Profile Applicability:
• Level 1
Description:
Configuring rsyslog to forward logs to a remote log host centralizes log collection, enabling enhanced security monitoring, correlation, and incident response across multiple systems.
Rationale:
Centralized logging helps prevent tampering with local logs, improves log availability, and facilitates comprehensive analysis in security operations.
Impact:
Pros:
Enhanced log integrity and availability.
Supports centralized security monitoring and compliance.
Cons:
Log delivery depends on network availability; an outage can delay or lose forwarded messages.
Requires a secure transport so forwarded logs cannot be intercepted or altered in transit.
Default Value:
By default, rsyslog is typically not configured to forward logs to a remote host.
Prerequisites:
Root or sudo privileges to modify the rsyslog configuration.
Access to a remote log host and network connectivity to it.
Remediation:
Test Plan:
Using Linux command line:
Check rsyslog configuration files for active (uncommented) remote forwarding directives, such as *.* @@remote-host (TCP), *.* @remote-host (UDP), or the newer action(type="omfwd" ...) form:
grep -E '^[^#]*(@|omfwd)' /etc/rsyslog.conf /etc/rsyslog.d/*
Verify the remote host address and protocol (TCP/UDP).
Implementation Plan:
Using Linux command line:
Edit /etc/rsyslog.conf or create a new file in /etc/rsyslog.d/ to add forwarding rules, for example:
*.* @@logs.example.com:514
Use @@ for TCP, @ for UDP.
Restart rsyslog to apply changes:
systemctl restart rsyslog
Verify logs are being sent to the remote host.
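As an added example (not part of the benchmark text or the rsyslog project), the following POSIX shell script combines the Test Plan check and the Implementation Plan step above: it lists the active forwarding rules in a set of rsyslog files, tags each with its transport, reports PASS or FAIL, and renders the *.* @@host:port rule line to install. It runs against a constructed sample config tree so it never touches /etc; the hostnames, ports and file contents are placeholders.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): audit a set of rsyslog
# configuration files for active remote-forwarding rules, classify the transport
# each uses, and render the rule line the remediation step installs.
# Hostnames, ports and file contents below are constructed placeholders.

# List every uncommented forwarding rule in the given files as
# "FILE<TAB>TRANSPORT<TAB>RULE". Recognises legacy "@host" (UDP) and "@@host"
# (TCP) selectors as well as RainerScript action(type="omfwd" ...) lines.
list_forwarding_rules() {
    [ $# -gt 0 ] || return 1   # never fall back to reading stdin
    grep -HE '^[^#]*(@|omfwd)' "$@" 2>/dev/null | while IFS= read -r line; do
        file=${line%%:*}
        rule=${line#*:}
        case "$rule" in
            *@@*)                 transport=tcp ;;   # legacy TCP selector
            *@*)                  transport=udp ;;   # legacy UDP selector
            *'protocol="tcp"'*)   transport=tcp ;;   # omfwd with explicit TCP
            *)                    transport=udp ;;   # omfwd defaults to UDP
        esac
        printf '%s\t%s\t%s\n' "$file" "$transport" "$rule"
    done
}

# Count active forwarding rules; return 0 (PASS) when at least one exists.
audit_forwarding() {
    n=$(list_forwarding_rules "$@" | wc -l)
    n=$((n))
    if [ "$n" -gt 0 ]; then
        echo "PASS: $n active remote forwarding rule(s)"
    else
        echo "FAIL: no active remote forwarding rule found"
        return 1
    fi
}

# Render the legacy-syntax rule for the remediation step: "@@" selects TCP,
# "@" UDP. Port defaults to 514 and transport to TCP, as in the benchmark example.
forward_rule() {
    host=$1
    port=${2:-514}
    proto=${3:-tcp}
    case "$proto" in
        tcp) printf '*.* @@%s:%s\n' "$host" "$port" ;;
        udp) printf '*.* @%s:%s\n' "$host" "$port" ;;
        *)   echo "unknown transport: $proto" >&2; return 1 ;;
    esac
}

# Build a throwaway config tree with constructed contents so the audit can be
# exercised without touching /etc. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/rsyslog.conf" <<'EOF'
# Commented-out example that must NOT count as forwarding:
# *.* @@disabled.example.com:514
*.* /var/log/messages
EOF
    cat > "$d/90-remote.conf" <<'EOF'
*.* @@logs.example.com:514
auth.* @udp-collector.example.com:514
action(type="omfwd" target="logs.example.com" port="6514" protocol="tcp")
EOF
    printf '%s\n' "$d"
}

# Demonstration run on the constructed tree; on a real host pass
# /etc/rsyslog.conf /etc/rsyslog.d/* instead.
sample=$(make_sample_tree)
list_forwarding_rules "$sample"/*.conf
audit_forwarding "$sample"/*.conf
forward_rule logs.example.com 514 tcp
rm -rf "$sample"
```

The grep pattern deliberately anchors on ^[^#]* so a commented-out example rule does not count as compliance, and the omfwd branch catches RainerScript-style configurations that a search for @@ alone would miss. After installing the rendered rule and restarting rsyslog, confirm delivery end to end by checking that a test message written with logger arrives on the collector.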
Backout Plan:
Using Linux command line:
Remove or comment out the remote forwarding configuration.
Restart rsyslog and verify local logging resumes.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
rsyslog Remote Logging
Systemd Journal Remote