The Riverbed NetIM must off-load audit records onto a different system or media than the system being audited.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-275482	SRG-APP-000515-NDM-000325	RIIM-DM-000043	SV-275482r1147496_rule	2025-09-29	1

Description
Information stored in one location on a disk may be vulnerable to accidental or incidental deletion or alteration. The ability to off-load those files is a common process used while managing information systems.

ℹ️ Check
Verify auditing is configured to send events to a central log server by using the following command: $ sudo grep -i action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") If auditing is configured to send events to a central log server, this is a finding.

✔️ Fix
Configure "rsyslog.d" service to send NetIM audit logs to central syslog. 1. Add or modify the following line in the "/etc/rsyslog.d" file: $ sudo nano /etc/rsyslog.d/60-netim.conf 2. Add the following text: . action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") 3. Restart rsyslog service. $ sudo service rsyslog restart

✔️ Fix

Configure "rsyslog.d" service to send NetIM audit logs to central syslog. 1. Add or modify the following line in the "/etc/rsyslog.d" file: $ sudo nano /etc/rsyslog.d/60-netim.conf 2. Add the following text: *.* action(type="omfwd" target="<Syslog Server IP > " port="3514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") 3. Restart rsyslog service. $ sudo service rsyslog restart