linux-audit.redhat.com archive mirror
* Disabling local logging with write_logs = no
@ 2018-12-03  7:13 Kay Mccormick
  2018-12-03 15:17 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Kay Mccormick @ 2018-12-03  7:13 UTC (permalink / raw)
  To: linux-audit



I am trying to log only to a remote machine so I have set:

write_logs = no

in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.

When I run it with 'auditd -f' to keep it in the foreground, it does not
write the file and I see:

write_logs_parser called with: no
in the output.

Looking at the source, I see:

        if (opt_foreground) {                      /* started as 'auditd -f' */
                config.daemonize = D_FOREGROUND;
                set_aumessage_mode(MSG_STDERR, DBG_YES);  /* messages to stderr, debug on */
        } else {
                config.daemonize = D_BACKGROUND;
                set_aumessage_mode(MSG_SYSLOG, DBG_NO);   /* messages to syslog, debug off */
                (void) umask( umask( 077 ) | 022 );
        }

It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.

I have included the output of auditd -f and also my auditd.conf.


[-- Attachment #2: audit-out.txt (text/plain) --]

Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: no
write_logs_parser called with: no
log_group_parser called with: root
log_format_parser called with: RAW
flush_parser called with: INCREMENTAL_ASYNC
freq_parser called with: 50
max_log_size_parser called with: 8
num_logs_parser called with: 5
priority_boost_parser called with: 4
qos_parser called with: lossy
dispatch_parser called with: /sbin/audispd
name_format_parser called with: user
name_parser called with: netra.heptet.us
max_log_size_action_parser called with: IGNORE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
use_libwrap_parser called with: yes
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
krb5_principal_parser called with: auditd
distribute_network_parser called with: no
Started dispatcher: /sbin/audispd pid: 2243
Resolved node name: netra.heptet.us
config_manager init complete
Init complete, auditd 2.6.7 listening for events (startup state enable)
The audit daemon is exiting.

[-- Attachment #3: auditd.conf --]

#
# This file controls the configuration of the audit daemon
#

local_events = no
write_logs = no
#log_file = /dev/null
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = user
name = netra.heptet.us
max_log_file_action = IGNORE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no





* Re: Disabling local logging with write_logs = no
  2018-12-03  7:13 Disabling local logging with write_logs = no Kay Mccormick
@ 2018-12-03 15:17 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2018-12-03 15:17 UTC (permalink / raw)
  To: linux-audit

On Monday, December 3, 2018 2:13:43 AM EST Kay Mccormick wrote:
> I am trying to log only to a remote machine so I have set:
> 
> write_logs = no
> 
> in my auditd.conf. Unfortunately, when I restart auditd it does not appear
> to respect my configuration choice.

According to your output, you are running auditd-2.6.7. It has this known bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1382397


> When I run it with 'auditd -f' to keep it in the foreground, it does not
> write the file and i see :
> 
> write_logs_parser called with: no
> in the output.
>
> Looking at the source, I see:
> 
>         if (opt_foreground) {
>                 config.daemonize = D_FOREGROUND;
>                 set_aumessage_mode(MSG_STDERR, DBG_YES);
>         } else {
>                 config.daemonize = D_BACKGROUND;
>                 set_aumessage_mode(MSG_SYSLOG, DBG_NO);
>                 (void) umask( umask( 077 ) | 022 );
>         }
> 
> It seems I cannot get messages logged with LOG_DEBUG without running in
> foreground mode (in which case the bug does not appear to be triggered) or
> recompiling auditd.

Generally you do not need the debug messages because if auditd has any real 
problems it writes to syslog. The debug messages are generally very low level 
details like the parsing outcome for the config file.

> I have included the output of auditd -f and also my auditd.conf.

This output also shows that you have local_events = no. That means that it 
will not register with the kernel to receive local events. Normally this is 
used when you have auditd in a container and it does not have access to the 
kernel's audit interface. It allows auditd to run in a container to be an 
aggregating server for other audit daemons. That is probably not what you 
intended.

To prevent writing to logs, you would set write_logs = no. However, the 
old version you are running has a bug. You'll need to upgrade to a newer 
version of auditd. There have been many bugfixes and improvements since 2.6.7.

Also, if you are doing remote logging, you probably want to be using the 
enriched data format. This is achieved by setting log_format = ENRICHED. This 
collects local information and adds it to the event so remote systems can 
make sense of the events where uid/gid changes between machines.

Hope this helps...

-Steve

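As an added example (not code from this thread or from the audit project), the following Python pre-flight check reads an auditd.conf meant for remote-only forwarding and flags the three points raised in the reply above: write_logs not set to no, local_events = no outside a container, and a log_format other than ENRICHED. It also pulls the daemon version out of the "Init complete, auditd ..." line that 'auditd -f' prints, so the known write_logs bug can be flagged from the same output the original post attached. Assumptions that are mine, not the thread's: the defaults used for missing keys (write_logs = yes, local_events = yes, log_format = RAW) and the decision to treat every 2.6.x release as affected; the thread confirms the bug only for 2.6.7. The sample config and startup line are constructed from the attachments in the thread.

```python
"""Pre-flight check for an auditd.conf intended for remote-only forwarding."""
import re

# Constructed sample: the keys from the auditd.conf posted in the thread that
# the checks below care about, plus the startup line from the 'auditd -f' output.
SAMPLE_CONF = """\
#
# This file controls the configuration of the audit daemon
#
local_events = no
write_logs = no
#log_file = /dev/null
log_format = RAW
dispatcher = /sbin/audispd
"""
SAMPLE_STARTUP = "Init complete, auditd 2.6.7 listening for events (startup state enable)"

# Assumed defaults for keys that are absent from the file (not taken from the thread).
DEFAULTS = {"write_logs": "yes", "local_events": "yes", "log_format": "RAW"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines; comments and blank lines are skipped, keys lowercased."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def auditd_version(startup_line):
    """Extract (major, minor, patch) from the 'Init complete, auditd X.Y.Z ...' line."""
    m = re.search(r"auditd (\d+)\.(\d+)(?:\.(\d+))?", startup_line)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def check_remote_only(conf, version=None, in_container=False):
    """Return a list of findings for a config that is supposed to forward events only."""
    findings = []
    get = lambda k: conf.get(k, DEFAULTS[k])

    if get("write_logs").lower() != "no":
        findings.append("write_logs is not 'no': events will also be written to the local log_file")
    elif version is not None and version[:2] == (2, 6):
        # Assumption: any 2.6.x is affected; the thread only confirms 2.6.7 (bz 1382397).
        findings.append(f"auditd {'.'.join(map(str, version))} ignores write_logs = no; upgrade")

    if get("local_events").lower() == "no" and not in_container:
        findings.append("local_events = no: auditd will not register with the kernel, so no "
                        "local events are collected (meant for an aggregating auditd in a container)")

    if get("log_format").upper() != "ENRICHED":
        findings.append("log_format is not ENRICHED: remote receivers only see numeric uid/gid "
                        "values, which differ between machines")
    return findings


if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    for finding in check_remote_only(conf, auditd_version(SAMPLE_STARTUP)):
        print("WARNING:", finding)
```

To run it against a live system, replace SAMPLE_CONF with the contents of /etc/audit/auditd.conf and SAMPLE_STARTUP with the matching line from 'auditd -f' or the syslog; pass in_container=True when the daemon really is an aggregating instance without kernel access, which is the one case where local_events = no is expected.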