Profile Applicability:
• Level 1
Description:
The systemd-journal-remote service allows a system to receive and process logs forwarded from remote systems using the systemd journal protocol. Proper configuration enables centralized log collection for enhanced monitoring and forensic analysis.
Rationale:
Centralized logging with systemd-journal-remote improves log integrity, availability, and supports comprehensive security monitoring across distributed systems.
Impact:
Pros:
Facilitates centralized log collection and analysis.
Enhances security monitoring and incident response.
Cons:
Requires network and service configuration.
Potentially increases resource usage on the receiving system.
Default Value:
systemd-journal-remote is typically not enabled or configured by default.
Pre-requisites:
Root or sudo privileges to install and configure the service.
Network access for receiving logs.
Remediation:
Test Plan:
Using Linux command line:
Verify if systemd-journal-remote service is installed:
systemctl status systemd-journal-remote
Check configuration files (e.g., /etc/systemd/journal-remote.conf) for proper setup.
Implementation Plan:
Using Linux command line:
Install the package if not present:
On RPM-based systems:
yum install systemd-journal-remote -y
On Debian-based systems:
apt-get install systemd-journal-remote -y
Enable and start the service:
systemctl enable systemd-journal-remote systemctl start systemd-journal-remote
Configure /etc/systemd/journal-remote.conf as required, e.g., setting listen address and storage options.
Restart the service after configuration changes:
systemctl restart systemd-journal-remote
Verify the service is active and logs are being received.
Backout Plan:
Using Linux command line:
Disable and stop the service if necessary:
systemctl disable systemd-journal-remote
systemctl stop systemd-journal-remoteRemove or revert configuration changes.
Confirm service is inactive.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journal-remote Documentation