NGINX must off-load audit records to a central log server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-278396 | NGNX-APP-001400 | SV-278396r1172699_rule | CCI-001851 | high |
| Description |
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000358, SRG-APP-000125, SRG-APP-000515 |
| STIG | Date |
| F5 NGINX Security Technical Implementation Guide | 2026-01-07 |
Details
Check Text (C-278396r1172699_chk)
Determine the path to NGINX config file(s):
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Verify that the "syslog:server=" prefix is included in any log directive:
# cat <path to config>
Find the "error_log" or "access_log" directives and verify the "syslog:server=" prefix is included.
If "error_log" or "access_log" exists and does not include "syslog:server=", this is a finding.
Fix Text (F-82835r1172698_fix)
Determine the path to NGINX config file(s):
# nginx -qT | grep "# configuration"
# configuration file /etc/nginx/nginx.conf:
Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.
Include the "syslog:server=" prefix in any log directives, followed by the server address, which can be a domain name, an IP address, or a UNIX-domain socket path. A domain name or IP address can be specified with a port to override the default port, 514. A UNIX-domain socket path can be specified after the "unix:" prefix. Configure the optional parameters (facility, tag, severity).
After saving the configuration, reload NGINX:
# nginx -s reload
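The check text above, automated as an added example (not part of the STIG or of NGINX): a shell function that reads "nginx -qT" output and reports every "error_log" or "access_log" directive that lacks "syslog:server=". The function names, the sample configuration and the address 192.0.2.10 are constructed for illustration, and the function assumes each log directive starts its own line.

```shell
#!/bin/sh
# Added example: list error_log/access_log directives lacking "syslog:server=".
# Usage on a host:  nginx -qT | check_log_offload

check_log_offload() {
    # Reads configuration text on stdin. Prints "file:line: directive" for each
    # finding and returns 1 if there is at least one, 0 otherwise.
    # Assumption: each log directive starts its own line.
    awk '
        # "nginx -T" prints this header before the contents of each file.
        /^# configuration file / { file = $4; sub(/:$/, "", file); n = 0; next }
        { n++ }
        /^[ \t]*#/ { next }    # commented-out directives do not count
        /^[ \t]*(error_log|access_log)[ \t]/ {
            if (index($0, "syslog:server=") == 0) {
                line = $0; sub(/^[ \t]+/, "", line)
                printf "%s:%d: %s\n", file, n, line
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in "nginx -qT" form (192.0.2.10 is a documentation address).
sample_config() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
error_log /var/log/nginx/error.log warn;
http {
    # access_log /var/log/nginx/old.log;
    access_log syslog:server=192.0.2.10:514,facility=local7,tag=nginx,severity=info combined;
    server {
        access_log /var/log/nginx/site.log;
        error_log syslog:server=unix:/var/log/nginx.sock info;
    }
}
EOF
}

# Lines 1 and 6 of the sample are findings; the two syslog directives pass.
sample_config | check_log_offload || echo "finding(s) listed above"
```

Because the function follows the check text literally, a line such as "access_log off;" is also reported and needs manual review.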