After many experiments, I discovered an inconspicuous syntax error in audit.rules Here are two seemingly identical lines: -a exit,always -F arch=b64 -F euid=0 -S execve –k root_actions -a exit,always -F arch=b64 -F euid=0 -S execve -k root_actions
Their only difference is that in the first line (copy-pasted from another source), the dash before "–k" is not the standard dash character, although it appears exactly the same in the console. When changing to a standard dash, the mentioned error is "error in line 6 of /etc/audit/audit.rules" was eliminated. I absolutely don`t understand the role of Rsyslog configuration changes in this. But paradoxically, this error in the dash character only manifests itself in this case. Before that, a string with a non-standard dash in audit.rules was accepted by auditd without problems on both my servers. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1867372 Title: Auditd failed when changing the Rsyslog configuration To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1867372/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs