Skip to content

6.1.3.5 Ensure rsyslog logging is configured

Audit#

Review the contents of /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files to ensure appropriate logging is set. In addition, run the following command and verify that the log files are logging information as expected:
Run the following script and review the output from the rsyslog configuration to ensure appropriate logging is set an in accordance with local site policy. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/env bash
{
l_analyze_cmd="$(readlink -f /bin/systemd-analyze)"
l_include='\$IncludeConfig' a_config_files=("/etc/rsyslog.conf")
while IFS= read -r l_file; do
l_conf_loc="$(awk '$1~/^\s*'"$l_include"'$/ {print $2}' "$(tr -d '# ' <<< "$l_file")" | tail -n 1)"
[ -n "$l_conf_loc" ] && break
done < <($l_analyze_cmd cat-config "${a_config_files[@]}" | tac | grep -Pio '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
if [ -d "$l_conf_loc" ]; then
l_dir="$l_conf_loc" l_ext="*"
elif grep -Psq '\/\*\.([^#/\n\r]+)?\h*$' <<< "$l_conf_loc" || [ -f "$(readlink -f "$l_conf_loc")" ]; then
l_dir="$(dirname "$l_conf_loc")" l_ext="$(basename "$l_conf_loc")"
fi
while read -r -d $'\0' l_file_name; do
[ -f "$(readlink -f "$l_file_name")" ] && a_config_files+=("$(readlink -f "$l_file_name")")
done < <(find -L "$l_dir" -type f -name "$l_ext" -print0 2>/dev/null)
for l_logfile in "${a_config_files[@]}"; do
grep -PHs -- '^\h*[^#\n\r\/:]+\/var\/log\/.*$' "$l_logfile"
done
}
Example output: 
/etc/rsyslog.d/60-rsyslog.conf:auth,authpriv.*      /var/log/secure
/etc/rsyslog.d/60-rsyslog.conf:mail.*           -/var/log/mail
/etc/rsyslog.d/60-rsyslog.conf:mail.info        -/var/log/mail.info
/etc/rsyslog.d/60-rsyslog.conf:mail.warning     -/var/log/mail.warn
/etc/rsyslog.d/60-rsyslog.conf:mail.err         /var/log/mail.err
/etc/rsyslog.d/60-rsyslog.conf:cron.*           /var/log/cron
/etc/rsyslog.d/60-rsyslog.conf:*.=warning;*.=err    -/var/log/warn
/etc/rsyslog.d/60-rsyslog.conf:*.crit           /var/log/warn
/etc/rsyslog.d/60-rsyslog.conf:*.*;mail.none;news.none  -/var/log/messages
/etc/rsyslog.d/60-rsyslog.conf:local0,local1.*      -/var/log/localmessages
/etc/rsyslog.d/60-rsyslog.conf:local2,local3.*      -/var/log/localmessages
/etc/rsyslog.d/60-rsyslog.conf:local4,local5.*      -/var/log/localmessages
/etc/rsyslog.d/60-rsyslog.conf:local6,local7.*      -/var/log/localmessages
/etc/rsyslog.d/50-default.conf:auth,authpriv.*      /var/log/auth.log #<- Will be ignored
/etc/rsyslog.d/50-default.conf:*.*;auth,authpriv.none   -/var/log/syslog
/etc/rsyslog.d/50-default.conf:kern.*           -/var/log/kern.log
/etc/rsyslog.d/50-default.conf:mail.*           -/var/log/mail.log #<- Will be ignored
/etc/rsyslog.d/50-default.conf:mail.err         /var/log/mail.err #<- Will be ignored

Note:

  • Output is generated as \<CONFIGURATION_FILE>:<PARAMETER>
  • Files are listed in order of precedence. If the same parameter is listed multiple times, only the first occurrence will be used be the rsyslog daemon

Remediation#

Edit the following lines in the configuration file(s) returned by the audit as appropriate for your environment.
Note: The below configuration is shown for example purposes only. Due care should be given to how the organization wishes to store log data. 

*.emerg         :omusrmsg:*
auth,authpriv.*     /var/log/secure
mail.*          -/var/log/mail
mail.info       -/var/log/mail.info
mail.warning        -/var/log/mail.warn
mail.err        /var/log/mail.err
cron.*          /var/log/cron
*.=warning;*.=err   -/var/log/warn
*.crit          /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.*     -/var/log/localmessages
local2,local3.*     -/var/log/localmessages
local4,local5.*     -/var/log/localmessages
local6,local7.*     -/var/log/localmessages

Run the following command to reload the rsyslogd configuration: 

# systemctl reload-or-restart rsyslog