From mboxrd@z Thu Jan  1 00:00:00 1970
From: Brian Ross
Subject: auditd log files
Date: Wed, 9 Mar 2011 13:46:26 +0800
Message-ID: <6BE4AAFB10DD834E8F60D36312048EAA01781649FED6@PDCPXMB003.asggroup.com.au>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I would like to know how I can read the auditd log files stored in /var/log/audit.d.

I have a problem where the auditd system seems to go haywire, fills the /var filesystem up to its maximum allowed 80% and then starts to try and delete the old log files, but the /var filesystem keeps filling up, at which point it ceases execution and then I have SysEdge reporting a massive CPU load and the whole server locks up.

I believe the auditd system's behavior is symptomatic, rather than the cause of the problem. I note that the auditd log files are in some binary format. Is there a means to read them?

cheers

Brian Ross
Technical Consultant
ASG Group Limited
Level 1 / 267 St Georges Tce.
Perth, WA, 6000
Telephone +61 8 9420 5451
Mobile +61 0434 181 701
Facsimile +61 8 9420 5422
Brian.Ross@asggroup.com.au
http://www.asggroup.com.au/

Confidentiality Notice: The information contained in this message is strictly confidential. It is intended only for the use of the individual or entity named above. If the reader is not the intended recipient, or the authorised agent thereof, you are hereby notified that any disclosure, use, distribution or copying of the within information is strictly prohibited. If you have received this message in error, please notify us immediately by telephone and delete all copies of the original message.
PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL
Ld47YJYXQQdTEAsTlR10E9WYcNAwEASPwI8MkQMvkAqHCgoWfWct1WC4xNGJEgYJ8AB4qxBJ1QI1 4AZSQwTGtbvOqpjZMAq+sCtZYDtEUAdyoABmA4cfJgJ69Qxi5wu2YK0tUGXTowEi0A110AmrIAEf 1wki8AoKYAgZDni85cSGYAjdEEAdDg3gaxORQAJCLuShMLYhRwdPwAjAkMpMwASNgAnJIAmqgAVn oNQOkQMRIAipIAq3iAYXzVJUoAQFoAPFLMcRsQ5ksTE9YwtFDNMmQHvPsAFzBQ7H4As8MyUlCMQm kD8DIQ51jjWvsAFaJ7qM5MT2QFTauMAJMQroPgM7ZUMyRCAHY1QMvpACHE4T3DAGmq7pxJsRYzAO UnADfuAHZEAGdNAKY9DpD7EXERABLwAGxhwHrU5DT0IREIABzcAMbI1d/goOpHrrgcAM/so17LoL 2YABgSDcW0cN1JDYWbAO1NAM62AODuUNzUANKUhv5qCm3N7t3v7t4B7u4j7u5F7u5n7u6J7u6r7u 7N7u7v7u8B7v8j7v9F7v9n7v+J7v+r7v/N7v/v7vAJ8QAQEAOw== --_004_6BE4AAFB10DD834E8F60D36312048EAA01781649FED6PDCPXMB003a_-- --===============8076917016163097742== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============8076917016163097742==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: auditd log files Date: Wed, 9 Mar 2011 07:52:28 -0500 Message-ID: <201103090752.29214.sgrubb@redhat.com> References: <6BE4AAFB10DD834E8F60D36312048EAA01781649FED6@PDCPXMB003.asggroup.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <6BE4AAFB10DD834E8F60D36312048EAA01781649FED6@PDCPXMB003.asggroup.com.au> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday, March 09, 2011 12:46:26 am Brian Ross wrote: > I would like to know how I can read the auditd log files stored in > /var/log/audit.d. Ausearch is the utility that is meant to display the individual records. However, I would start any investigation with aureport --start today --summary and then see what category is having the most events. Each category has its own report. Each report has 2 modes, summary and all events. 
I use the summary to get an idea and then move to ausearch when I need to. I have some notes on doing an investigation in the audit.rules man page. Also, The audit daemon is recommended to have /var/log/audit as its own partition to prevent problems like you are seeing. It also makes the audit daemon's operation better because it calculates the amount of space left for the actions programmed in for space_left_action and disk_full_action. > I have a problem where the auditd system seems to go haywire, fills the > /var filesystem up to its maximum allowed 80% and then starts to try and > delete the old log files but the /var filesystem keeps filling up, at > which point it ceases execution and then I have SysEdge reporting a > massive CPU load and the whole server locks up. > > I believe the auditd system's behavior is symptomatic, rather than the > cause of the problem. I note that the auditd log files are in some > binary format. Is there a means to read them? They are text records with an occasional field in a special encoding to prevent log injection attacks. -Steve
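A worked example, added here and not part of the thread or of the audit package: a small Python parser for the text record format Steve describes. It tokenises `key=value` records, undoes the "special encoding" (untrusted strings such as path names are hex-encoded when they contain a double quote, a byte below 0x21, i.e. space or control, or a byte above 0x7e, and double-quoted otherwise, which is the rule in the kernel's audit_log_untrustedstring()), and counts records per type as a first cut in the spirit of starting from a summary before going to individual records. It is not a reimplementation of aureport or ausearch. The sample records, the `UNTRUSTED_FIELDS` subset and the `NAIVE_PATH_LINE` that a logger without the encoding would have written are all constructed for the example; the naive line is there only to show the injection the encoding prevents, auditd never emits it.

```python
import re
from collections import Counter

# Subset of fields the kernel treats as untrusted strings (quoted or hex-encoded).
# Chosen for this example; auparse knows the full list by field name.
UNTRUSTED_FIELDS = {"name", "comm", "exe", "proctitle", "cwd", "acct", "key", "cmd"}

# Constructed sample records (not captured from a real host). Event 42's PATH
# name is "/tmp/a uid=0": it contains a space, so it is emitted hex-encoded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1299649586.123:42): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1000 pid=1234 auid=500 uid=500 gid=500 euid=500 comm="cat" exe="/bin/cat" key="watch-tmp"
type=CWD msg=audit(1299649586.123:42):  cwd="/home/brian"
type=PATH msg=audit(1299649586.123:42): item=0 name=2F746D702F61207569643D30 inode=131 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=USER_LOGIN msg=audit(1299649600.001:43): user pid=1300 uid=0 auid=500 ses=2 msg='op=login acct="brian" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1299649610.555:44): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1234 pid=1301 auid=500 uid=500 comm="sh" exe="/bin/sh" key="exec"
"""

# The same PATH record as a logger *without* the encoding would write it.
# Constructed to show the injection; auditd does not produce this.
NAIVE_PATH_LINE = "type=PATH msg=audit(1299649586.123:42): item=0 name=/tmp/a uid=0 inode=131"

_FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
_MSG_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):?")
_HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def encode_untrusted(value: str) -> str:
    """Mirror audit_log_untrustedstring(): hex-encode when the string holds a
    double quote, a byte < 0x21 (space/control) or > 0x7e; else double-quote it."""
    raw = value.encode()
    if any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw):
        return raw.hex().upper()
    return f'"{value}"'


def decode_field(name: str, value: str) -> str:
    """Undo the encoding for one field. Only fields known to carry untrusted
    strings are hex-decoded: a syscall argument like a0=7fff1 is hex too."""
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        return value[1:-1]
    if name in UNTRUSTED_FIELDS and _HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_record(line: str) -> dict:
    """One record -> dict of decoded fields plus time/serial from msg=audit(ts:serial)."""
    fields = {}
    for name, value in _FIELD_RE.findall(line):
        if name == "msg" and value.startswith("'"):
            # user-space records nest op=/acct=/res= inside msg='...'
            for inner_name, inner_value in _FIELD_RE.findall(value[1:-1]):
                fields.setdefault(inner_name, decode_field(inner_name, inner_value))
            continue
        fields[name] = decode_field(name, value)
    m = _MSG_RE.match(fields.get("msg", ""))
    if m:
        fields["time"] = float(f"{m.group(1)}.{m.group(2)}")
        fields["serial"] = int(m.group(3))
    return fields


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summary(records) -> Counter:
    """Record count per type: the first cut before drilling into one category."""
    return Counter(r["type"] for r in records)


def event_count(records) -> int:
    """Records sharing a serial number belong to the same event."""
    return len({r["serial"] for r in records if "serial" in r})


def records_of_type(records, rtype):
    return [r for r in records if r["type"] == rtype]


def injection_check():
    """Returns (decoded name, uid seen in the encoded PATH record, uid seen in
    the naive one). A forged uid only appears when the name is written verbatim."""
    encoded = records_of_type(parse_log(SAMPLE_LOG), "PATH")[0]
    naive = parse_record(NAIVE_PATH_LINE)
    return encoded["name"], encoded.get("uid"), naive.get("uid")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("events:", event_count(recs))
    for rtype, n in summary(recs).most_common():
        print(f"{n:4d}  {rtype}")
    name, enc_uid, naive_uid = injection_check()
    print("decoded PATH name:", repr(name))
    print("forged uid seen (encoded / naive):", enc_uid, "/", naive_uid)
```

On a real system the same decoding is what `ausearch -i` does for you; the point of doing it by hand here is to see why the hex form exists: with the name written verbatim, the parser sees a second `uid=0` field on the PATH record, with the encoding it does not.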