Great - so I don't need the line below in my rsyslog.conf file?

                 audit.*               ~/var/log/audit/audit.log

On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb@redhat.com> wrote:
On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
>  Good morning.  I am trying to get the audit logs to be written only to
> audit.log.  Currently they are written to audit.log as well as syslog.
> Here is my rsyslog.conf file - what am I doing wrong?
>
>     module(load="imfile")
>     module(load="imklog")
>     module(load="imjournal")
>
>     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> maxMessageSize="128k")
>
>    $IncludeConfig /etc/rsyslog.d/*.conf
>    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
>   ##################### rules
>     audit.*                                 ~/var/log/audit/audit.log
>     auth.warning;authpriv.info   ~/var/log/auth.log
>     *.*;auth,authpriv.none           ~/var/log/syslog
>     cron.info                               ~/var/log/cron.log
>     daemon.info                        ~/var/log/daemon.log
>     kern.*                                  ~/var/log/kern.log
>     user.info                             ~/var/log/user.log

The thing that is writing them to rsyslog is systemd-journald. You can stop
this by running:

systemctl mask systemd-journald-audit.socket
systemctl stop systemd-journald-audit.socket

Then you will only have logs written to the audit log.

-Steve
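
One way to confirm the result of the change described above, as an added example that is not part of the original thread: record the syslog line count before masking the socket, then count audit-tagged lines written after that mark. The function names, the sample lines and the assumed tag layout (`audit[pid]:` from journald, `kernel: audit:` from the kernel) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that audit records stop reaching syslog.
UNIT=systemd-journald-audit.socket   # unit named in the reply above

# Print "enabled-state/active-state" for the unit, or "unknown" without systemd.
# After the mask and stop commands this is expected to read "masked/inactive".
audit_socket_state() {
    command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
    echo "$(systemctl is-enabled "$UNIT" 2>/dev/null)/$(systemctl is-active "$UNIT" 2>/dev/null)"
}

# Line count of a log file; record it just before running the mask/stop commands.
syslog_mark() { awk 'END { print NR }' "$1"; }

# Count audit-tagged lines after line number $2 (default 0) in syslog file $1.
# Assumes RSYSLOG_TraditionalFileFormat: month day time host tag message.
count_audit_lines() {
    awk -v mark="${2:-0}" '
        NR > mark && ($5 ~ /^audit(\[[0-9]+\])?:$/ ||
                      ($5 == "kernel:" && $6 == "audit:")) { n++ }
        END { print n + 0 }' "$1"
}

# Constructed sample lines (not taken from the thread) for trying the counter.
sample_syslog() {
    cat <<'EOF'
May 10 09:40:01 host1 CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
May 10 09:41:12 host1 audit[1834]: USER_LOGIN pid=1834 uid=0 auid=1000 msg='op=login res=success'
May 10 09:41:13 host1 kernel: audit: type=1400 audit(1683726073.101:88): apparmor="DENIED"
May 10 09:52:30 host1 sshd[3021]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
May 10 09:53:02 host1 auditor[44]: tag that only resembles audit
EOF
}

# Typical use on a live host (paths depend on the local rsyslog rules):
#   mark=$(syslog_mark /var/log/syslog)
#   ... run the two systemctl commands, generate some audit events ...
#   audit_socket_state; count_audit_lines /var/log/syslog "$mark"
```

A count of 0 after the mark, while /var/log/audit/audit.log keeps growing, indicates the duplication has stopped.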