Thanks you so much for the quick response. I just want to send out this email. Because I use auditd -f to find out it was still the permission issue of audit.log.

What I wanted to do is let someone else able to read the audit.log other than root. Should I change the log_group setting ? It seems audit.log permission is 0600. Only root can read it.

On Fri, Aug 16, 2013 at 11:43 AM, Steve Grubb <sgrubb@redhat.com> wrote:

On Friday, August 16, 2013 11:38:32 AM zhu xiuming wrote:
> HI
> Suddently, my auditd can't start. I do not know why.
> I remember I changed some permission settings on /var/log/audit. However,
> even I change it back, the auditd cann't be started.
>
> I looked at the audit.log. It only shows the daemon is closed successfully
>
> I wonder whether there is other log file I should look.

Its writes failure messages to /var/log/messages. I sometimes troubleshoot
issues by starting the daemon by hand in the foreground mode so that
everything is written to the screen. /sbin/auditd -f

-Steve