Hi,

 

I am attempting to run auditd in centos7 inside a lxc container.

 

Here is the log I get when I run auditd –f

 

onfig file /etc/audit/auditd.conf opened for parsing

log_file_parser called with: /var/log/audit.log

log_format_parser called with: RAW

log_group_parser called with: root

priority_boost_parser called with: 4

flush_parser called with: INCREMENTAL

freq_parser called with: 20

num_logs_parser called with: 5

qos_parser called with: lossy

dispatch_parser called with: /usr/sbin/audispd

name_format_parser called with: NONE

max_log_size_parser called with: 6

max_log_size_action_parser called with: ROTATE

space_left_parser called with: 75

space_action_parser called with: SYSLOG

action_mail_acct_parser called with: root

admin_space_left_parser called with: 50

admin_space_left_action_parser called with: SUSPEND

disk_full_action_parser called with: SUSPEND

disk_error_action_parser called with: SUSPEND

tcp_listen_queue_parser called with: 5

tcp_max_per_addr_parser called with: 1

tcp_client_max_idle_parser called with: 0

enable_krb5_parser called with: no

GSSAPI support is not enabled, ignoring value at line 30

krb5_principal_parser called with: auditd

GSSAPI support is not enabled, ignoring value at line 31

Started dispatcher: /usr/sbin/audispd pid: 3028

type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4 format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success

config_manager init complete

Error sending status request (Connection refused)

Error sending enable request (Connection refused)

type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=failed

Unable to set initial audit startup state to 'enable', exiting

The audit daemon is exiting.

Error setting audit daemon pid (Connection refused)