public inbox for linux-audit@redhat.com
* Can't get syslog built-in plugin to post messages to syslog
@ 2013-09-10  5:42 Peter Butler
  2013-09-11  0:17 ` Steve Grubb
From: Peter Butler @ 2013-09-10  5:42 UTC (permalink / raw)
  To: linux-audit

I can't get syslog built-in plugin to post messages to syslog.

My syslog.conf plugin file is:

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL3
format = string

Presumably the file is indeed being parsed by the user-space audit daemon, as after having changed 'active' to 'yes' (and restarted the system), I see the audit daemon has started up the child process audispd, as required.

The audit daemon is indeed logging the audit logs to /var/log/audit/audit.log, but is not also sending them to syslog as configured.

For what it's worth I am using rsyslog rather than syslog but I assume this makes no difference (?).

The rsyslog configuration for the audit logs is straightforward - the line in question being:

local3.*           /var/log/audit_trail

I assume my rsyslog is configured properly as I can send a message to LOG_LOCAL3 from the command-line using 'logger' and the message appears in /var/log/audit_trail.  But the audit logs never do.

I have the following packages installed:

audit-2.2.1-1
audispd-plugins-2.2.1-1
audit-libs-2.2.1-1


* Re: Can't get syslog built-in plugin to post messages to syslog
  2013-09-10  5:42 Can't get syslog built-in plugin to post messages to syslog Peter Butler
@ 2013-09-11  0:17 ` Steve Grubb
From: Steve Grubb @ 2013-09-11  0:17 UTC (permalink / raw)
  To: linux-audit

On Tuesday, September 10, 2013 01:42:00 AM Peter Butler wrote:
> I can't get syslog built-in plugin to post messages to syslog.
> 
> My syslog.conf plugin file is:
> 
> active = yes
> direction = out
> path = builtin_syslog
> type = builtin
> args = LOG_INFO LOG_LOCAL3
> format = string
> 
> Presumably the file is indeed being parsed by the user-space audit daemon,
> as after having changed 'active' to 'yes' (and restarted the system), I see
> the audit daemon has started up the child process audispd, as required.
> 
> The audit daemon is indeed logging the audit logs to
> /var/log/audit/audit.log, but is not also sending them to syslog as
> configured.

https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L256

Turns out that you can pass the priority, but not the facility. So, your 
events are wherever the LOG_USER facility is sending them. This probably 
should be documented better.
 
-Steve

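The mismatch Steve points out, as an added example that is not code from the thread or from the audit project: a small checker that parses the plugin file from the first post and the rsyslog selector line, assumes (per the reply) that the builtin_syslog plugin in audit 2.2.1 honours only the priority token and emits under LOG_USER, and reports why /var/log/audit_trail stays empty. The function names and the "reject unknown priority" policy are the example's own, not the plugin's.

```python
"""Added example (not from the thread or the audit project). Assumption from the
reply: in audit 2.2.1 builtin_syslog uses only the first 'args' token (priority);
the second token (facility) is ignored, so events go out under LOG_USER."""

PRIORITIES = {"LOG_DEBUG", "LOG_INFO", "LOG_NOTICE", "LOG_WARNING",
              "LOG_ERR", "LOG_CRIT", "LOG_ALERT", "LOG_EMERG"}

# Constructed copies of the two configuration fragments shown in the thread.
PLUGIN_CONF = """active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL3
format = string
"""
RSYSLOG_RULE = "local3.*           /var/log/audit_trail"


def parse_plugin_conf(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def effective_facility(conf):
    """Facility the 2.2.1 builtin plugin actually logs under: always 'user' (LOG_USER)."""
    tokens = conf.get("args", "").split()
    if tokens and tokens[0].upper() not in PRIORITIES:
        raise ValueError(f"unknown priority {tokens[0]!r}")   # checker's own policy
    return "user"   # tokens[1], e.g. LOG_LOCAL3, is never consulted by this version


def rule_matches(rule, facility):
    """True if an rsyslog selector ('local3.*', 'user,local3.*', '*.info', ...) covers facility."""
    for selector in rule.split()[0].split(";"):
        facilities = selector.split(".", 1)[0].split(",")
        if any(f in ("*", facility) for f in facilities):
            return True
    return False


def diagnose(plugin_text, rule):
    """Explain whether events emitted by the plugin reach the file named in the rule."""
    fac = effective_facility(parse_plugin_conf(plugin_text))
    selector = rule.split()[0]
    if rule_matches(rule, fac):
        return f"events are logged under facility '{fac}'; selector '{selector}' catches them"
    return f"events are logged under facility '{fac}', but selector '{selector}' ignores it; file stays empty"
```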
