is in use\n- follow the recommendations in Configure journald subsection only"
else
echo -e “unable to determine system logging”
l_output2="$l_output2\n - unable to determine system logging\n-Configure only ONE system logging: rsyslog OR journald"
fi
if [ -z "$l_output2" ]; then # Provide audit results
echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
else
echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2"
fi
}

Remediation#

  1. Determine whether to use journald - OR - rsyslog depending on site needs
  2. Configure systemd-jounald.service
  3. Configure only ONE either journald - OR - rsyslog and complete the recommendations in that subsection
  4. Return to this recommendation to ensure only one logging system is in use