ColdFusion must be configured to support integration with a third-party Security Information and Event Management (SIEM) to support notifications.

Severity: medium
Group ID: V-279070
Group Title: SRG-APP-000231-AS-000156
Version: APAS-CF-000490
Rule ID: SV-279070r1172833_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion must be capable of integrating with a third-party SIEM solution to provide centralized log collection, event correlation, and real-time alerting. Without integration into a SIEM, audit records generated by ColdFusion may remain isolated on the local system, limiting visibility and hindering the ability of security personnel to detect, investigate, and respond to suspicious activity or system misconfigurations. Timely notifications of security-relevant events are critical for incident response and continuous monitoring. If ColdFusion is not configured to transmit these logs or events to an external monitoring platform, malicious activity may go undetected until after significant damage has occurred. SIEM integration also supports compliance with audit and accountability requirements by ensuring audit data is retained in a secure, tamper-evident location outside the local ColdFusion instance. In the event of system compromise, this external logging provides a reliable forensic trail and helps validate system integrity.

Satisfies: SRG-APP-000231-AS-000156, SRG-APP-000108-AS-000067, SRG-APP-000125-AS-000084, SRG-APP-000126-AS-000085, SRG-APP-000181-AS-000255, SRG-APP-000290-AS-000174, SRG-APP-000358-AS-000064, SRG-APP-000360-AS-000066, SRG-APP-000515-AS-000203, SRG-APP-000795-AS-000130
Check
Verify SIEM.

1. On the host server, for each of the ColdFusion instances installed, verify /etc/rsyslog.d/101-<instance name>.conf exists and contains the following contents:

module(load="imfile" PollingInterval="10")
input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/audit.log" Tag="audit" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/http.log" Tag="http" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/mail.log" Tag="mail" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/monitor.log" Tag="monitor" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/server.log" Tag="server" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/usagedata.log" Tag="usagedata" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/update.log" Tag="update" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/application.log" Tag="application" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/exception.log" Tag="exception" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/reporting.log" Tag="reporting" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/axis2.log" Tag="axis2" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/eventgateway.log" Tag="eventgateway" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/license.log" Tag="license" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/security.log" Tag="security" Facility="<instance name>")
input(type="imfile" File="<CF install path>/<instance name>/logs/webservice.log" Tag="webservice" Facility="<instance name>")

If the file contents do not monitor all logs in <CF install path>/<instance name>/logs, this is a finding.

2. Inspect /etc/rsyslog.conf or the files in /etc/rsyslog.d/. If there is no forwarding action with type="omfwd", the rsyslog destination is not configured to send logs to a valid syslog server and this is a finding.

For additional information, refer to https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/.
Fix
Configure SIEM.

1. Create /etc/rsyslog.d/101-<instance name>.conf for each of the configured ColdFusion instances with these contents, ensuring the final line points to a valid syslog server. Example:

cat > /etc/rsyslog.d/101-cfusion.conf << EOF
module(load="imfile" PollingInterval="10")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-out.log" Tag="coldfusion-out" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/coldfusion-error.log" Tag="coldfusion-error" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/cfpm-audit.log" Tag="cfpm-audit" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/audit.log" Tag="audit" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/http.log" Tag="http" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/mail.log" Tag="mail" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/monitor.log" Tag="monitor" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/server.log" Tag="server" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/usagedata.log" Tag="usagedata" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/update.log" Tag="update" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/application.log" Tag="application" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/exception.log" Tag="exception" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/reporting.log" Tag="reporting" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/axis2.log" Tag="axis2" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/eventgateway.log" Tag="eventgateway" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/license.log" Tag="license" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/security.log" Tag="security" Facility="cfusion")
input(type="imfile" File="/opt/coldfusion2023/cfusion/logs/webservice.log" Tag="webservice" Facility="cfusion")
EOF

2. Add the following to /etc/rsyslog.conf:

*.* action(type="omfwd" target="<remote rsyslog IP address>" port="10514" protocol="tcp")

3. Restart rsyslog to apply changes:

sudo systemctl restart rsyslog
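The following script is an added example, not part of the STIG or of Adobe's or rsyslog's own tooling: it automates steps 1 and 2 of the Check against the drop-in the Fix creates, enumerating the instance's logs directory rather than a fixed list so any log the Fix did not cover is reported. It assumes the 101-<instance name>.conf naming from the page; the constructed sandbox uses Facility="local0" because rsyslog's imfile Facility parameter expects a syslog facility name, and the script matches only the File= paths.

```shell
#!/bin/sh
# Added example, not part of the STIG: automate steps 1 and 2 of the Check.
# check_cf_siem <CF install path> <instance name> [rsyslog.d dir] [rsyslog.conf]
# Returns 0 when every *.log in <CF install path>/<instance name>/logs has an
# imfile input in 101-<instance name>.conf and an omfwd action exists in
# rsyslog.conf or a drop-in; otherwise prints each finding and returns 1.
check_cf_siem() {
    cf_path="$1"; inst="$2"
    rsdir="${3:-/etc/rsyslog.d}"; main_conf="${4:-/etc/rsyslog.conf}"
    conf="$rsdir/101-$inst.conf"; rc=0
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf does not exist"; return 1
    fi
    # Step 1: every log present in the directory must be monitored, so
    # enumerate the directory itself instead of trusting a fixed list.
    for log in "$cf_path/$inst/logs"/*.log; do
        [ -e "$log" ] || continue
        if ! grep -qF "File=\"$log\"" "$conf"; then
            echo "FINDING: no imfile input for $log"; rc=1
        fi
    done
    # Step 2: a forwarding action must exist somewhere in the rsyslog config.
    if ! grep -qsF 'type="omfwd"' "$main_conf" "$rsdir"/*.conf; then
        echo "FINDING: no omfwd forwarding action configured"; rc=1
    fi
    return $rc
}

# Constructed sandbox mimicking the layout the STIG describes. http.log is
# present but deliberately left out of the drop-in so the check has a finding.
# Facility is local0: rsyslog's imfile Facility takes a syslog facility name.
make_sandbox() {
    root=$(mktemp -d); logs="$root/opt/coldfusion2023/cfusion/logs"
    mkdir -p "$logs" "$root/etc/rsyslog.d"
    dropin="$root/etc/rsyslog.d/101-cfusion.conf"
    echo 'module(load="imfile" PollingInterval="10")' > "$dropin"
    for name in coldfusion-out coldfusion-error audit security http; do
        : > "$logs/$name.log"
        if [ "$name" != http ]; then
            echo "input(type=\"imfile\" File=\"$logs/$name.log\" Tag=\"$name\" Facility=\"local0\")" >> "$dropin"
        fi
    done
    echo '*.* action(type="omfwd" target="192.0.2.10" port="10514" protocol="tcp")' > "$root/etc/rsyslog.conf"
    echo "$root"
}

SB=$(make_sandbox)
check_cf_siem "$SB/opt/coldfusion2023" cfusion "$SB/etc/rsyslog.d" "$SB/etc/rsyslog.conf" \
    && echo "PASS: all logs monitored and forwarded" || echo "FAIL: see findings above"
rm -rf "$SB"
```

On a real host, run check_cf_siem with the real install path and instance name and the defaults for the rsyslog paths; a non-zero exit with the printed findings corresponds to a finding under this rule.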