From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 8 Aug 2022 14:34:34 +0200
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about configuring queues

---
 .../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 4ce56d2e6a5..c73d9ec95a6 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -90,3 +90,20 @@ fixtext: |-
 *.* @@[remoteloggingserver]:[port]"
 srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
+
+warnings:
+ - functionality: |-
+ It is important to configure queues in case the client is sending log
+ messages to a remote server. If queues are not configured, there is a
+ danger that the system will stop functioning in case that the connection
+ to the remote server is not available. Please consult Rsyslog
+ documentation for more information about configuration of queues. The
+ example configuration which should go into /etc/rsyslog.conf
+ can look like the following lines:
+
+        $ActionQueueType LinkedList
+        $ActionQueueFileName somenameforprefix
+        $ActionQueueMaxDiskSpace 1g
+        $ActionQueueSaveOnShutdown on
+        $ActionResumeRetryCount -1
+        
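Review bot: The added warning says the sample lines "should go into /etc/rsyslog.conf" but not where, and for these legacy `$ActionQueue*` and `$ActionResumeRetryCount` directives the position matters: they configure only the next action defined after them, so they protect remote forwarding only when they sit directly above the `*.* @@[remoteloggingserver]:[port]` line that the fixtext context shows (the fixtext block is only partly visible in this hunk). I would reword the sentence to something like `The example configuration, placed in /etc/rsyslog.conf immediately before the forwarding action, can look like the following lines:`. It is also worth one sentence that `$ActionQueueMaxDiskSpace 1g` bounds the spool, so an outage longer than the spool can absorb may still lose messages instead of off-loading them, which matters for a rule whose srg_requirement is about audit records; the value presumably needs sizing per site.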
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Tue, 9 Aug 2022 09:41:00 +0200
Subject: [PATCH 2/3] Apply suggestions from code review

Co-authored-by: Watson Yuuma Sato
---
 .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index c73d9ec95a6..706d3265a08 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -95,14 +95,14 @@ warnings:
 - functionality: |-
 It is important to configure queues in case the client is sending log
 messages to a remote server. If queues are not configured, there is a
- danger that the system will stop functioning in case that the connection
+ the system will stop functioning when the connection
 to the remote server is not available. Please consult Rsyslog
 documentation for more information about configuration of queues. The
 example configuration which should go into /etc/rsyslog.conf
 can look like the following lines:
         $ActionQueueType LinkedList
-        $ActionQueueFileName somenameforprefix
+        $ActionQueueFileName queuefilename
         $ActionQueueMaxDiskSpace 1g
         $ActionQueueSaveOnShutdown on
         $ActionResumeRetryCount -1

From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
From: vojtapolasek 
Date: Tue, 9 Aug 2022 10:55:04 +0200
Subject: [PATCH 3/3] Update
 linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml

Co-authored-by: Watson Yuuma Sato 
---
 .../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 706d3265a08..cce4d5cac1d 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
 warnings:
     - functionality: |-
         It is important to configure queues in case the client is sending log
-        messages to a remote server. If queues are not configured, there is a
+        messages to a remote server. If queues are not configured,
         the system will stop functioning when the connection
         to the remote server is not available. Please consult Rsyslog
         documentation for more information about configuration of queues. The