ComplianceAsCode · jan-cerny · Nov 12, 2025 · Oct 29, 2025 · Oct 31, 2025 · Oct 31, 2025
diff --git a/...x_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/...x_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
@@ -10,7 +10,7 @@
   </definition>
 
 {{% set rsyslog_remote_loghost_old_regex="^\*\.\*[\s]+(?:@|\:omrelp\:)" %}}
-{{% set rsyslog_remote_loghost_rainer_regex="(?m)^\\s*\\*\\.\\*\\s+action\\(\\s*.*(?i)\\btype\\b(?-i)=\"omfwd\"\\s*.*(?i)\\btarget\\b(?-i)=\"\\S+\"\\s*.*\\)\\s*$" %}}
+{{% set rsyslog_remote_loghost_rainer_regex="(?ms)^\\s*\\*\\.\\*\\s+action\\(\\s*.*(?i)\\btype\\b(?-i)=\"omfwd\"\\s*.*(?i)\\btarget\\b(?-i)=\"\\S+\"\\s*.*\\)\\s*$" %}}
 
   <!-- NIST scapval validation tool complains that a variable passed to
   rsyslog_remote_loghost OVAL check from the XCCDF Rule doesn't have

diff --git a/...og_sending_messages/rsyslog_remote_loghost/tests/remote_configured_rainer_newline.pass.sh b/...og_sending_messages/rsyslog_remote_loghost/tests/remote_configured_rainer_newline.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = rsyslog
+
+CONF_FILE="/etc/rsyslog.conf"
+LOGHOST_LINE=$'*.* action(type="omfwd"\nqueue.type="linkedlist"\nqueue.filename="example_fwd"\naction.resumeRetryCount="-1"\nqueue.saveOnShutdown="on"\ntarget="192.168.122.1"\nport="30514"\nprotocol="tcp")'
+
+if grep -q "^\*\.\*" "$CONF_FILE"; then
+	sed -i "s|^\*\.\*.*|$LOGHOST_LINE|" "$CONF_FILE"
+else
+	echo "$LOGHOST_LINE" >> "$CONF_FILE"
+fi