Profile Applicability:
• Level 1
Description:
The systemd-journal-remote service allows a system to receive and store journal logs from remote machines, facilitating centralized logging. Enabling this service is essential when centralized log collection is part of the site’s logging policy.
Rationale:
Enabling systemd-journal-remote supports centralized audit logging, improving log aggregation, analysis, and compliance monitoring across multiple systems.
Impact:
Pros:
Facilitates centralized logging for better monitoring and incident response.
Simplifies management of logs from multiple hosts.
Cons:
Increases network and storage resource usage.
Requires secure configuration to prevent unauthorized log injection.
Default Value:
The systemd-journal-remote service is typically disabled by default.
Pre-requisites:
Root or sudo privileges to manage system services.
Remediation:
Test Plan:
Using Linux command line:
Check if the systemd-journal-remote service is enabled:
systemctl is-enabled systemd-journal-remote
Check if the service is active:
systemctl is-active systemd-journal-remote
Implementation Plan:
Using Linux command line:
Enable the systemd-journal-remote service:
systemctl enable systemd-journal-remote
Start the service:
systemctl start systemd-journal-remote
Verify the service status:
systemctl is-enabled systemd-journal-remote
systemctl is-active systemd-journal-remote
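The test and implementation plans above are four interactive commands; the following POSIX sh helper, added here and not part of the benchmark text, wraps them so the audit can be scripted and returns a single PASS/FAIL verdict. It assumes (this is not stated on the page) that the packaged systemd-journal-remote.service is socket-activated by systemd-journal-remote.socket, so `is-enabled` on the service may answer "indirect" or "static" and `is-active` may answer "inactive" on a correctly configured host until a remote peer connects; in that case the helper checks the socket unit instead of failing outright. The unit names and the state words are systemd's own; the function names are the author's.

```shell
#!/bin/sh
# Added audit helper for the systemd-journal-remote test plan (not from the
# benchmark). It runs `systemctl is-enabled` / `is-active` where systemctl
# exists and classifies the answers so the check can be scripted.

# Query one unit state. On hosts without systemd (or when the unit is missing)
# return a clear marker instead of an empty string so the verdict is readable.
unit_state() {
    # $1 = is-enabled | is-active, $2 = unit name
    if command -v systemctl >/dev/null 2>&1; then
        out=$(systemctl "$1" "$2" 2>/dev/null) || true
        echo "${out:-unknown}"
    else
        echo "not-found"
    fi
}

# Classify an `is-enabled` answer. "enabled" is the plain pass. "indirect" and
# "static" mean the service unit has no WantedBy= of its own and is started by
# another unit (assumption: systemd-journal-remote.socket), so the caller must
# inspect the socket before deciding.
classify_enabled() {
    case "$1" in
        enabled|enabled-runtime) echo "pass" ;;
        indirect|static)         echo "check-socket" ;;
        *)                       echo "fail" ;;
    esac
}

# Classify an `is-active` answer.
classify_active() {
    case "$1" in
        active|activating|reloading) echo "pass" ;;
        *)                           echo "fail" ;;
    esac
}

# Combine the four answers into one verdict: prints PASS/FAIL with a reason,
# returns 0 for PASS and 1 for FAIL.
# $1 service is-enabled, $2 service is-active,
# $3 socket is-enabled,  $4 socket is-active
journal_remote_verdict() {
    svc_enabled="$1"; svc_active="$2"; sock_enabled="$3"; sock_active="$4"
    e=$(classify_enabled "$svc_enabled")
    if [ "$e" = "check-socket" ]; then
        # Socket-activated: the socket must be enabled and listening; the
        # service itself is legitimately inactive until a peer connects.
        if [ "$(classify_enabled "$sock_enabled")" = "pass" ] &&
           [ "$(classify_active "$sock_active")" = "pass" ]; then
            echo "PASS: socket-activated (service=$svc_enabled, socket=$sock_enabled/$sock_active)"
            return 0
        fi
        echo "FAIL: service is $svc_enabled but socket is $sock_enabled/$sock_active"
        return 1
    fi
    if [ "$e" = "pass" ] && [ "$(classify_active "$svc_active")" = "pass" ]; then
        echo "PASS: service $svc_enabled/$svc_active"
        return 0
    fi
    echo "FAIL: service $svc_enabled/$svc_active"
    return 1
}

# Live audit of this host; only meaningful where systemctl exists.
journal_remote_audit() {
    journal_remote_verdict \
        "$(unit_state is-enabled systemd-journal-remote.service)" \
        "$(unit_state is-active  systemd-journal-remote.service)" \
        "$(unit_state is-enabled systemd-journal-remote.socket)" \
        "$(unit_state is-active  systemd-journal-remote.socket)"
}

# Run the live audit only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--audit" ]; then
    journal_remote_audit
fi
```

Run it on the target as `sh journal-remote-audit.sh --audit`; the exit status (0 or 1) can feed a configuration-management check directly. The verdict function is kept separate from the systemctl calls so the classification logic can be exercised with fixed state strings on a host that does not run systemd.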
Backout Plan:
Using Linux command line:
Disable the systemd-journal-remote service if necessary:
systemctl disable systemd-journal-remote
Stop the service:
systemctl stop systemd-journal-remote
Verify the service status:
systemctl is-enabled systemd-journal-remote
systemctl is-active systemd-journal-remote
References:
CIS Amazon Linux 2 Benchmark v3.0.0
systemd-journal-remote Documentation
Systemd Service Management