Hmm, I mean, I checked the source code. When the audit queue is full, it uses printk + NOTICE, so I think I could just drop every log that is >= kern.notice.
On Tue, Jan 21, 2014 at 11:12 PM, Richard Guy Briggs <[email protected]> wrote:
> On 14/01/21, Aaron Lewis wrote:
>> Sorry, I mean kauditd.
>>
>> I already killed the auditd daemon; only the kernel thread is running.
>>
>> On Tue, Jan 21, 2014 at 3:59 PM, Aaron Lewis <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > I'm trying to suppress logs from auditd with sysctl options,
>> >
>> > So I set kernel.printk to 4 4 4 4
>> >
>> > And modified KLOGD_OPTIONS to "-x -c 4"
>> >
>> > Then I restarted syslogd and klogd
>> >
>> > But I still see auditd logs piling up, anything wrong? auditd is using
>> > kernel.notice for sure
>
> It'll be hard to separate the kaudit messages in syslog because it will
> come through as a kernel type (as opposed to any other type syslog knows
> how to filter), unless you can filter on "kernel: audit: ", since audit:
> is a "subtype" of kernel.
>
>> > Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>
>> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
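
Added example, not code from the thread or from the audit project. The first field of kernel.printk is the console loglevel, and klogd -c sets the same console loglevel; neither stops kernel messages from reaching the log buffer that syslogd/klogd read, which is why the sysctl change above does not thin out the audit lines. The filter Richard describes keys on the "audit: " subtype the kernel prefixes to kaudit printk output. The script below mimics that filter over a syslog-style stream; the sample lines, hostname and values are constructed for the example, and the function names are made up here.

```shell
#!/bin/sh
# Added example: select kernel messages out of a syslog stream by the
# "kernel: <subtype>: " prefix rather than by priority, the way a syslog
# daemon rule matching "kernel: audit: " would. Not code from the thread.

# Constructed sample lines in classic syslog file layout
# ("<timestamp> <host> <tag>: <msg>"); host, times and values are made up.
SAMPLE_LOG='Jan 21 23:12:01 host kernel: audit: audit_backlog=321 > audit_backlog_limit=320
Jan 21 23:12:01 host kernel: audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=320
Jan 21 23:12:02 host kernel: usb 1-1: new high-speed USB device number 3
Jan 21 23:12:03 host sshd[1234]: Accepted publickey for aaron from 10.0.0.5 port 51000
Jan 21 23:12:04 host kernel: audit: type=1400 audit(1390347124.123:45): avc:  denied  { read }'

# ERE for "<15-char syslog timestamp> <host> kernel: <subtype>: "; $1 is the
# subtype (e.g. audit). Hypothetical helper name.
kernel_subtype_re() {
    printf '^.{15} [^ ]+ kernel: %s: ' "$1"
}

# Drop kernel messages of one subtype; everything else passes through,
# including other kernel messages logged at the same priority.
drop_kernel_subtype() {
    grep -v -E "$(kernel_subtype_re "$1")"
}

# Keep only kernel messages of one subtype, e.g. to route them to their own file.
keep_kernel_subtype() {
    grep -E "$(kernel_subtype_re "$1")"
}

# Count lines on stdin; grep -c prints a bare number, unlike wc -l on some systems.
count_lines() {
    grep -c '^'
}

# Demonstration: the two non-audit lines survive, the three audit lines do not.
printf '%s\n' "$SAMPLE_LOG" | drop_kernel_subtype audit
```

The same selection in a syslog daemon is a rule on the tag and message prefix; in rsyslog with RainerScript support (a version assumption) it is roughly `if $programname == 'kernel' and $msg contains 'audit: ' then stop`, placed before the rule that writes /var/log/messages. Filtering by facility and priority alone (kern.notice) would also discard every other kernel notice, since kaudit messages carry no facility of their own.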
