Great - so I don't need the line below in my rsyslog.conf file?

audit.* ~/var/log/audit/audit.log

On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgr...@redhat.com> wrote:

> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > Good morning. I am trying to get the audit logs to be written only to
> > audit.log. Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> > module(load="imfile")
> > module(load="imklog")
> > module(load="imjournal")
> >
> > global(net.enableDNS="off" workDirectory=/var/spool/rsyslog"
> > maxMessageSize="128k")
> >
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > ##################### rules
> > audit.* ~/var/log/audit/audit.log
> > auth.warning;authpriv.info ~/var/log/auth.log
> > *.*;auth,authpriv.none ~/var/log/syslog
> > cron.info ~/var/log/cron.log
> > daemon.info ~/var/log/daemon.log
> > kern.* ~/var/log/kern.log
> > user.info ~/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can stop
> this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit