
Forward logs to a centralized logging server for monitoring and alerting.

389-LM-003 - severity: medium

Field         Value
Control ID    389-LM-003
Severity      medium
Type          detective
Owner         IT Operations
Status        authored
NIST 800-53   AU-4, AU-6
DISA SRG      SRG-APP-000358

Rationale

Log files kept only on the directory server host are a single point of failure for the audit record: an attacker who has gained root can truncate or delete them before responders arrive, and a disk failure destroys them outright. Forwarding the access, errors, and audit logs in near real time to an external, append-only collector puts every line already shipped beyond the attacker's reach; the residual exposure is the short window between an event and its arrival at the collector, plus anything the attacker prevents the forwarder from sending afterwards, which is why the collector should also alert on a source that goes quiet. Central aggregation further enables cross-source correlation, such as tracing lateral movement that spans the directory server, firewalls, and application logs in ways that siloed local files cannot. This satisfies NIST SP 800-53 AU-4 (audit log storage capacity) and AU-6 (audit record review, analysis, and reporting) by placing the logs under the capacity, retention, and alerting infrastructure of the central SIEM.

Check

Confirm an rsyslog (or equivalent) rule is shipping the directory server logs to a central collector, that the configuration parses, and that rsyslog is running. A matching drop-in proves only that forwarding is configured; confirm on the collector that access, errors, and audit events from this host are actually arriving.

grep -r dirsrv /etc/rsyslog.d/ 2>/dev/null
rsyslogd -N1 && systemctl is-active rsyslog

Remediation

Configure rsyslog to tail the three directory server log files and forward only those lines to the central collector, then validate the configuration before restarting.

cat >/etc/rsyslog.d/389ds.conf <<'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-<instance>/access" Tag="389ds-access")
input(type="imfile" File="/var/log/dirsrv/slapd-<instance>/errors" Tag="389ds-errors")
input(type="imfile" File="/var/log/dirsrv/slapd-<instance>/audit" Tag="389ds-audit")
# Forward only the lines tailed above; a bare "*.* @@host" would ship every syslog message on the host
if $syslogtag startswith "389ds-" then @@<central_collector>:514
EOF
rsyslogd -N1 && systemctl restart rsyslog

References

Implementation Notes

This control is an OS-level configuration; there are no dsconf attributes to set. The rsyslog imfile module tails flat log files and re-emits each line as a syslog message; it is the standard approach on Red Hat/Fedora-lineage systems where 389DS runs. Replace <instance> with the directory server instance name and <central_collector> with the FQDN or IP of your SIEM or syslog receiver. Scope the forwarding action to the 389DS messages (by tag, or by binding the imfile inputs to their own ruleset); a bare *.* forward rule ships every syslog message on the host, not just the directory server's. The illustrated rule uses plain TCP syslog (@@); for production use, wrap the transport in TLS (rsyslog's omfwd with StreamDriver gtls or ossl, StreamDriverMode 1, and an x509 StreamDriverAuthMode so the collector's certificate is verified) to prevent interception or spoofing in transit, and give the action a disk-assisted queue so lines are buffered rather than dropped while the collector is unreachable. rsyslog must be able to read the log directory; on RHEL it runs as root by default, but if it is configured to drop privileges, grant the syslog user read access to /var/log/dirsrv/slapd-<instance>/. The expected log file names are access, errors, and audit under that directory; verify them on your deployment. When the audit log is not yet enabled, forward it once 389-LM-001 is applied. Ensure the central collector has sufficient capacity and retention to satisfy the policy defined in 389-LM-002.
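The check above only proves that a rule exists, and the notes describe two ways a rule can be present yet weak. The script below is an added example, not part of this control or of the 389DS or rsyslog projects: it inspects an rsyslog drop-in directory for the three imfile inputs and a forwarding action, and fails on a catch-all *.* forward or a plaintext transport. The instance name example, the collector siem.example.net, the CA file /etc/pki/rsyslog/ca.pem, and the two sample drop-ins it constructs (the page's plain configuration beside a hardened one) are assumptions; it runs offline with no rsyslog installed.

```shell
#!/bin/sh
# Added example for control 389-LM-003; not from the control text or from 389DS/rsyslog.
# Checks an rsyslog drop-in directory for the three 389DS inputs and a forwarding
# action, and flags the two weaknesses the notes warn about: a catch-all "*.*"
# forward that ships every syslog message on the host, and plaintext transport.
# The instance name "example", the collector "siem.example.net" and the CA path
# /etc/pki/rsyslog/ca.pem are assumed values, not taken from the page.

# check_389ds_forwarding DIR: return 0 when DIR holds a drop-in that tails the
# access, errors and audit logs and forwards them over TLS with peer
# verification; otherwise print each finding to stderr and return 1.
check_389ds_forwarding() {
    local dir rc f
    dir=$1
    rc=0
    for f in access errors audit; do
        grep -qsE "type=\"imfile\".*File=\"/var/log/dirsrv/slapd-[^/\"]+/$f\"" "$dir"/*.conf \
            || { echo "no imfile input for the $f log" >&2; rc=1; }
    done
    # A forwarding action: omfwd in RainerScript or a legacy @@host target.
    grep -qsE 'type="omfwd"|@@' "$dir"/*.conf \
        || { echo "no forwarding action found" >&2; rc=1; }
    # A "*.* @host" selector forwards everything rsyslog sees, not just 389DS.
    grep -qsE '^[[:space:]]*\*\.\*[[:space:]]+@' "$dir"/*.conf \
        && { echo "catch-all *.* forward rule ships every syslog message" >&2; rc=1; }
    # TLS transport and certificate verification of the collector.
    grep -qsE 'StreamDriver="(gtls|ossl)"' "$dir"/*.conf \
        || { echo "forwarding is not wrapped in TLS" >&2; rc=1; }
    grep -qsE 'StreamDriverAuthMode="x509/(name|certvalid)"' "$dir"/*.conf \
        || { echo "collector certificate is not verified" >&2; rc=1; }
    return $rc
}

# Constructed sample: the page's plain configuration with the placeholders filled in.
write_weak_conf() {
    cat >"$1/389ds.conf" <<'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-example/access" Tag="389ds-access")
input(type="imfile" File="/var/log/dirsrv/slapd-example/errors" Tag="389ds-errors")
input(type="imfile" File="/var/log/dirsrv/slapd-example/audit" Tag="389ds-audit")
*.* @@siem.example.net:514
EOF
}

# Constructed sample: the hardened form. The inputs are bound to their own
# ruleset so only 389DS lines leave the host, the action uses TLS with x509
# name checking of the collector, and a disk-assisted queue buffers lines
# while the collector is unreachable instead of dropping them.
write_hardened_conf() {
    cat >"$1/389ds.conf" <<'EOF'
global(DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem")
module(load="imfile")
input(type="imfile" File="/var/log/dirsrv/slapd-example/access" Tag="389ds-access" ruleset="ds389")
input(type="imfile" File="/var/log/dirsrv/slapd-example/errors" Tag="389ds-errors" ruleset="ds389")
input(type="imfile" File="/var/log/dirsrv/slapd-example/audit" Tag="389ds-audit" ruleset="ds389")
ruleset(name="ds389") {
    action(type="omfwd" target="siem.example.net" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="siem.example.net"
           queue.type="LinkedList" queue.filename="ds389fwd" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
EOF
}

# Demonstration on two constructed drop-in directories (no rsyslog needed).
demo=$(mktemp -d)
mkdir -p "$demo/weak" "$demo/hardened"
write_weak_conf "$demo/weak"
write_hardened_conf "$demo/hardened"
for d in weak hardened; do
    if check_389ds_forwarding "$demo/$d"; then echo "$d: PASS"; else echo "$d: FAIL"; fi
done
rm -rf "$demo"
```

Run it against the live system with check_389ds_forwarding /etc/rsyslog.d. The drop-in written by write_hardened_conf is also the shape to give 389ds.conf once a collector endpoint and CA are in place, with the port and StreamDriverPermittedPeers set to the collector's actual listener and certificate name; it still only proves configuration, so pair it with a receipt check on the collector.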