From: John Jasen
Subject: Re: Auditd syslog plugin
Date: Mon, 4 Jun 2018 19:32:51 -0400
Message-ID: <4a7bb53d-d76e-db82-b36d-50b693753afc@gmail.com>
References: <4f9940d24abf490689b29c52280cdf9e@XCGVAG30.northgrum.com> <2348690.m2sBkKRHdC@x2>
In-Reply-To: <2348690.m2sBkKRHdC@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

If you're on a system using rsyslog, you can also leverage imfile and send it directly to a remote logserver. rsyslog event queuing also handles interruptions in remote logging more gracefully than audispd syslog.
On 06/04/2018 06:11 PM, Steve Grubb wrote:
> On Monday, June 4, 2018 9:02:04 AM EDT Boyce, Kevin P [US] (AS) wrote:
>> All,
>>
>> After enabling the syslog plugin for audispd and sending logs to a remote
>> server I am seeing every event being written to /var/log/messages locally
>> which is filling up /var.
>>
>> This is all redundant since local audit logs are kept in /var/log/audit.
>> Is there a way to prevent auditd syslog plugin from writing to
>> /var/log/messages?
> That is pretty much what the plugin does. It writes all events to syslog
> which based on rules in /etc/rsyslog.conf decides what to do with the text.
> Typically it is to write everything to /var/log/messages.
>
> However, you can assign a specific facility to the audit events in the /etc/
> audisp/plugins.d/syslog.conf file and then in rsyslog.conf exclude the
> facility by putting .none on the /var/log/messages line.
>
> -Steve
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
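Worked configuration for both suggestions in this thread (Steve's dedicated facility plus a .none exclusion, and John's imfile alternative). This is an added example, not configuration posted by either of them or shipped by the audit or rsyslog projects. The log server name and port, the queue names, the rsyslog.d file names and the choice of LOG_LOCAL6 are placeholders; pick values that fit your site.

```conf
## Added example (not from the thread). Part 1: audisp syslog plugin tagged
## with its own facility, rsyslog keeps that facility out of /var/log/messages
## and forwards it through a disk-assisted queue.

# --- /etc/audisp/plugins.d/syslog.conf (path as named in the thread; audit 3.x
# --- moved it to /etc/audit/plugins.d/syslog.conf)
active = yes
direction = out
path = builtin_syslog
type = builtin
# First argument is the priority, optional second is the facility.
# LOG_LOCAL6 (placeholder choice) keeps audit events separable from all other syslog traffic.
args = LOG_INFO LOG_LOCAL6
format = string

# --- /etc/rsyslog.conf: add local6.none to the catch-all line so audit events
# --- no longer land in /var/log/messages (rest of the line is the stock RHEL default)
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages

# --- /etc/rsyslog.d/10-audit-forward.conf (hypothetical file name)
# Disk-assisted queue for the forwarding action: while the log server is
# unreachable, events spool to disk and are retried forever instead of being dropped.
$ActionQueueType LinkedList
$ActionQueueFileName auditfwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# @@ = TCP (a single @ would be UDP); host and port are placeholders
local6.*    @@logserver.example.com:514

## Part 2, the imfile alternative: leave the audisp syslog plugin at
## "active = no" and let rsyslog tail /var/log/audit/audit.log itself.
## Binding the input to its own ruleset means those lines never pass through
## the default ruleset, so nothing reaches /var/log/messages and no .none
## exclusion is needed.
# --- /etc/rsyslog.d/10-audit-imfile.conf (hypothetical file name)
module(load="imfile")

ruleset(name="auditfwd") {
    action(type="omfwd"
           target="logserver.example.com" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="auditimfile"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit:"
      Facility="local6"
      Severity="info"
      ruleset="auditfwd")
```

Two checks before relying on either variant: run `rsyslogd -N1` to validate the configuration before restarting rsyslog (and restart auditd after changing the plugin file), and confirm rsyslog can actually read the audit log in the imfile variant, since auditd writes /var/log/audit/audit.log root-only by default, so a rsyslog instance that has dropped privileges will silently read nothing. Note that the .none exclusion in Part 1 only affects the /var/log/messages line; any other catch-all rule in your rsyslog configuration still receives the local6 events unless you exclude them there too.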