Re: Audit not taking rules
On Wednesday 02 July 2008 18:44:49 Bo wrote:
I have RHEL 4 install (update 5).
[root@master ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
There was an error in line 26 of /etc/audit.rules
What is in line 26 of the rules?
Can anyone point me to a solution?
audit version 1.0.15
kernel 2.6.22.5
This is not a RHEL4 kernel. You need to use RHEL4's kernel with the RHEL4 user
space audit tools. This is undoubtedly the problem. The audit system evolved
over time and some things were deprecated and some things were added. The
user space tools hide this as long as you use the right ones.
-Steve