Great - so I don't need the line below in my rsyslog.conf file?
audit.* ~/var/log/audit/audit.log
On Wed, May 10, 2023 at 9:51 AM Steve Grubb <[email protected]> wrote:
> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > Good morning. I am trying to get the audit logs to be written only to
> > audit.log. Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> > module(load="imfile")
> > module(load="imklog")
> > module(load="imjournal")
> >
> > global(net.enableDNS="off" workDirectory=/var/spool/rsyslog"
> > maxMessageSize="128k")
> >
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > ##################### rules
> > audit.* ~/var/log/audit/audit.log
> > auth.warning;authpriv.info ~/var/log/auth.log
> > *.*;auth,authpriv.none ~/var/log/syslog
> > cron.info ~/var/log/cron.log
> > daemon.info ~/var/log/daemon.log
> > kern.* ~/var/log/kern.log
> > user.info ~/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can
> stop
> this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve
>
>
>
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
