8.2 Collect Audit Logs
Configure rsyslog
IG1
IG2
IG3
Level 1
Logging and Auditing
M1029
Manual
Server
System Logging
T1070
T1070.002
T1562
T1562.006
TA0040
Workstation
6.1.3.6 Ensure rsyslog is configured to send logs to a remote log host
Audit
Run the following script and review the output of rsyslog configuration. Verify that logs are sent to a central host used by your organization: basic format
basic format
#!/usr/bin/env bash
{
l_analyze_cmd = " $( readlink -f /bin/systemd-analyze) "
l_include = '\$IncludeConfig' a_config_files =( "/etc/rsyslog.conf" )
while IFS = read -r l_file; do
l_conf_loc = " $( awk '$1~/^\s*' " $l_include " '$/ {print $2}' " $( tr -d '# ' <<< " $l_file " ) " | tail -n 1 ) "
[ -n " $l_conf_loc " ] && break
done < <( $l_analyze_cmd cat-config " ${ a_config_files [@] } " | tac | grep -Pio '^\h*#\h*\/[^#\n\r\h]+\.conf\b' )
if [ -d " $l_conf_loc " ] ; then
l_dir = " $l_conf_loc " l_ext = "*"
elif grep -Psq '\/\*\.([^#/\n\r]+)?\h*$' <<< " $l_conf_loc " || [ -f " $( readlink -f " $l_conf_loc " ) " ] ; then
l_dir = " $( dirname " $l_conf_loc " ) " l_ext = " $( basename " $l_conf_loc " ) "
fi
while read -r -d $'\0' l_file_name; do
[ -f " $( readlink -f " $l_file_name " ) " ] && a_config_files +=( " $( readlink -f " $l_file_name " ) " )
done < <( find -L " $l_dir " -type f -name " $l_ext " -print0 2 >/dev/null)
for l_logfile in " ${ a_config_files [@] } " ; do
-Hs -- "^*.*[^I][^I]*@" " $l_logfile "
done
}
Output should include **@@
Example output:
@@loghost.example.com
- OR -
Run the following script and review the output of rsyslog configuration. Verify that logs are sent to a central host used by your organization:
advanced format :
#!/usr/bin/env bash
{
l_analyze_cmd = " $( readlink -f /bin/systemd-analyze) "
l_include = '\$IncludeConfig' a_config_files =( "/etc/rsyslog.conf" )
while IFS = read -r l_file; do
l_conf_loc = " $( awk '$1~/^\s*' " $l_include " '$/ {print $2}' " $( tr -d '# ' <<< " $l_file " ) " | tail -n 1 ) "
[ -n " $l_conf_loc " ] && break
done < <( $l_analyze_cmd cat-config " ${ a_config_files [@] } " | tac | grep -Pio '^\h*#\h*\/[^#\n\r\h]+\.conf\b' )
if [ -d " $l_conf_loc " ] ; then
l_dir = " $l_conf_loc " l_ext = "*"
elif grep -Psq '\/\*\.([^#/\n\r]+)?\h*$' <<< " $l_conf_loc " || [ -f " $( readlink -f " $l_conf_loc " ) " ] ; then
l_dir = " $( dirname " $l_conf_loc " ) " l_ext = " $( basename " $l_conf_loc " ) "
fi
while read -r -d $'\0' l_file_name; do
[ -f " $( readlink -f " $l_file_name " ) " ] && a_config_files +=( " $( readlink -f " $l_file_name " ) " )
done < <( find -L " $l_dir " -type f -name " $l_ext " -print0 2 >/dev/null)
for l_logfile in " ${ a_config_files [@] } " ; do
-PHsi --'^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' " $l_logfile "
done
}
Output should include target=
Example output:
action( type = "omfwd" target = "loghost.example.com" port = "514" protocol = "tcp"
Edit the rsyslog configuration and add the following line (where loghost.example.com is the name of your central log host). The target directive may either be a fully qualified domain name or an IP address.
Example script to create a drop-in configuration file:
#!/usr/bin/env bash
{
a_parameters =( '*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"' \' action.resumeRetryCount= "100" ' '
= "LinkedList" queue.size= "1000" ) ')
[ ! -d "/etc/rsyslog.d/" ] && mkdir /etc/rsyslod.d/
printf ' %s\n ' "" " ${ a_parameters [@] } " >> /etc/rsyslog.d/60-rsyslog.conf
}
Run the following command to reload rsyslog.service :
# systemctl reload-or-restart rsyslog.service