public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditd log files
Date: Wed, 9 Mar 2011 07:52:28 -0500
Message-ID: <201103090752.29214.sgrubb@redhat.com>
In-Reply-To: <6BE4AAFB10DD834E8F60D36312048EAA01781649FED6@PDCPXMB003.asggroup.com.au>

On Wednesday, March 09, 2011 12:46:26 am Brian Ross wrote:
> I would like to know how I can read the auditd log files stored in
> /var/log/audit.d.

Ausearch is the utility that is meant to display the individual records. However, I 
would start any investigation with aureport --start today --summary and then see 
what category is having the most events. Each category has its own report. Each report 
has 2 modes, summary and all events. I use the summary to get an idea and then move to 
ausearch when I need to. I have some notes on doing an investigation in the 
audit.rules man page.

Also, the audit daemon is recommended to have /var/log/audit as its own partition to 
prevent problems like you are seeing. It also makes the audit daemon's operation 
better because it calculates the amount of space left for the actions programmed in 
for space_left_action and disk_full_action.

> I have a problem where the auditd system seems to go haywire, fills the
> /var filesystem up to its maximum allowed 80% and then starts to try and
> delete the old log files but the /var filesystem keeps filling up, at
> which point it ceases execution and then I have SysEdge reporting a
> massive CPU load and the whole server locks up.
> 
> I believe the auditd system's behavior is symptomatic, rather than the
> cause of the problem. I note that the auditd log files are in some
> binary format. Is there a means to read them?

They are text records with an occasional field in a special encoding to prevent log 
injection attacks. 

-Steve
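
As an added example, not part of Steve's message or of the audit-userspace project, the field encoding he refers to, written in Python: it assumes the kernel's audit_log_untrustedstring rule (a value containing a double quote, a byte below 0x21 or above 0x7e is logged as uppercase hex with no quotes, otherwise as a double-quoted literal), a constructed subset of the fields ausearch -i interprets, and two constructed sample records, one with a file name crafted to look like extra audit fields.

```python
import re
from typing import Dict

# Fields the kernel logs through audit_log_untrustedstring and that
# ausearch -i therefore interprets (assumption: a representative subset).
UNTRUSTED_FIELDS = {"name", "comm", "exe", "proctitle", "cwd", "cmd", "acct", "key"}

def needs_hex(value: bytes) -> bool:
    """Kernel rule: a double quote, any byte below 0x21 or above 0x7e forces hex."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value)

def encode_untrusted(value: bytes) -> str:
    """Render a value the way the kernel does: uppercase hex with no quotes, or a
    double-quoted literal. Because a quote always triggers hex, a quoted literal
    can never contain one, so nobody can close the quote and start new fields."""
    if needs_hex(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'

def decode_field(key: str, raw: str) -> str:
    """Undo the encoding for one key=value pair (what ausearch -i does for these keys)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in UNTRUSTED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="backslashreplace")
    return raw  # numbers, arch values, "(null)" and similar are left alone

_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into decoded fields; a repeated key keeps its last value."""
    return {key: decode_field(key, raw) for key, raw in _PAIR.findall(line)}

# Constructed sample: a file whose name is crafted to look like extra audit fields.
HOSTILE_NAME = b'/tmp/x" type=USER_LOGIN auid=0 res=success'
SAMPLE_PATH = ("type=PATH msg=audit(1299651946.123:42): item=0 name="
               + encode_untrusted(HOSTILE_NAME) + " inode=1234 mode=0100644 ouid=0")
SAMPLE_SYSCALL = ("type=SYSCALL msg=audit(1299651946.123:42): arch=c000003e syscall=2 "
                  'success=yes exit=3 uid=0 auid=500 comm="cat" exe="/bin/cat" key="files"')

if __name__ == "__main__":
    for line in (SAMPLE_SYSCALL, SAMPLE_PATH):
        print(line)
        print("  ->", parse_record(line))
```

The hex-encoded name comes back as the single `name` field it was written as; the `auid=0 res=success` text inside it never becomes fields of its own.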

Thread overview: 2+ messages
2011-03-09  5:46 auditd log files Brian Ross
2011-03-09 12:52 ` Steve Grubb [this message]