From: "Boyce, Kevin P [US] (AS)"
Subject: Auditd syslog plugin
Date: Mon, 4 Jun 2018 13:02:04 +0000
Message-ID: <4f9940d24abf490689b29c52280cdf9e@XCGVAG30.northgrum.com>
To: linux-audit@redhat.com

All,

After enabling the syslog plugin for audispd and sending logs to a remote server I am seeing every event being written to /var/log/messages locally, which is filling up /var.

This is all redundant since local audit logs are kept in /var/log/audit. Is there a way to prevent the auditd syslog plugin from writing to /var/log/messages?

Thanks,
Kevin

From: Steve Grubb
Subject: Re: Auditd syslog plugin
Date: Mon, 04 Jun 2018 18:11:01 -0400
Message-ID: <2348690.m2sBkKRHdC@x2>
In-Reply-To: <4f9940d24abf490689b29c52280cdf9e@XCGVAG30.northgrum.com>
To: linux-audit@redhat.com

On Monday, June 4, 2018 9:02:04 AM EDT Boyce, Kevin P [US] (AS) wrote:
> All,
>
> After enabling the syslog plugin for audispd and sending logs to a remote
> server I am seeing every event being written to /var/log/messages locally
> which is filling up /var.
>
> This is all redundant since local audit logs are kept in /var/log/audit.
> Is there a way to prevent auditd syslog plugin from writing to
> /var/log/messages?

That is pretty much what the plugin does. It writes all events to syslog, which, based on rules in /etc/rsyslog.conf, decides what to do with the text. Typically it is to write everything to /var/log/messages.

However, you can assign a specific facility to the audit events in the /etc/audisp/plugins.d/syslog.conf file and then in rsyslog.conf exclude the facility by putting .none on the /var/log/messages line.

-Steve

From: John Jasen
Subject: Re: Auditd syslog plugin
Date: Mon, 4 Jun 2018 19:32:51 -0400
Message-ID: <4a7bb53d-d76e-db82-b36d-50b693753afc@gmail.com>
In-Reply-To: <2348690.m2sBkKRHdC@x2>
To: linux-audit@redhat.com

If you're on a system using rsyslog, you can also leverage imfile and send it directly to a remote logserver. rsyslog event queuing also handles interruptions in remote logging more gracefully than audispd syslog.

On 06/04/2018 06:11 PM, Steve Grubb wrote:
> On Monday, June 4, 2018 9:02:04 AM EDT Boyce, Kevin P [US] (AS) wrote:
>> All,
>>
>> After enabling the syslog plugin for audispd and sending logs to a remote
>> server I am seeing every event being written to /var/log/messages locally
>> which is filling up /var.
>>
>> This is all redundant since local audit logs are kept in /var/log/audit.
>> Is there a way to prevent auditd syslog plugin from writing to
>> /var/log/messages?
> That is pretty much what the plugin does. It writes all events to syslog
> which based on rules in /etc/rsyslog.conf decides what to do with the text.
> Typically it is to write everything to /var/log/messages.
>
> However, you can assign a specific facility to the audit events in the
> /etc/audisp/plugins.d/syslog.conf file and then in rsyslog.conf exclude the
> facility by putting .none on the /var/log/messages line.
>
> -Steve
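The two approaches in this thread, written out as an added configuration example (not config posted by any of the participants): Steve's facility-plus-.none exclusion in the audispd syslog plugin and rsyslog.conf, and John's alternative of having rsyslog's imfile read audit.log and forward it through a disk-assisted queue. The facility local6, the collector name loghost.example.com, the ruleset and queue names, and the queue sizing are assumptions chosen for the example; the /var/log/messages selector line is the one shipped in the default RHEL rsyslog.conf and should be adapted to whatever the existing line says.

```conf
# ---- Option A (Steve's suggestion): give audispd's syslog output its own facility
# /etc/audisp/plugins.d/syslog.conf  (on audit 3.x the directory is /etc/audit/plugins.d)
active = yes
direction = out
path = builtin_syslog
type = builtin
# first arg is the priority, optional second arg is the facility;
# LOG_LOCAL6 is an assumed, otherwise unused facility on this host
args = LOG_INFO LOG_LOCAL6
format = string

# /etc/rsyslog.conf (legacy selector syntax, default RHEL line plus local6.none)
# keep the audit copy out of the local catch-all file ...
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
# ... and ship only that facility to the collector (hostname is a placeholder)
local6.*    @@loghost.example.com:514

# ---- Option B (John's suggestion): set active = no in the plugin file above and
# let rsyslog tail /var/log/audit/audit.log itself. RainerScript syntax (rsyslog 7+).
module(load="imfile")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit"
      Facility="local6"
      Severity="info"
      ruleset="auditfwd")        # bound ruleset, so these lines never reach the default rules
ruleset(name="auditfwd") {
    action(type="omfwd"
           Target="loghost.example.com" Port="514" Protocol="tcp"
           queue.type="LinkedList"          # in-memory queue, spills to disk when full
           queue.filename="auditfwd_q"      # spool file prefix under the rsyslog work directory
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"        # persist queued events across rsyslog restarts
           action.resumeRetryCount="-1")    # retry the collector indefinitely instead of dropping
}
```

In option A the local /var/log/audit/audit.log written by auditd stays the authoritative record; the syslog copy exists only to reach the collector, so excluding it from /var/log/messages loses nothing locally. In option B the imfile input is bound to its own ruleset, so the tailed events bypass the default rules entirely and a local6.none entry is not needed; the queue parameters are what give rsyslog the graceful handling of collector outages John refers to, since events accumulate on disk rather than being dropped when the TCP session is down. Do not run both options at once on the same host, or the collector receives every event twice.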