There is a different default setting between RHEL 6 and 7. See
/etc/default/auditd; I think it has a parameter that controls the use of
/etc/audit/rules.d.
Sent from my mobile phone, please excuse the brevity.
On Apr 12, 2017, 7:19 AM, "warron.french" wrote:
> It appears that this dir
what is provided with logrotate is needed.
Stephen
On Thu, Jan 26, 2017 at 2:41 PM Bond Masuda <bond.mas...@jlbond.com> wrote:
Thanks Steve for the suggestion. Unfortunately, even with my script
sending USR2 to auditd, I still get the same behavior
Bond Masuda wrote:
I configured space_left and space_left_action to run a script that
compresses and moves older audit log files from /var/log/audit. It
appears to work 1 time, and then doesn't work anymore until I kill
the auditd daemon and start it again.
Is this expected and/or de
Hello,
I configured space_left and space_left_action to run a script that
compresses and moves older audit log files from /var/log/audit. It
appears to work 1 time, and then doesn't work anymore until I kill the
auditd daemon and start it again.
Is this expected and/or desired behavior? I di
On 11/06/2015 11:12 AM, Steve Grubb wrote:
> On Friday, November 06, 2015 10:07:24 AM Bond Masuda wrote:
>> On 11/02/2015 03:32 PM, Steve Grubb wrote:
>>> I took a quick look at the code. I can't see how this is happening
>>> unless auditd is receiving a SIGUS
On 11/02/2015 03:32 PM, Steve Grubb wrote:
> I took a quick look at the code. I can't see how this is happening
> unless auditd is receiving a SIGUSR1 signal. You might want to put
> some syslog calls in to auditd-event.c log when auditd gets told to
> rotate so that it can be correlated to other
I'm seeing my /var/log/audit/audit.log getting rotated (I find an audit.1
or audit.2, etc. file) even though I have max_log_file_action=ignore.
Here's the full auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_log
I'm trying to figure out how costly it is to set flush=sync vs
incremental in auditd.conf. In theory, it would seem like it is more
expensive, but by how much? At what level of paranoia about not losing
audit logs does it make sense to use flush=sync or is it not much more
costly and one might as w
I'm writing a tool to put audit logs into a database. I can guess at the
format based on samples of logs I'm seeing, but I would feel better if I
could find documentation that shows all the different types of audit log
messages and what is in those messages.
Thanks
Bond
--
Linux-audit mailing lis
With Linux audit, how do I monitor the deletion of directories? I am
already monitoring the unlink syscall, but it only seems to monitor
deleted files.
Thanks
Bond
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit