Re: Double addition of rule yields two log messages
>Speaking of ausearch, I just noticed that it emits this message:
>>
>> # /sbin/ausearch -m CONFIG_CHANGE -i
>> Warning - freq is non-zero and incremental flushing not selected.
That comes from the config file parser. You've got a problem
in /etc/audit/auditd.conf that should be fixed.
Its true that my auditd.conf (which I don't think I've ever
modified) has freq = 20 and flush = SYNC. I assume that SYNC
means that freq is ignored. The manpage says freq is only valid
if flush=incremental so it seems like an unnecessary warning.
But why does ausearch care? Seems like if anything cared it
would be the auditd but I can't find an error or warning from
it anywhere. Seems really odd that this message comes from
ausearch.
-- ljk