Steve,
Once again...Thank you very much. I did not realize that audit.rules had been
placed in a new location. I moved audit.rules to /etc/audit, restarted auditd
and everything looks like it works fine.
Much thanks again!
Bob
Steve Grubb wrote:
On Friday 31 August 2007 13:35:22 Robert Evans wrote:
> Hmmm....tried auditctl -l and just got
>
> No rules
OK, that's a start.
> Since I have /etc/audit.rules in place, does that indicate the syscall
> auditing part of the kernel is compiled in?
Well, that file is for user space. But on RHEL5, that file's location has
changed. So maybe that is your problem? It should be:
/etc/audit/audit.rules
But, you can load the rules where they are by hand:
auditctl -R /etc/audit.rules
to make sure it's working. See if that doesn't fix your problem.
-Steve