Re: sending audit logs only to audit.log via rsyslog
On Wednesday, May 10, 2023 11:51:04 AM EDT kathy lyons wrote:
> Great - so I don't need the line below in my rsyslog.conf file?
>
> audit.* ~/var/log/audit/audit.log

No, that's not needed. The whole problem is caused by journald. It connects to a best-effort multicast socket to get audit events. It then writes them to rsyslog in addition to the journal. Meanwhile, auditd connects to the real netlink interface and grabs events from the kernel and writes them to disk itself. No one needs 3 separate audit logs.

After masking journald's audit socket, all you need to do is have the audit daemon enabled. Then everything should work out. And you should find that audit events written by auditd have slightly better information.

-Steve

> On Wed, May 10, 2023 at 9:51 AM Steve Grubb wrote:
> > On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > > Good morning. I am trying to get the audit logs to be written only to
> > > audit.log. Currently they are written to audit.log as well as syslog.
> > > Here is my rsyslog.conf file - what am I doing wrong?
> > >
> > > module(load="imfile")
> > > module(load="imklog")
> > > module(load="imjournal")
> > >
> > > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> > >        maxMessageSize="128k")
> > >
> > > $IncludeConfig /etc/rsyslog.d/*.conf
> > > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >
> > > # rules
> > > audit.* ~/var/log/audit/audit.log
> > > auth.warning;authpriv.info ~/var/log/auth.log
> > > *.*;auth,authpriv.none ~/var/log/syslog
> > > cron.info ~/var/log/cron.log
> > > daemon.info ~/var/log/daemon.log
> > > kern.* ~/var/log/kern.log
> > > user.info ~/var/log/user.log
> >
> > The thing that is writing them to rsyslog is systemd-journald. You can stop
> > this by running:
> >
> > systemctl mask systemd-journald-audit.socket
> > systemctl stop systemd-journald-audit.socket
> >
> > Then you will only have logs written to the audit log.
> >
> > -Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
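The procedure Steve describes, written out as a script with the checks a practitioner would run afterwards. This is an added example, not code from the thread or from the audit/rsyslog projects. The two systemctl commands for the socket are the ones from the thread; the verification steps (auditctl, ausearch, journalctl's `_TRANSPORT=audit` filter, the audisp syslog plugin check, and the syslog line counter) are mine. It assumes a systemd host with auditd and rsyslog, /var/log/syslog as the catch-all file (as in the posted rsyslog.conf), and root for the apply/verify modes; the sample syslog lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): apply the fix from the thread and
# verify that audit records stop arriving through journald/rsyslog.
# Assumes: systemd, auditd, rsyslog; /var/log/syslog as catch-all; root for
# "apply" and "verify". Sample log lines below are constructed.

# Constructed syslog excerpt in the shape rsyslog's imjournal produces.
# Records that arrived through journald's audit socket carry the identifier
# "audit[PID]"; when no auditd owns the kernel audit socket the kernel instead
# printks them as "kernel: audit: type=NNNN ...". The sshd, auditd and cron
# lines are ordinary syslog traffic and must not be counted.
sample_syslog() {
    cat <<'EOF'
May 10 09:43:04 host audit[812]: USER_START pid=812 uid=0 auid=1000 ses=4 msg='op=PAM:session_open acct="kathy" exe="/usr/sbin/sshd" res=success'
May 10 09:43:04 host audit[812]: CRED_ACQ pid=812 uid=0 auid=1000 ses=4 msg='op=PAM:setcred acct="kathy" exe="/usr/sbin/sshd" res=success'
May 10 09:43:04 host sshd[812]: Accepted publickey for kathy from 192.0.2.10 port 51234 ssh2
May 10 09:43:05 host kernel: audit: type=1300 audit(1683726185.217:901): arch=c000003e syscall=257 success=yes exit=3 ppid=812 pid=840
May 10 09:43:06 host auditd[501]: Audit daemon rotating log files
May 10 09:43:06 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Count audit records in a syslog-format file (stdin when no file is given).
# "grep -c" exits 1 when the count is 0; keep the printed "0" anyway.
count_audit_lines() {
    grep -cE ' audit\[[0-9]+\]: | kernel: audit: type=[0-9]+ ' "$@" || true
}

# The thread's fix: stop journald subscribing to the kernel's audit multicast
# group, then make sure auditd (the unicast netlink consumer that writes
# /var/log/audit/audit.log) is enabled and running.
apply_fix() {
    systemctl mask systemd-journald-audit.socket
    systemctl stop systemd-journald-audit.socket
    systemctl enable --now auditd
}

# Post-change checks.
verify_fix() {
    echo "journald audit socket: $(systemctl is-enabled systemd-journald-audit.socket 2>&1)"  # expect: masked
    echo "auditd: $(systemctl is-active auditd 2>&1)"                                        # expect: active
    auditctl -s   # "pid=" should be auditd's PID (not 0) and "enabled 1"
    # auditd has its own syslog forwarder (the audisp syslog plugin, off by
    # default). If it reports "active = yes", auditd itself is a second writer.
    grep -Hs '^active' /etc/audit/plugins.d/syslog.conf /etc/audisp/plugins.d/syslog.conf
    # Generate a fresh record (e.g. a new login), then confirm it is in
    # audit.log but did not reach the journal's audit transport any more.
    ausearch -ts recent -m USER_START 2>/dev/null | tail -n 3
    journalctl _TRANSPORT=audit --since "1 min ago" --no-pager            # expect: no output
    # Pre-change lines are still in the file; this number should stop growing.
    echo "audit records in /var/log/syslog: $(count_audit_lines /var/log/syslog)"
}

case "${1-}" in
    apply)  apply_fix ;;
    verify) verify_fix ;;
    *)      echo "audit records in constructed sample: $(sample_syslog | count_audit_lines)" ;;
esac
```

Run it as root with `apply`, then `verify`; with no argument it only counts the constructed sample (3 records). One caveat about the posted rsyslog.conf that the thread does not get into: in rsyslog's legacy selector syntax a leading `~` in the action field selects the (deprecated) discard action rather than being part of a path, and an asynchronous file target is written `-/var/log/...`. That does not change the diagnosis: once the journald socket is masked, nothing in the journald path hands audit records to rsyslog at all.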
Re: sending audit logs only to audit.log via rsyslog
Great - so I don't need the line below in my rsyslog.conf file?

audit.* ~/var/log/audit/audit.log

On Wed, May 10, 2023 at 9:51 AM Steve Grubb wrote:
> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > Good morning. I am trying to get the audit logs to be written only to
> > audit.log. Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> > module(load="imfile")
> > module(load="imklog")
> > module(load="imjournal")
> >
> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> >        maxMessageSize="128k")
> >
> > $IncludeConfig /etc/rsyslog.d/*.conf
> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> > # rules
> > audit.* ~/var/log/audit/audit.log
> > auth.warning;authpriv.info ~/var/log/auth.log
> > *.*;auth,authpriv.none ~/var/log/syslog
> > cron.info ~/var/log/cron.log
> > daemon.info ~/var/log/daemon.log
> > kern.* ~/var/log/kern.log
> > user.info ~/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can stop
> this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve
Re: sending audit logs only to audit.log via rsyslog
On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> Good morning. I am trying to get the audit logs to be written only to
> audit.log. Currently they are written to audit.log as well as syslog.
> Here is my rsyslog.conf file - what am I doing wrong?
>
> module(load="imfile")
> module(load="imklog")
> module(load="imjournal")
>
> global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
>        maxMessageSize="128k")
>
> $IncludeConfig /etc/rsyslog.d/*.conf
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # rules
> audit.* ~/var/log/audit/audit.log
> auth.warning;authpriv.info ~/var/log/auth.log
> *.*;auth,authpriv.none ~/var/log/syslog
> cron.info ~/var/log/cron.log
> daemon.info ~/var/log/daemon.log
> kern.* ~/var/log/kern.log
> user.info ~/var/log/user.log

The thing that is writing them to rsyslog is systemd-journald. You can stop
this by running:

systemctl mask systemd-journald-audit.socket
systemctl stop systemd-journald-audit.socket

Then you will only have logs written to the audit log.

-Steve
sending audit logs only to audit.log via rsyslog
Good morning. I am trying to get the audit logs to be written only to
audit.log. Currently they are written to audit.log as well as syslog.
Here is my rsyslog.conf file - what am I doing wrong?

module(load="imfile")
module(load="imklog")
module(load="imjournal")

global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
       maxMessageSize="128k")

$IncludeConfig /etc/rsyslog.d/*.conf
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# rules
audit.* ~/var/log/audit/audit.log
auth.warning;authpriv.info ~/var/log/auth.log
*.*;auth,authpriv.none ~/var/log/syslog
cron.info ~/var/log/cron.log
daemon.info ~/var/log/daemon.log
kern.* ~/var/log/kern.log
user.info ~/var/log/user.log