Ensure journald Is Configured to Send Logs to rsyslog : iCompaas Support

Profile Applicability:
• Level 1

Description:
Configuring journald to forward logs to rsyslog enables centralized log management and compatibility with traditional syslog-based monitoring tools.

Rationale:
Forwarding logs from journald to rsyslog ensures comprehensive log collection, facilitating security monitoring, alerting, and compliance.

Impact:
Pros:

Centralizes log management.
Improves compatibility with existing log analysis systems.

Cons:

May increase log processing overhead.

Default Value:
By default, forwarding may not be enabled and requires explicit configuration.

Pre-requisites:

Root or sudo privileges to modify systemd journal configuration files.

Remediation:

Test Plan:

Using Linux command line:

Check journald configuration in /etc/systemd/journald.conf for ForwardToSyslog:
```
grep ForwardToSyslog /etc/systemd/journald.conf
```
Verify if it is set to yes.

Implementation Plan:

Using Linux command line:

1. Edit /etc/systemd/journald.conf:

vi /etc/systemd/journald.conf

2. Set the following directive:

ForwardToSyslog=yes

3. Save the file and restart the systemd-journald service:

systemctl restart systemd-journald

4. Verify the setting:

grep ForwardToSyslog /etc/systemd/journald.conf

Backout Plan:

Using Linux command line:

Set ForwardToSyslog to no or comment out the line if needed.
Restart systemd-journald and verify logs are no longer forwarded.

References:

CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journald Manual
rsyslog Documentation

Ensure journald Is Configured to Send Logs to rsyslog Print

Test Plan:

Implementation Plan:

Backout Plan:

Related Articles