Hey Ryan,

If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line, it prevents audisp from logging there even though audisp to syslog is turned on.

Our end state is pretty simple, in theory. We want to have 1 copy of audit events on the system for auditing and send a remote copy elsewhere.

On Tue, Oct 4, 2016 at 11:04 AM, Ryan Sawhill <rsawhill@redhat.com> wrote:
On Tue, Oct 4, 2016 at 10:58 AM, leam hall <leamhall@gmail.com> wrote:
Sort of a follow-up question. I'm surprised adding "audit.none" to the "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think audit was a full "facility" in whatever rsyslog looks at. Am I more confused than normal?

It's not. If you look at your main log you should see a message from rsyslogd saying something like "unknown facility 'audit'".
--
Mind on a Mission
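Added example, not code from the thread or from the rsyslog or audit projects: a small Python checker that parses classic rsyslog selector lines and flags facility names rsyslog does not accept, which is the "unknown facility 'audit'" situation Ryan describes. The facility table is the classic selector name set as assumed here, and the sample config lines are constructed to mirror the RHEL 6 messages line with "audit.none" appended.

```python
# Facility names accepted in classic rsyslog selector syntax (assumed set:
# the RFC 3164 names plus rsyslog's "ftp", "mark" and "security" aliases
# and the "*" wildcard). Anything else is rejected at startup with an
# "unknown facility" message, and the selector is effectively ignored.
KNOWN_FACILITIES = {
    "auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
    "mark", "news", "security", "syslog", "user", "uucp",
    *(f"local{i}" for i in range(8)), "*",
}

def parse_selector_line(line):
    """Return (selectors, action) for a classic selector line, else None."""
    stripped = line.strip()
    # Skip comments, blank lines and legacy "$" directives.
    if not stripped or stripped[0] in "#$":
        return None
    parts = stripped.split(None, 1)
    if len(parts) != 2:
        return None
    selectors = []
    for sel in parts[0].split(";"):
        if "." not in sel:
            return None  # not a facility.priority selector (e.g. ":msg, ...")
        facilities, priority = sel.rsplit(".", 1)
        # The facility part may be a comma list ("auth,authpriv"); the
        # priority may carry "=" or "!" modifiers.
        priority = priority.lstrip("=!")
        for fac in facilities.split(","):
            selectors.append((fac, priority))
    return selectors, parts[1]

def unknown_facilities(config_text):
    """Return [(line_no, facility), ...] for facilities rsyslog would reject."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_selector_line(line)
        if parsed is None:
            continue
        for fac, _prio in parsed[0]:
            if fac not in KNOWN_FACILITIES:
                findings.append((no, fac))
    return findings

# Constructed sample: the stock RHEL 6 messages line with "audit.none" added.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none;audit.none  /var/log/messages
authpriv.*                                           /var/log/secure
"""

if __name__ == "__main__":
    for no, fac in unknown_facilities(SAMPLE_CONF):
        print(f"line {no}: unknown facility '{fac}'")
```

Run it against a real /etc/rsyslog.conf to confirm that a selector like "audit.none" is not what is actually suppressing the audisp messages; the audisp syslog plugin emits under an ordinary facility (LOG_USER by default, configurable in its plugin config), so that is the facility to filter on.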