NGINX must off-load audit records to a central log server.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-278396 | SRG-APP-000358 | NGNX-APP-001400 | SV-278396r1172699_rule | 2026-01-07 | 1 |
| Description |
|---|
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000358, SRG-APP-000125, SRG-APP-000515 |
| ℹ️ Check |
|---|
| Determine the path to the NGINX config file(s): `# nginx -qT \| grep "# configuration"` `# configuration file /etc/nginx/nginx.conf:` Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Verify that the "syslog:server=" prefix is included in any log directive: `# cat <path to config>` Find the "error_log" or "access_log" directives and verify the "syslog:server=" prefix is included. If "error_log" or "access_log" exists and does not include "syslog:server=", this is a finding. |
| ✔️ Fix |
|---|
| Determine the path to the NGINX config file(s): `# nginx -qT \| grep "# configuration"` `# configuration file /etc/nginx/nginx.conf:` Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Include the "syslog:server=" prefix in any log directives and configure the optional parameters (facility, tag, severity). The server address can be a domain name, an IP address, or a UNIX-domain socket path. A domain name or IP address can be specified with a port to override the default port, 514. A UNIX-domain socket path can be specified after the "unix:" prefix. After saving the configuration, reload NGINX: `# nginx -s reload` |
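The Check procedure above can be scripted against the full `nginx -qT` dump so that included files are covered too. The following is an added example, not part of the STIG: the function names and the sample configuration are constructed, and it assumes each `access_log`/`error_log` directive is evaluated on its own and written on a single line.

```shell
#!/bin/sh
# Added example: report access_log / error_log directives without "syslog:server=".
# Reads the dump printed by `nginx -qT`, where every file is preceded by a
# "# configuration file <path>:" marker line.

find_local_only_logs() {
    awk '
        # Marker line: remember the file path and restart line numbering.
        /^# configuration file / {
            file = $4; sub(/:$/, "", file); n = 0; next
        }
        {
            n++
            line = $0
            sub(/#.*/, "", line)   # drop comments (naive: also cuts "#" inside quotes)
            if (line ~ /(^|[ \t;{])(access_log|error_log)[ \t]/ &&
                line !~ /syslog:server=/) {
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                printf "%s:%d: %s\n", file, n, line
            }
        }
    '
}

# Constructed sample of `nginx -qT` output (192.0.2.10 is a documentation address).
sample_nginx_T() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
user nginx;
error_log /var/log/nginx/error.log warn;
http {
    access_log syslog:server=192.0.2.10:514,facility=local7,tag=nginx,severity=info combined;
    # access_log /var/log/nginx/old.log;
    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/conf.d/site.conf:
server {
    listen 8080;
    access_log /var/log/nginx/site.log;
    error_log syslog:server=unix:/dev/log,tag=nginx_site;
}
EOF
}

# Demo on the sample; on a host: nginx -qT 2>/dev/null | find_local_only_logs
sample_nginx_T | find_local_only_logs
```

Each output line is `file:line: directive`; any output is a finding under the Check text, including `access_log off;`, which exists without the prefix.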