{"description": "Ensure that exactly one logging system is active. Running both rsyslog and\nsystemd-journald simultaneously can lead to duplicate logging, resource\ncontention, and configuration conflicts. Running neither service means no\nlogging is occurring, which is also a violation.\n<pre>\nsystemctl is-active rsyslog systemd-journald\n</pre>\nThe command should return exactly one <tt>active</tt> service. Both services\nshould not be active at the same time, and at least one must be active.", "rationale": "Running multiple logging systems concurrently can cause conflicts, resource\ncontention, and inconsistent logging behavior. Systems should use either\nrsyslog or systemd-journald, but not both simultaneously. This ensures\npredictable logging behavior and prevents potential issues with log\nduplication or loss.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "both rsyslog and systemd-journald services are active, or neither service is active", "ocil": "To verify that exactly one logging system is active, run the following command:\n<pre>systemctl is-active rsyslog systemd-journald | grep -cx active</pre>\nThe output should be exactly 1. If the output is 0, no logging is active.\nIf the output is 2, both logging systems are active simultaneously. Both\ncases are findings.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule does not come with a remediation. The choice of logging\nsystem (rsyslog vs systemd-journald) is an architectural decision\nthat should be made based on organizational requirements. Use\nservice_rsyslog_enabled/disabled or service_systemd-journald_enabled\nrules to configure the desired logging system."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure journald and rsyslog Are Not Active Together", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/ensure_journald_and_rsyslog_not_active_together/rule.yml", "template": null}