mediumloggingverified ✓
Ensure rsyslog is configured to send logs to a remote log host
rsyslog-remote-forwarding · RHEL ≥ 8 · 1 impl
Description
rsyslog must be configured to forward logs to a central/remote log host so that log data survives compromise or loss of the originating system.
Rationale
Local-only logs can be tampered with or destroyed by an attacker who gains control of the host. Forwarding to a remote collector preserves an independent copy for detection and forensics.
Check → Remediate
Checkcommand
if ! rpm -q rsyslog >/dev/null 2>&1; then echo "FAIL: rsyslog not installed"; exit 1; fi
if grep -rhsE '(^[^#]*@@?[A-Za-z0-9._:-]+|action\s*\(\s*type\s*=\s*"omfwd")' \
/etc/rsyslog.conf /etc/rsyslog.d/ 2>/dev/null | grep -q .; then
echo "OK: rsyslog remote forwarding configured"; exit 0
fi
echo "FAIL: no remote log forwarding configured in rsyslog"; exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Configure forwarding to the approved remote log host (for example an omfwd action or `*.* @@loghost:514`) in /etc/rsyslog.d/, then restart rsyslog.
Framework references
CIS
rhel9 6.2.3.6rhel8 6.2.2.6rhel10 6.2.3.6
NIST 800-53
AU-4(1)AU-9(2)
Live verification
rhel9:check
#rsyslog#logging#remote#forwarding