On Wednesday, May 10, 2023 11:51:04 AM EDT kathy lyons wrote:
Great - so I don't need the line below in my rsyslog.conf file?
audit.* ~/var/log/audit/audit.log
No that's not needed. The whole problem is caused by journald. It connects to
a best effort multicast socket to get audit events. It then writes them to
rsyslog in addition to the journal. Meanwhile, auditd connects to the real
netlink interface and grabs events from the kernel and writes them to disk
itself. No one needs 3 separate audit logs.
After masking journald's audit socket, all you need to do is have the audit
daemon enabled. Then everything should work out. And you should find that
audit events written by auditd have slightly better information.
-Steve
On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > Good morning. I am trying to get the audit logs to be written only to
> > audit.log. Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> > module(load="imfile")
> > module(load="imklog")
> > module(load="imjournal")
> >
> > global(net.enableDNS="off"
> >        workDirectory="/var/spool/rsyslog"
> >        maxMessageSize="128k")
> >
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > ##################### rules
> >
> > audit.* ~/var/log/audit/audit.log
> > auth.warning;authpriv.info ~/var/log/auth.log
> > *.*;auth,authpriv.none ~/var/log/syslog
> > cron.info ~/var/log/cron.log
> > daemon.info ~/var/log/daemon.log
> > kern.* ~/var/log/kern.log
> > user.info ~/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can
> stop this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve
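An added example (not from this thread or from the audit project) that shows the duplication Steve describes and gives a way to confirm the fix: auditd's records in audit.log carry `msg=audit(<epoch>:<serial>)`, and journald stores the same kernel serial in the `_AUDIT_ID` field of entries it got over its audit socket (visible with `journalctl -o json`), so correlating on the serial lists each event that was logged twice. All log and journal lines below are constructed samples; after `systemd-journald-audit.socket` is masked, the journal side should simply contain no `_AUDIT_ID` entries.

```python
import json
import re

# Constructed sample of /var/log/audit/audit.log as written by auditd.
# Serial 303 is deliberately absent from the journal sample: journald's
# multicast socket is best effort and may not see every event.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1683726664.115:301): arch=c000003e syscall=59 success=yes exit=0 comm="sshd" key="exec"
type=USER_LOGIN msg=audit(1683726670.220:302): pid=1200 uid=0 auid=1000 ses=3 msg='op=login id=1000 res=success'
type=SERVICE_START msg=audit(1683726671.001:303): pid=1 uid=0 msg='unit=cron comm="systemd" res=success'
"""

# Constructed `journalctl -o json` output (one object per line) taken BEFORE
# the socket was masked: journald captured the same kernel events and keeps
# their serial in _AUDIT_ID, then forwards them on to rsyslog as well.
JOURNAL_BEFORE = """\
{"SYSLOG_IDENTIFIER":"audit","_AUDIT_TYPE":"1300","_AUDIT_ID":"301","MESSAGE":"SYSCALL arch=c000003e syscall=59 success=yes exit=0"}
{"SYSLOG_IDENTIFIER":"audit","_AUDIT_TYPE":"1112","_AUDIT_ID":"302","MESSAGE":"USER_LOGIN pid=1200 uid=0 auid=1000 ses=3"}
{"SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Started cron.service."}
"""

# Constructed journal AFTER masking systemd-journald-audit.socket: only
# ordinary entries remain, none with _AUDIT_ID.
JOURNAL_AFTER = """\
{"SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Started cron.service."}
"""

AUDIT_RECORD = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")

def auditd_serials(audit_log):
    """Map serial -> record type for every record auditd wrote to audit.log."""
    found = {}
    for line in audit_log.splitlines():
        m = AUDIT_RECORD.match(line)
        if m:
            found[m.group(2)] = m.group(1)
    return found

def journald_serials(journal_json):
    """Serials of kernel audit events journald captured over its audit socket."""
    serials = set()
    for line in journal_json.splitlines():
        if line.strip():
            rec = json.loads(line)
            if "_AUDIT_ID" in rec:          # only audit entries carry this field
                serials.add(rec["_AUDIT_ID"])
    return serials

def duplicated_events(audit_log, journal_json):
    """Sorted (serial, type) pairs that both auditd and journald recorded."""
    by_auditd = auditd_serials(audit_log)
    both = by_auditd.keys() & journald_serials(journal_json)
    return sorted(((s, by_auditd[s]) for s in both), key=lambda p: int(p[0]))

if __name__ == "__main__":
    print("before:", duplicated_events(AUDIT_LOG, JOURNAL_BEFORE))
    print("after: ", duplicated_events(AUDIT_LOG, JOURNAL_AFTER))
```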