Ensure Logs Sent To Remote Host

Classification:

compliance

Framework:

Control:

Description

To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf (or a drop-in file under /etc/rsyslog.d/, which most distributions' default configuration includes) and read and understand the last section of the file, which describes the directives necessary to activate remote logging. Along with those directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting the loghost's address (a hostname or IP address, optionally followed by :port) as appropriate. The choice of protocol depends on the environment of the system: UDP is fire-and-forget and silently loses messages when the server is down or overloaded, whereas TCP and RELP provide more reliable delivery (RELP additionally acknowledges each message and requires the omrelp module on the client and a RELP listener on the server), but they may not be supported in all environments.

To use UDP for log message delivery:

*.* @

To use TCP for log message delivery:

*.* @@

To use RELP for log message delivery:

*.* :omrelp:

The hostname used in the forwarding rule must resolve, for example through a DNS CNAME or alias record pointing at the collector, for logs to be sent correctly to the centralized logging utility.
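As an added check (example code written for this page, not part of the rule, of rsyslog, or of any scanner), the following script lists the forwarding rules found in the given rsyslog configuration files and reports the transport each one uses, so an auditor can confirm that a reliable protocol rather than UDP is in use. It understands the legacy selector syntax shown above as well as single-line RainerScript action(...) statements; the sample configuration and hostnames embedded in the demo are constructed for the example and are not real systems.

```shell
#!/usr/bin/env bash
# Added audit example, not part of the original rule or of rsyslog: list the
# remote-forwarding rules in one or more rsyslog config files and judge whether
# a reliable transport is in use. Understands the legacy selector syntax
# (*.* @host, *.* @@host, *.* :omrelp:host) and single-line RainerScript
# action(type="omfwd"/"omrelp" ...) statements.
set -u

# rsyslog_forwarders FILE...  -> one "TRANSPORT TARGET" line per forwarding rule
rsyslog_forwarders() {
    # drop comments first so a commented-out rule does not count as configured
    sed -e 's/#.*$//' "$@" | awk '
        # legacy syntax: field 1 is the selector (facility.priority), field 2 the action
        NF >= 2 && $1 ~ /\./ && $2 ~ /^@@/ {
            sub(/^@@/, "", $2); sub(/^\([^)]*\)/, "", $2)   # strip @@ and (z9)-style options
            print "tcp", $2; next
        }
        NF >= 2 && $1 ~ /\./ && $2 ~ /^@/ {
            sub(/^@/, "", $2); sub(/^\([^)]*\)/, "", $2)
            print "udp", $2; next
        }
        NF >= 2 && $1 ~ /\./ && $2 ~ /^:omrelp:/ {
            sub(/^:omrelp:/, "", $2)
            print "relp", $2; next
        }
        # RainerScript: omfwd defaults to UDP unless protocol="tcp" is given
        /action\(/ && /type="omfwd"/ {
            proto = "udp"; target = "?"
            if (match($0, /protocol="[^"]*"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, /[Tt]arget="[^"]*"/)) target = substr($0, RSTART + 8, RLENGTH - 9)
            print tolower(proto), target; next
        }
        /action\(/ && /type="omrelp"/ {
            target = "?"
            if (match($0, /[Tt]arget="[^"]*"/)) target = substr($0, RSTART + 8, RLENGTH - 9)
            print "relp", target
        }'
}

# audit_remote_logging FILE...  -> 0 if a TCP or RELP forwarder exists,
#                                  1 if only UDP forwarders exist, 2 if none
audit_remote_logging() {
    local rules
    rules=$(rsyslog_forwarders "$@")
    [ -n "$rules" ] || return 2
    printf '%s\n' "$rules" | grep -Eq '^(tcp|relp) ' && return 0
    return 1
}

# --- constructed demo input; the hostnames are assumptions, not real systems ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/rsyslog.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
# *.* @@old-collector.example.internal      <- commented out, must not count
*.* @loghost-udp.example.internal:514
EOF
cat > "$demo_dir/90-remote.conf" <<'EOF'
action(type="omfwd" target="loghost.example.internal" port="514" protocol="tcp")
EOF

rsyslog_forwarders "$demo_dir/rsyslog.conf" "$demo_dir/90-remote.conf"
# prints:
#   udp loghost-udp.example.internal:514
#   tcp loghost.example.internal
rc=0
audit_remote_logging "$demo_dir/rsyslog.conf" "$demo_dir/90-remote.conf" || rc=$?
case $rc in
    0) echo "PASS: reliable (TCP/RELP) remote log forwarding is configured" ;;
    1) echo "WARN: only UDP forwarding is configured; messages can be lost silently" ;;
    *) echo "FAIL: no remote log forwarding configured" ;;
esac
rm -rf "$demo_dir"
```

On a real host run it as `audit_remote_logging /etc/rsyslog.conf /etc/rsyslog.d/*.conf`; checking only /etc/rsyslog.conf misses forwarders placed in drop-in files, which is where most distributions expect them.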

Rationale

A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect: an attacker with root on the host can alter or delete the local log files, but cannot retract messages that were already delivered to the loghost. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.

Remediation

Shell script

The following script can be run on the host to remediate the issue. It edits only /etc/rsyslog.conf (drop-in files under /etc/rsyslog.d/ are not touched), writes a TCP (@@) forwarding rule, and requires rsyslog_remote_loghost_address to be set to the loghost before it is run; restart rsyslog afterwards (for example with systemctl restart rsyslog) for the change to take effect.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Set this to the central loghost (hostname or IP address, optionally :port) before running.
rsyslog_remote_loghost_address=''

# Abort rather than write a broken "*.* @@" rule if the address was not set.
if [ -z "$rsyslog_remote_loghost_address" ]; then
    >&2 echo 'rsyslog_remote_loghost_address is not set, nothing was done'
    exit 1
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^\*\.\*")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "@@$rsyslog_remote_loghost_address"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\>" "/etc/rsyslog.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^\*\.\*\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
else
    # Make sure the file ends with a newline before appending the new rule.
    if [[ -s "/etc/rsyslog.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/rsyslog.conf" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/rsyslog.conf"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Warning

It is important to configure an action queue when the client forwards log messages to a remote server. Without one, the forwarding action runs on rsyslog's main queue, so when the remote server is unavailable the main queue fills and all log processing on the host stalls, including writes to local files and the processes that call syslog; once the action gives up retrying, messages are discarded. Please consult the rsyslog documentation for more information about the configuration of queues. An example configuration in the legacy directive syntax, which should go into /etc/rsyslog.conf directly before the forwarding rule (these directives apply to the next action), can look like the following lines; $ActionQueueFileName makes the queue disk-assisted and needs a writable $WorkDirectory, and $ActionResumeRetryCount -1 means retry indefinitely:


$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
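The same queue settings in rsyslog's current RainerScript syntax, as an added example written for this page (not part of the rule or of rsyslog's own documentation): each action(...) parameter maps one-to-one onto the legacy directives above, and the script writes the forwarding rule as a drop-in file and runs rsyslog's own validator when it is installed. The loghost name and file names are placeholders, the spool directory is assumed to be the main config's $WorkDirectory (most distributions already set it), and transport is plain TCP.

```shell
#!/usr/bin/env bash
# Added example, not part of the original rule or of rsyslog's own docs: write a
# forwarding action in rsyslog's RainerScript syntax with a disk-assisted action
# queue, the modern equivalent of the legacy $ActionQueue* directives above.
# Assumptions: the loghost name and file names are placeholders, queue files go
# to the main config's $WorkDirectory, and forwarding is over plain TCP.
set -u

# write_forwarder_conf DIR HOST [PORT] -> writes DIR/90-remote-loghost.conf and
# prints its path. Use DIR=/etc/rsyslog.d on a real host.
write_forwarder_conf() {
    local dir=$1 host=$2 port=${3:-514}
    local conf="$dir/90-remote-loghost.conf"
    # queue.filename must be unique per action, so derive it from the host name
    local spool
    spool="fwd_$(printf '%s' "$host" | tr '.' '_')"
    cat > "$conf" <<EOF
# Forward all messages to the central loghost over TCP.
#
# queue.type/queue.filename     make the action queue disk-assisted: messages
#                               spill to \$WorkDirectory when the loghost is
#                               unreachable instead of blocking the main queue
# queue.maxDiskSpace            upper bound on spooled data
# queue.saveOnShutdown          persist the in-memory part of the queue on stop
# action.resumeRetryCount="-1"  retry forever; the default (0) marks the action
#                               failed after one retry and discards messages
action(type="omfwd"
       target="$host" port="$port" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="$spool"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
    printf '%s\n' "$conf"
}

# check_forwarder_conf FILE -> run rsyslog's own config validator when available
check_forwarder_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; skipping validation of $1" >&2
    fi
}

# --- demo: write into a temporary directory rather than /etc/rsyslog.d ---
demo_dir=$(mktemp -d)
conf=$(write_forwarder_conf "$demo_dir" "loghost.example.internal" 514)
cat "$conf"
check_forwarder_conf "$conf" || echo "rsyslogd reported problems in $conf" >&2
rm -rf "$demo_dir"
```

After deploying the file, restart rsyslog and confirm delivery end to end (for example with logger on the client and a look at the collector's logs); with the queue in place, stopping the collector briefly should leave spool files under the work directory rather than a stalled client.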