Xylok Security Suite must use a central log server for auditing records.

Severity: high
Group ID: V-269586
Group Title: SRG-APP-000745
Version: XYLK-20-000291
Rule ID: SV-269586r1155158_rule
Date: 2025-12-04
STIG Version: 1
Description
Integrating a central log server for managing audit records within the Xylok Security Suite enhances security monitoring, incident response, and compliance efforts. By providing centralized logging, real-time analysis, and automated alerting, a central log server allows Xylok to maintain a robust security posture and effectively respond to potential threats, ultimately contributing to the organization's overall security strategy.

Satisfies: SRG-APP-000745, SRG-APP-000115, SRG-APP-000125, SRG-APP-000181, SRG-APP-000358, SRG-APP-000362, SRG-APP-000363, SRG-APP-000364, SRG-APP-000365, SRG-APP-000366, SRG-APP-000367, SRG-APP-000368, SRG-APP-000369, SRG-APP-000370, SRG-APP-000376, SRG-APP-000750, SRG-APP-000755, SRG-APP-000760, SRG-APP-000765, SRG-APP-000770, SRG-APP-000775, SRG-APP-000780, SRG-APP-000785, SRG-APP-000790, SRG-APP-000795, SRG-APP-000800, SRG-APP-000805, SRG-APP-000515
ℹ️ Check
Verify that journald sends logs to rsyslog:

# grep ForwardToSyslog /etc/systemd/journald.conf
ForwardToSyslog=yes

If ForwardToSyslog is commented out or not set to "yes", this is a finding.

Verify that rsyslog is set to receive journald logs:

# grep '\(imuxsock\|imjournal\)' /etc/rsyslog.conf /etc/rsyslog.d/*
module(load="imuxsock") # provides support for local system logging
module(load="imjournal") # provides access to the systemd journal

If either module is not present or disabled, this is a finding.

Verify that rsyslog forwards logs to the central log server:

# grep '[[:space:]]@.*' /etc/rsyslog.conf /etc/rsyslog.d/*
*.* @@yoursiem:1234

If rsyslog is not configured to forward logs to a central SIEM server, this is a finding.
✔️ Fix
Edit /etc/systemd/journald.conf to include at least these lines:

[Journal]
ForwardToSyslog=yes

Edit /etc/rsyslog.conf to include these lines:

module(load="imuxsock") # provides support for local system logging
module(load="imjournal") # provides access to the systemd journal
*.* @@yoursiem:1234

Ensure yoursiem:1234 points to the correct host and port for your network.

Restart journald and rsyslogd:

# systemctl restart rsyslog systemd-journald
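The following script is an added example, not part of the STIG: it automates the three checks above (journald forwarding, rsyslog input modules, remote forwarding target) against config files passed as arguments, and runs them over constructed sample files rather than the real /etc paths. The sample file contents and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: checks the three conditions from the
# Check section against given config files. Unlike the STIG's plain grep, it
# ignores commented-out lines, which would otherwise mask a finding.

# journald: an uncommented ForwardToSyslog=yes line must be present.
check_journald_forward() {
    grep -Eq '^[[:space:]]*ForwardToSyslog[[:space:]]*=[[:space:]]*yes' "$1"
}

# rsyslog: both imuxsock and imjournal must be loaded, not commented out.
check_rsyslog_modules() {
    grep -Eqh '^[[:space:]]*module\(load="imuxsock"\)' "$@" &&
        grep -Eqh '^[[:space:]]*module\(load="imjournal"\)' "$@"
}

# rsyslog: an uncommented legacy forwarding action such as "*.* @@host:port"
# (@ forwards over UDP, @@ over TCP), matching what the STIG's grep looks for.
check_rsyslog_forward() {
    grep -Eqh '^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+@@?[^[:space:]]+' "$@"
}

# First argument: journald.conf; remaining arguments: rsyslog config files.
# Returns 0 when all checks pass, 1 when any check is a finding.
audit_log_forwarding() {
    journald_conf=$1; shift
    rc=0
    check_journald_forward "$journald_conf" || { echo "FINDING: ForwardToSyslog is not yes"; rc=1; }
    check_rsyslog_modules "$@" || { echo "FINDING: imuxsock/imjournal not both loaded"; rc=1; }
    check_rsyslog_forward "$@" || { echo "FINDING: no remote log server configured"; rc=1; }
    return $rc
}

# Constructed sample configs (hypothetical, not real system files).
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
printf '[Journal]\n#ForwardToSyslog=no\nForwardToSyslog=yes\n' > "$tmpd/journald.conf"
printf 'module(load="imuxsock")\nmodule(load="imjournal")\n*.* @@yoursiem:1234\n' > "$tmpd/good.conf"
printf '#module(load="imuxsock")\nmodule(load="imjournal")\n#*.* @@yoursiem:1234\n' > "$tmpd/bad.conf"

if audit_log_forwarding "$tmpd/journald.conf" "$tmpd/good.conf"; then echo "good.conf: PASS"; fi
if ! audit_log_forwarding "$tmpd/journald.conf" "$tmpd/bad.conf"; then echo "bad.conf: findings reported"; fi
```

On a real host, pass /etc/systemd/journald.conf followed by /etc/rsyslog.conf and /etc/rsyslog.d/* instead of the sample files.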