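# CIS Debian 13 Benchmark - Security Logging Configuration
# Implements CIS recommendations for enhanced security logging
#
# Layout note: in rsyslog's legacy ($-directive) format, $FileCreateMode,
# $DirCreateMode, $Umask, $ActionFileDefaultTemplate and the $ActionQueue*
# settings are "sticky" and apply only to actions defined AFTER them.
# Global settings therefore come first, then templates, then the
# selector/action rules, and the non-default ruleset last (every rule that
# follows a $RuleSet line belongs to that ruleset).

#### Modules ####
# journald -> rsyslog forwarding; local socket logging is left to journald
$ModLoad imjournal
$OmitLocalLogging on
# NOTE(review): "compat" is not a module I can confirm exists in rsyslog;
# validate with a config check (rsyslogd -N1) and drop this line if it fails.
$ModLoad compat

#### Global settings ####
# Keep the full host name so events from different domains stay distinguishable
$PreserveFQDN on
# Spool directory for disk-assisted action queues (must be writable by rsyslog)
$WorkDirectory /var/spool/rsyslog

# Default permissions for log files and directories created by rsyslog.
# These must precede the rules below, otherwise the files are created 0644.
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0027

# Ensure all logs include timestamp and hostname
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Repeated-message reduction is OFF: collapsing identical lines into
# "last message repeated N times" discards the per-event evidence (for
# example each individual failed login) that security review depends on.
$RepeatedMsgReduction off

# Rate limiting to prevent log flooding (imuxsock directives; they only take
# effect if imuxsock is loaded, which is not done in this file)
$SystemLogRateLimitInterval 60
$SystemLogRateLimitBurst 1000

#### Templates ####
# Per-host file for messages received from remote hosts (see ruleset "remote").
# Path below is a constructed example; adjust to site layout.
$template RemoteLogs,"/var/log/security/remote/%HOSTNAME%.log"

#### Rules (default ruleset) ####
# Authentication / authorization events. Failed and successful attempts both
# land here; there is no facility that carries only failures.
auth,authpriv.* /var/log/security/auth.log

# Forward authentication events to the central log host.
# The $ActionQueue* lines must sit directly above the action they protect:
# they give this forwarder a disk-assisted queue so events are retained while
# the log host is unreachable. Plain TCP is used here; a TLS netstream driver
# is preferable for transport protection and log-host authentication.
$ActionQueueType LinkedList
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
auth,authpriv.* @@remoteserver:514

# System logs with security tag
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none /var/log/security/messages

# Kernel messages
kern.* /var/log/security/kern.log

# Security events. As far as I know "security" is a deprecated alias of the
# auth facility in rsyslog, so this file duplicates auth.log content.
security.* /var/log/security/security.log

# NOTE(review): "audit", "login" and "network" are not syslog facilities.
# rsyslog reports an unknown facility name for such selectors and drops the
# rule, so these lines never produced output. auditd writes its own log
# through auditd/audispd; if the audisp syslog plugin is enabled, select the
# facility configured for that plugin here instead of "audit".
#audit.* /var/log/security/audit.log
#login.* /var/log/security/login.log
#network.* /var/log/security/network.log

# Sudo commands. sudo logs to authpriv by default; this rule only receives
# anything if sudoers sets "Defaults syslog=local2".
local2.* /var/log/security/sudo.log

# Failed logins: the former "authpriv.*;auth.*" selector was an exact copy of
# auth.log, so it is dropped; the message filter at the bottom of this file
# populates failed.log instead.

# Application specific logs
mail.* -/var/log/security/mail.log
cron.* /var/log/security/cron.log
daemon.* /var/log/security/daemon.log

# Security alerts. "*.emerg" already covers the highest priority, so the
# former duplicate "*.=emerg" line is removed.
*.alert /var/log/security/alerts.log
*.emerg :omusrmsg:*

# Console logging (requires the /dev/xconsole named pipe to exist; the action
# is suspended otherwise)
*.=crit;*.=err;*.=warning |/dev/xconsole

# Remote logging to security team (if configured)
# *.* @@logserver.domain.tld:514

# Include additional configuration files. Rules in those files inherit the
# global settings above.
$IncludeConfig /etc/rsyslog.d/*.conf

# Keyword-based copies of security-relevant messages.
# "contains" is a case-sensitive substring match: it also catches unrelated
# messages that merely mention the word, and it misses messages that phrase
# the event differently (verify "failed login" against the wording your PAM
# and sshd actually emit). These are copies; the facility-based files above
# remain the authoritative record.
:msg, contains, "security" /var/log/security/security.log
:msg, contains, "failed login" /var/log/security/failed.log
:msg, contains, "sudo" /var/log/security/sudo.log
:msg, contains, "audit" /var/log/security/audit.log

#### Ruleset for messages received from other hosts ####
# Must stay last: every rule after $RuleSet belongs to "remote".
# This ruleset only receives messages once a network input (imtcp/imudp) is
# loaded and bound to it (e.g. $InputTCPServerBindRuleset remote); no listener
# is configured in this file.
$RuleSet remote
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~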