* RHEL7 audispd syslog journal question
@ 2019-06-11 12:14 Boyce, Kevin P [US] (AS)
2019-06-11 12:44 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2019-06-11 12:14 UTC (permalink / raw)
To: linux-audit@redhat.com
[-- Attachment #1.1: Type: text/plain, Size: 652 bytes --]
Does anyone have any ideas how to prevent the journal from filling up with events that come from audispd?
There is a double penalty due to this and it really slows down my system with a lot of rules in place.
I have audispd syslog plugin enabled to send remotely as LOG_LOCAL5.
Auditd is also writing output to /var/log/audit/audit.log.
If you do journalctl -u auditd you also see copies of the syslog events. Is there any way to prevent this behavior?
I did find this RedHat page but it doesn't really sound like a good solution, having to modify selinux policy.
https://bugzilla.redhat.com/show_bug.cgi?id=1419388
Thanks,
Kevin
[-- Attachment #1.2: Type: text/html, Size: 2925 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: RHEL7 audispd syslog journal question
2019-06-11 12:14 RHEL7 audispd syslog journal question Boyce, Kevin P [US] (AS)
@ 2019-06-11 12:44 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2019-06-11 12:44 UTC (permalink / raw)
To: linux-audit
On Tuesday, June 11, 2019 8:14:30 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Does anyone have any ideas how to prevent the journal from filling up with
> events that come from audispd?
On RHEL 7, there is no systemd-journald-audit.socket. So, if you are wrapping
events to syslog, then that is how it gets filled. In general, systems that
hae the systemd-journald-audit.socket can just mask it to prevent that path.
systemctl mask systemd-journald-audit.socket
> There is a double penalty due to this and it really slows down my system
> with a lot of rules in place.
Might also want to limit log size:
sed -i "/^#SystemMaxUse/s/#SystemMaxUse=/SystemMaxUse=200/" /etc/systemd/
journald.conf
> I have audispd syslog plugin enabled to send remotely as LOG_LOCAL5.
> Auditd is also writing output to /var/log/audit/audit.log.
If you wanted to restore your system to something that resembles normal
systems, then you can do something along these lines:
## Disable journald
systemctl mask systemd-journald.service
systemctl mask systemd-journald-dev-log.socket
systemctl mask systemd-journald.socket
systemctl mask systemd-journal-flush.service
systemctl mask systemd-journal-catalog-update.service
systemctl mask syslog.socket
## Enable rsyslog to handle logging
sed -i "/SysSock.Use/s/off/on/" /etc/rsyslog.conf
sed -i "/imjournal/s/module/#module/" /etc/rsyslog.conf
sed -i "/StateFile/s/^/#/" /etc/rsyslog.conf
sed -i "/imklog/s/#module/module/" /etc/rsyslog.conf
I tested this on recent Fedora. So, there may be some differences between F29
and RHEL 7. But this should be enough that you can experiment to finish it off.
After this, syslog is actually usable like it used to be.
-Steve
> If you do journalctl -u auditd you also see copies of the syslog events.
> Is there any way to prevent this behavior? I did find this RedHat page but
> it doesn't really sound like a good solution, having to modify selinux
> policy. https://bugzilla.redhat.com/show_bug.cgi?id=1419388
>
> Thanks,
> Kevin
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-11 12:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-11 12:14 RHEL7 audispd syslog journal question Boyce, Kevin P [US] (AS)
2019-06-11 12:44 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox