Ensure journald and rsyslog Are Not Active Together

Description

Ensure that exactly one logging system is active. Running both rsyslog and systemd-journald simultaneously can lead to duplicate logging, resource contention, and configuration conflicts. Running neither service means no logging is occurring, which is also a violation.

systemctl is-active rsyslog systemd-journald

The command prints the state of each unit on its own line, in the order given. Exactly one of the two lines should read "active": both services must not be active at the same time, and at least one must be active.
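An added example (not part of the Datadog rule or its content) that turns the check above into a pass/fail audit. The function names, the "PASS"/"FAIL" wording and the fallback state "unknown" are assumptions for this illustration; note that systemctl is-active exits 0 when at least one listed unit is active, so its exit status alone cannot tell "one active" from "both active" and the printed states must be inspected instead.

```shell
#!/bin/sh
# Added example: evaluate the "exactly one logging system active" condition
# from the two lines printed by
#   systemctl is-active rsyslog systemd-journald

# check_logging_state <rsyslog_state> <journald_state>
# Prints a verdict and returns 0 on PASS, 1 on FAIL. Any state other than
# "active" (inactive, failed, activating, ...) counts as not active.
check_logging_state() {
    rsyslog_state=$1
    journald_state=$2
    active=0
    [ "$rsyslog_state" = "active" ] && active=$((active + 1))
    [ "$journald_state" = "active" ] && active=$((active + 1))
    case $active in
        1) echo "PASS: exactly one logging service is active"; return 0 ;;
        0) echo "FAIL: no logging service is active, logs are not being collected"; return 1 ;;
        *) echo "FAIL: rsyslog and systemd-journald are both active"; return 1 ;;
    esac
}

# Live audit: capture the per-unit states (one per line, in the order the
# units were named) and feed them to the checker. The `|| true` keeps a
# non-zero exit from systemctl from aborting a script run under `set -e`.
audit_logging() {
    states=$(systemctl is-active rsyslog systemd-journald 2>/dev/null || true)
    set -- $states
    check_logging_state "${1:-unknown}" "${2:-unknown}"
}
```

Run audit_logging on the host being assessed; a non-zero return means the rule is violated, and the message says which way.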

Rationale

Running multiple logging systems concurrently can cause conflicts, resource contention, and inconsistent logging behavior. Systems should use either rsyslog or systemd-journald, but not both simultaneously. This ensures predictable logging behavior and prevents potential issues with log duplication or loss.

Warning

This rule does not come with a remediation. The choice of logging system (rsyslog vs systemd-journald) is an architectural decision that should be made based on organizational requirements. Use service_rsyslog_enabled/disabled or service_systemd-journald_enabled rules to configure the desired logging system.