I am trying to log only to a remote machine so I have set:

write_logs = no

in my auditd.conf. Unfortunately, when I restart auditd it does not appear

to respect my configuration choice.

When I run it with 'auditd -f' to keep it in the foreground, it does not write the file and i see :

write_logs_parser called with: no

in the output.

Looking at the source, I see:

        if (opt_foreground) {
                config.daemonize = D_FOREGROUND;
                set_aumessage_mode(MSG_STDERR, DBG_YES);
        } else {
                config.daemonize = D_BACKGROUND;
                set_aumessage_mode(MSG_SYSLOG, DBG_NO);
                (void) umask( umask( 077 ) | 022 );
        }

It seems I cannot get messages logged with LOG_DEBUG without running in foreground mode (in which case the bug does not appear to be triggered) or recompiling auditd.

I have included the output of auditd -f and also my auditd.conf.