SA audit: how to check if syslog or rsyslog active

Hi,

A client unix environment needs to ensure that either syslog or rsyslog is active.

SA Audit can be used to check their respective log file or running service - but this means 2 different audit policies. Since either one runs, one will be compliant and one will be non-compliant.

Question:
Any best practice on checking if either syslog or rsyslog is active, and showing compliance if either one is active?

Any suggestion or input welcomed.

Thank you.

sweeaun.lim@microfocus.com

ITOM PreSales, Singapore

  • Verified Answer

    Create your own custom script rule and run some shell script checking the exit code - if neither passes, you get a return code of 1.
    I'm assuming here that each has its own configuration file.  I'm guessing, the files are not important, only how it's accomplished.

    test -f /etc/sysconfig/rsyslog || test -f /etc/sysconfig/syslog

    The success criteria for this script is exit code 0.
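The custom script rule approach from the answer above can also test the running daemon instead of a configuration file. This is an added example, not part of the original thread; it assumes the daemon process names are `syslogd` and `rsyslogd`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: one audit rule that passes when EITHER logging daemon runs.
# Assumption: the daemons appear in the process table as "syslogd" / "rsyslogd".
DAEMONS="syslogd rsyslogd"

# Reads process names from stdin, one per line (the format of `ps -e -o comm=`).
# Prints the first matching daemon name and returns 0; returns 1 if none match.
match_log_daemon() {
    # `read` with default IFS trims the padding some ps versions add.
    while read -r comm || [ -n "$comm" ]; do
        # Some platforms report the full path in comm; keep the basename only.
        comm=${comm##*/}
        for d in $DAEMONS; do
            # Exact comparison, so "rsyslogd-helper" does not count as a match.
            if [ "$comm" = "$d" ]; then
                printf '%s\n' "$d"
                return 0
            fi
        done
    done
    return 1
}

# Runs the check against the live process table and reports the result.
# Exit status 0 = compliant, 1 = non-compliant.
check_log_daemon() {
    if found=$(ps -e -o comm= | match_log_daemon); then
        echo "COMPLIANT: $found is running"
        return 0
    fi
    echo "NON-COMPLIANT: neither syslogd nor rsyslogd is running"
    return 1
}
```

Call `check_log_daemon` as the last line of the script rule so its exit status becomes the rule result, with exit code 0 as the success criterion.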