← Rules Catalog
mediumloggingverified

Ensure rsyslog is configured to send logs to a remote log host

rsyslog-remote-forwarding · RHEL ≥ 8 · 1 impl

Description

rsyslog must be configured to forward logs to a central/remote log host so that log data survives compromise or loss of the originating system.

Rationale

Local-only logs can be tampered with or destroyed by an attacker who gains control of the host. Forwarding to a remote collector preserves an independent copy for detection and forensics.

Check → Remediate

Checkcommand
if ! rpm -q rsyslog >/dev/null 2>&1; then echo "FAIL: rsyslog not installed"; exit 1; fi
if grep -rhsE '(^[^#]*@@?[A-Za-z0-9._:-]+|action\s*\(\s*type\s*=\s*"omfwd")' \
     /etc/rsyslog.conf /etc/rsyslog.d/ 2>/dev/null | grep -q .; then
  echo "OK: rsyslog remote forwarding configured"; exit 0
fi
echo "FAIL: no remote log forwarding configured in rsyslog"; exit 1
expected_exit:
0
Remediatemanual
note:
Configure forwarding to the approved remote log host (for example an omfwd action or `*.* @@loghost:514`) in /etc/rsyslog.d/, then restart rsyslog.

Framework references

CIS

rhel9 6.2.3.6rhel8 6.2.2.6rhel10 6.2.3.6

NIST 800-53

AU-4(1)AU-9(2)

Live verification

rhel9:check
#rsyslog#logging#remote#forwarding