Hi,
I am attempting to run auditd in CentOS 7 inside an LXC container.
Here is the log I get when I run auditd -f:
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4 format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)