On Sun, 28.12.14 12:45, Martin Pitt (martin.p...@ubuntu.com) wrote:

> Hello all,
>
> systemd 218 now enables audit in the kernel unconditionally [1]. While
> these messages might be nice to have in the journal, they literally
> flood dmesg and thus /var/log/syslog and friends with messages like
>
> [39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0
> auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron"
> hostname=? addr=? terminal=cron res=success'
>
> $ dmesg |grep -c audit
> 786
>
> and more importantly, eats a lot of real kernel/daemon messages due to
> rate limiting: I have many dozen messages like
>
> [37444.978307] audit_printk_skb: 222 callbacks suppressed
>
> and they demonstrably cause e. g. AppArmor violations to not get shown
> due to this.
>
> Is there a way to make the audit messages *only* go to the journal,
> but not to dmesg and sysloggers? If not, could we perhaps add a
> ./configure or config file option for this, to disable audit on
> systems where we don't need it?

This is a known limitation of the in-kernel audit code, and is being
tracked here. Needs to be fixed in the kernel.

https://bugzilla.redhat.com/show_bug.cgi?id=1160046

Fix should be easy enough, but so far nobody looked into this yet.

Lennart

--
Lennart Poettering, Red Hat
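
One way to quantify the flood described in this thread, as an added example that is not part of either message: it counts the audit records per type in dmesg-format text and sums what the `audit_printk_skb: N callbacks suppressed` notices report. The `summarize` function and the sample lines are constructed for illustration; only the first sample line and the notice format are taken from the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample in dmesg format. The first line and the "callbacks
# suppressed" format come from the thread; every other value is made up.
SAMPLE = """\
[39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
[39098.131002] audit: type=1105 audit(1419765421.405:4234): pid=25634 uid=0 auid=0 ses=21 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
[39099.000001] audit_printk_skb: 222 callbacks suppressed
[39100.500000] audit: type=1400 audit(1419765423.100:4240): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=25700 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[39101.000000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[39104.000002] audit_printk_skb: 57 callbacks suppressed
"""

# "[ <uptime>] audit: type=<n> audit(<epoch>:<serial>): ..."
AUDIT_RE = re.compile(r"^\[\s*\d+\.\d+\]\s+audit: type=(\d+) audit\(")
# Rate-limit notice printed when audit records were dropped from the kernel log.
SUPPRESSED_RE = re.compile(
    r"^\[\s*\d+\.\d+\]\s+audit_printk_skb: (\d+) callbacks suppressed")

def summarize(dmesg_text):
    """Count audit records shown, suppressed callbacks, and everything else."""
    by_type = Counter()
    suppressed = notices = other = 0
    for line in dmesg_text.splitlines():
        if not line.strip():
            continue
        m = AUDIT_RE.match(line)
        if m:
            by_type[m.group(1)] += 1
            continue
        m = SUPPRESSED_RE.match(line)
        if m:
            suppressed += int(m.group(1))
            notices += 1
            continue
        other += 1
    return {"audit_shown": sum(by_type.values()), "by_type": dict(by_type),
            "suppressed": suppressed, "notices": notices, "other_lines": other}

if __name__ == "__main__":
    # Usage: dmesg | python3 this_script.py   (falls back to the sample on a TTY)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
```

The totals only cover what is still in the kernel ring buffer, so older records and notices that have already rotated out are not counted.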