public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: RHEL7 audispd syslog journal question
Date: Tue, 11 Jun 2019 08:44:30 -0400
Message-ID: <4611954.16RxT8IaCd@x2>
In-Reply-To: <07fef14388544a36828818d3e0691f3c@XCGVAG30.northgrum.com>

On Tuesday, June 11, 2019 8:14:30 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Does anyone have any ideas how to prevent the journal from filling up with
> events that come from audispd?

On RHEL 7, there is no systemd-journald-audit.socket. So, if you are wrapping 
events to syslog, then that is how it gets filled. In general, systems that 
have the systemd-journald-audit.socket can just mask it to prevent that path.

systemctl mask systemd-journald-audit.socket

> There is a double penalty due to this and it really slows down my system
> with a lot of rules in place.

Might also want to limit log size:

sed -i "/^#SystemMaxUse/s/#SystemMaxUse=/SystemMaxUse=200/" /etc/systemd/journald.conf

 
> I have audispd syslog plugin enabled to send remotely as LOG_LOCAL5.
> Auditd is also writing output to /var/log/audit/audit.log.

If you wanted to restore your system to something that resembles normal 
systems, then you can do something along these lines:

## Disable journald
systemctl mask systemd-journald.service
systemctl mask systemd-journald-dev-log.socket
systemctl mask systemd-journald.socket
systemctl mask systemd-journal-flush.service
systemctl mask systemd-journal-catalog-update.service
systemctl mask syslog.socket
## Enable rsyslog to handle logging
sed -i "/SysSock.Use/s/off/on/" /etc/rsyslog.conf
sed -i "/imjournal/s/module/#module/" /etc/rsyslog.conf
sed -i "/StateFile/s/^/#/" /etc/rsyslog.conf
sed -i "/imklog/s/#module/module/" /etc/rsyslog.conf

I tested this on recent Fedora. So, there may be some differences between F29 
and RHEL 7. But this should be enough that you can experiment to finish it off. 
After this, syslog is actually usable like it used to be.
 
-Steve

> If you do journalctl -u auditd you also see copies of the syslog events. 
> Is there any way to prevent this behavior? I did find this RedHat page but
> it doesn't really sound like a good solution, having to modify selinux
> policy. https://bugzilla.redhat.com/show_bug.cgi?id=1419388
> 
> Thanks,
> Kevin
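The sed edits in Steve's reply rewrite /etc/rsyslog.conf and /etc/systemd/journald.conf in place, and the rsyslog.conf layout differs between Fedora releases and RHEL 7, so it is worth rehearsing them on copies before touching the live files. The script below is an added example and is not part of the thread: it writes constructed samples of the relevant config lines (modelled on the Fedora default rsyslog.conf module() syntax, which is an assumption about your system) into a scratch directory, applies the same sed expressions there, and checks that each edit landed. It uses a portable sed-to-temp-file helper instead of GNU `sed -i`, and defaults the journal cap to `200M` rather than the reply's bare `200`, because journald reads an unsuffixed number as bytes. The audit-socket probe is informational only and is skipped when systemctl is unavailable.

```shell
#!/bin/sh
# Added example, not from the original thread: dry-run the reply's rsyslog and
# journald edits on constructed copies, then verify the outcome before editing /etc.
set -eu

WORK="${TMPDIR:-/tmp}/journal-dryrun.$$"
MAX_USE="${MAX_USE:-200M}"   # assumption: cap the journal at 200 MiB (a bare 200 would mean bytes)
mkdir -p "$WORK"

# Constructed samples of the lines the sed expressions target (Fedora-style module() syntax).
write_samples() {
    cat > "$WORK/rsyslog.conf" <<'EOF'
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
EOF
    cat > "$WORK/journald.conf" <<'EOF'
[Journal]
#Storage=auto
#SystemMaxUse=
EOF
}

# Portable in-place edit: sed expression $1 applied to file $2 via a temp file.
edit() {
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# The reply's edits, applied to the scratch copies instead of /etc.
apply_edits() {
    edit "/^#SystemMaxUse/s/#SystemMaxUse=/SystemMaxUse=$MAX_USE/" "$WORK/journald.conf"
    edit "/SysSock.Use/s/off/on/"        "$WORK/rsyslog.conf"   # rsyslog owns /dev/log again
    edit "/imjournal/s/module/#module/"  "$WORK/rsyslog.conf"   # stop reading from the journal
    edit "/StateFile/s/^/#/"             "$WORK/rsyslog.conf"   # comment imjournal's continuation line
    edit "/imklog/s/#module/module/"     "$WORK/rsyslog.conf"   # read kernel messages directly
}

# Returns 0 only when every edit produced the intended line.
verify_edits() {
    grep -q 'SysSock.Use="on"'                 "$WORK/rsyslog.conf"  || return 1
    grep -q '^#module(load="imjournal"'        "$WORK/rsyslog.conf"  || return 1
    grep -q '^#[[:space:]]*StateFile='         "$WORK/rsyslog.conf"  || return 1
    grep -q '^module(load="imklog")'           "$WORK/rsyslog.conf"  || return 1
    grep -q "^SystemMaxUse=$MAX_USE\$"         "$WORK/journald.conf" || return 1
    return 0
}

# Reports the audit socket's unit-file state: "masked", "enabled", "static", ...,
# "absent" when the unit does not exist (the RHEL 7 case), or "no-systemctl".
audit_socket_state() {
    command -v systemctl >/dev/null 2>&1 || { echo "no-systemctl"; return 0; }
    state=$(systemctl is-enabled systemd-journald-audit.socket 2>/dev/null) || true
    echo "${state:-absent}"
}

write_samples
apply_edits
if verify_edits; then
    echo "dry-run OK: edited copies are in $WORK"
else
    echo "dry-run FAILED: inspect $WORK before touching /etc" >&2
fi
echo "systemd-journald-audit.socket: $(audit_socket_state)"
```

Diff the edited copies against the originals (or against your real /etc files) before running the same expressions for real; if `verify_edits` fails on a copy of your actual rsyslog.conf, the RHEL 7 layout differs from the sample and the expressions need adjusting rather than blind application.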
