{"description": "If system logs are to be useful in detecting malicious\nactivities, it is necessary to send logs to a remote server. An\nintruder who has compromised the root account on a system may\ndelete the log entries which indicate that the system was attacked\nbefore they are seen by an administrator.\n<br /><br />\nHowever, it is recommended that logs be stored on the local\nhost in addition to being sent to the loghost, especially if\n<tt>rsyslog</tt> has been configured to use the UDP protocol to send\nmessages over a network. UDP does not guarantee reliable delivery,\nand moderately busy sites will lose log messages occasionally,\nespecially in periods of high traffic which may be the result of an\nattack. In addition, remote <tt>rsyslog</tt> messages are not\nauthenticated in any way by default, so it is easy for an attacker to\nintroduce spurious messages to the central log server. Also, some\nproblems cause loss of network connectivity, which will prevent the\nsending of messages to the central server. For all of these reasons, it is\nbetter to store log messages both centrally and on each host, so\nthat they can be correlated if necessary.", "warnings": [], "requires": [], "conflicts": [], "values": ["rsyslog_remote_loghost_address"], "groups": {}, "rules": ["rsyslog_remote_loghost", "rsyslog_remote_tls", "rsyslog_remote_tls_cacert"], "platform": "", "platforms": [], "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "title": "Rsyslog Logs Sent To Remote Host", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/rsyslog_sending_messages/group.yml"}