Sun Ray server does not send logs to syslog server.

From Sun Ray 4 STIG

Part of Sun Ray server does not send logs to syslog server

Associated with IA controls: ECAR-3, ECAR-2, ECAR-1

SV-17386r1_rule Sun Ray server does not send logs to syslog server.

Vulnerability discussion

Remote logging is essential in monitoring servers and detecting intrusion. If an intruder is able to obtain root on a host, they may be able to edit the system logs to remove all traces of the attack. If the logs are stored off the machine, they can be analyzed for suspicious activity and used for prosecuting the attacker. Centralized log monitoring and storage is a critical component of incident response and assuring the integrity of system logs.

Check content

On the Sun Ray server, examine the /etc/syslog.conf file. To send all syslog data from the Sun Ray server to a remote syslog host, search for the following line(s) in the /etc/syslog.conf file:

*.* @loghost (name of remote host)
OR
*.debug, info, …@loghost

At a minimum, the following two log files must be configured to send their logs to a remote syslog server:

Log Name     Facility Level   Default Location
messages     user.info        /var/opt/SUNWut/log/messages
admin_log    local1.info      /var/opt/SUNWut/log/admin_log

Verify the loghost referred to in the syslog.conf file is not resolving to the localhost. Check /etc/hosts file to review what the remote host is referring to. If it is not in this file, check the DNS server to determine what it is resolving to. If it is resolving to localhost, this is a finding.
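The check above can be scripted. The following Python is an added example, not part of the STIG: it parses syslog.conf text for @host actions that cover user.info and local1.info, then looks each target up in hosts-file text. The function names, the sample data and the extra test for a loghost alias placed on the server's own hosts entry (the own_hostname parameter) are assumptions made for illustration; the DNS lookup stays a manual follow-up.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
REQUIRED = [("user", "info"), ("local1", "info")]  # messages and admin_log, per the check

def remote_targets(conf_text):
    """Return [(selector_list, host)] for each syslog.conf line whose action is @host."""
    out = []
    for line in conf_text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#") and parts[1].startswith("@"):
            out.append((parts[0].replace(" ", "").split(";"), parts[1][1:]))
    return out

def line_covers(selectors, facility, level):
    """True if the selectors forward facility.level (a 'none' level excludes it)."""
    covered = False
    for sel in selectors:
        facs, _, lvl = sel.rpartition(".")
        if not any(f in ("*", facility) for f in facs.split(",")):
            continue
        if lvl == "none":
            return False
        # A selector at level X also matches every more severe level.
        if lvl == "*" or (lvl in LEVELS and LEVELS.index(lvl) >= LEVELS.index(level)):
            covered = True
    return covered

def resolve_in_hosts(hosts_text, name):
    """Return (address, names_on_line) for name in hosts-file text, else None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0], fields[1:]
    return None

def audit(conf_text, hosts_text, own_hostname):
    """Return finding strings; an empty list means the offline part of the check passes."""
    findings = []
    targets = remote_targets(conf_text)
    for fac, lvl in REQUIRED:
        hosts = [h for sels, h in targets if line_covers(sels, fac, lvl)]
        if not hosts:
            findings.append(f"{fac}.{lvl}: no remote (@host) action")
        for h in hosts:
            hit = resolve_in_hosts(hosts_text, h)
            if hit is None:
                findings.append(f"{fac}.{lvl}: {h} not in hosts file, check DNS")
            elif hit[0].startswith("127.") or hit[0] == "::1" or own_hostname in hit[1]:
                findings.append(f"{fac}.{lvl}: {h} resolves to this server ({hit[0]})")
    return findings

# Constructed sample input (not from a real server); 192.0.2.0/24 is a documentation range.
SAMPLE_CONF = "*.err;kern.notice\t/var/adm/messages\nuser.info\t@loghost\nlocal1.info\t@logsrv1\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 sunray1 loghost\n192.0.2.50 logsrv1\n"
```

Calling audit(SAMPLE_CONF, SAMPLE_HOSTS, "sunray1") reports user.info as a finding because the loghost alias sits on the server's own hosts entry, while local1.info passes.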

Fix text

Configure the Sun Ray server to send its logs to a remote syslog server.
