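# CIS Benchmark - Centralized Logging Configuration
# Implements CIS Debian Benchmark Section 4.2
#
# Legacy-directive rsyslog syntax throughout. Rules run top to bottom in the
# default ruleset, so order matters: a discard or an "& stop" only affects the
# rules that come AFTER it, and every "$..." directive applies to what follows.

# ============================================================================
# Global Directives
# ============================================================================

# Output template for file actions. RSYSLOG_TraditionalFileFormat is the
# classic BSD-style line (coarse timestamp, no year) - it is NOT RFC 5424.
# It is kept for compatibility with tools that parse the traditional format;
# RSYSLOG_FileFormat would give high-precision timestamps with the year.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Ownership and mode for files and directories rsyslog creates: owner root,
# group adm, files 0640 so only root and the adm group can read them.
# These must precede every file action below to take effect on new files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Rate limiting on the local syslog socket (imuxsock) to prevent log
# flooding: at most 500 messages per sender within a 5-second interval.
# NOTE(review): these directives belong to imuxsock, which this file does not
# load - they assume it was loaded earlier (e.g. by the main rsyslog.conf).
# Messages above the burst are dropped, which is a logging gap under flood;
# rsyslog itself logs that it started dropping.
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500

# ============================================================================
# Modules
# ============================================================================

# Kernel messages.
# NOTE(review): if this file is a drop-in under /etc/rsyslog.d/ and the main
# rsyslog.conf already loads imklog, the second $ModLoad is rejected as a
# duplicate - load each module exactly once across the whole configuration.
$ModLoad imklog

# Periodic "-- MARK --" lines so a silent system can be told apart from a
# stalled logger.
$ModLoad immark

# Remote reception (UDP/TCP) is deliberately disabled: this host logs locally
# only. If it is ever enabled, bind the input to a dedicated ruleset
# (e.g. $InputTCPServerBindRuleset) rather than letting remote messages land
# in the default ruleset below.
# $ModLoad imudp
# $ModLoad imtcp

# ============================================================================
# Discard Messages
# ============================================================================

# Discard debug messages. This sits FIRST because a discard only affects the
# rules after it; placed at the end it would never remove anything.
# "stop" replaces the deprecated "~" discard action.
*.=debug stop

# ============================================================================
# Log Destinations (Local Only - Remote Logging Disabled)
# ============================================================================
# The leading "-" on a path requests buffered (no fsync) writes; with
# rsyslog's default $ActionFileEnableSync off it changes nothing and is kept
# only as the conventional spelling.

# Kernel messages
kern.* -/var/log/kern.log

# Authentication logs (CIS 4.2.1)
auth,authpriv.* -/var/log/auth.log

# System mail
mail.* -/var/log/mail.log

# Cron logs
cron.* -/var/log/cron.log

# User messages (info, notice and warning only; debug was discarded above)
*.=info;*.=notice;*.=warn -/var/log/messages

# Emergency messages go to the terminal of every logged-in user
*.emerg :omusrmsg:*

# ============================================================================
# Security-Specific Logging
# ============================================================================
# Each rule writes to its own file and then "& stop"s: the "&" reuses the
# previous rule's filter, and "stop" ends processing for matching messages.
# The general destinations above have already run, so auth.log etc. still
# receive their copy, but these messages never reach the compliance keyword
# rules further down.

# Sudo command logging
if $programname == 'sudo' then -/var/log/sudo.log
& stop

# Audit daemon messages.
# NOTE(review): /var/log/audit/audit.log is normally written and rotated by
# auditd itself; a second writer interleaves records and keeps writing to the
# renamed file after auditd rotates it - confirm this is intended, or point
# this rule at a file that auditd does not own.
if $programname == 'auditd' then -/var/log/audit/audit.log
& stop

# Security events (any program whose name contains "security")
if $programname contains 'security' then -/var/log/security.log
& stop

# Network events (any program whose name contains "network")
if $programname contains 'network' then -/var/log/network.log
& stop

# WireGuard logs
if $programname == 'wg-quick' or $programname == 'wireguard' then -/var/log/wireguard.log
& stop

# Firewall logs
if $programname == 'iptables' then -/var/log/firewall.log
& stop

# ============================================================================
# Compliance Logging (CMMC/FedRAMP Requirements)
# ============================================================================
# These are substring heuristics on the message text, not a complete record:
# they match regardless of source and only see messages that no earlier rule
# stopped (so e.g. sudo and auditd output never appears here).

# All administrative actions (info-level messages mentioning "user")
if $syslogseverity-text == 'info' and $msg contains 'user' then -/var/log/admin.log
& stop

# Failed access attempts
if $msg contains 'failure' or $msg contains 'failed' or $msg contains 'denied' then -/var/log/access.log
& stop

# System changes
if $msg contains 'changed' or $msg contains 'modified' then -/var/log/change.log
& stop

# ============================================================================
# Remote Ruleset
# ============================================================================
# Intentionally none. Remote reception is disabled above, so there is no
# input to bind a separate ruleset to; a "$Ruleset" directive here would
# silently move every rule after it out of the default ruleset. If a remote
# ruleset is added later, bind it explicitly to the input and never use
# ":omusrmsg:*" as its catch-all action - that writes every received message
# to every logged-in user's terminal.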