* sending audit logs only to audit.log via rsyslog
From: kathy lyons @ 2023-05-10 13:43 UTC (permalink / raw)
  To: linux-audit



Good morning.  I am trying to get the audit logs to be written only to
audit.log.  Currently they are written to audit.log as well as syslog.
Here is my rsyslog.conf file - what am I doing wrong?

    module(load="imfile")
    module(load="imklog")
    module(load="imjournal")

    global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128k")

    $IncludeConfig /etc/rsyslog.d/*.conf
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    ##################### rules
    # A leading "-" on the file name means write without syncing after each
    # message; a leading "~" is rsyslog's legacy "discard" action, not a path.
    audit.*                      -/var/log/audit/audit.log
    auth.warning;authpriv.info   -/var/log/auth.log
    *.*;auth,authpriv.none       -/var/log/syslog
    cron.info                    -/var/log/cron.log
    daemon.info                  -/var/log/daemon.log
    kern.*                       -/var/log/kern.log
    user.info                    -/var/log/user.log


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: sending audit logs only to audit.log via rsyslog
From: Steve Grubb @ 2023-05-10 13:51 UTC (permalink / raw)
  To: linux-audit

On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
>  Good morning.  I am trying to get the audit logs to be written only to
> audit.log.  Currently they are written to audit.log as well as syslog.
> Here is my rsyslog.conf file - what am I doing wrong?
> 
>     module(load="imfile")
>     module(load="imklog")
>     module(load="imjournal")
> 
>     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128k")
> 
>     $IncludeConfig /etc/rsyslog.d/*.conf
>     $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> 
>     ##################### rules
>     audit.*                      -/var/log/audit/audit.log
>     auth.warning;authpriv.info   -/var/log/auth.log
>     *.*;auth,authpriv.none       -/var/log/syslog
>     cron.info                    -/var/log/cron.log
>     daemon.info                  -/var/log/daemon.log
>     kern.*                       -/var/log/kern.log
>     user.info                    -/var/log/user.log

The thing that is writing them to rsyslog is systemd-journald. You can stop 
this by running:

systemctl mask systemd-journald-audit.socket
systemctl stop systemd-journald-audit.socket

Then you will only have logs written to the audit log.

-Steve





* Re: sending audit logs only to audit.log via rsyslog
From: kathy lyons @ 2023-05-10 15:51 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Great - so I don't need the line below in my rsyslog.conf file?

                 audit.*               -/var/log/audit/audit.log

On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> >  Good morning.  I am trying to get the audit logs to be written only to
> > audit.log.  Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> >     module(load="imfile")
> >     module(load="imklog")
> >     module(load="imjournal")
> >
> >     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128k")
> >
> >     $IncludeConfig /etc/rsyslog.d/*.conf
> >     $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> >     ##################### rules
> >     audit.*                      -/var/log/audit/audit.log
> >     auth.warning;authpriv.info   -/var/log/auth.log
> >     *.*;auth,authpriv.none       -/var/log/syslog
> >     cron.info                    -/var/log/cron.log
> >     daemon.info                  -/var/log/daemon.log
> >     kern.*                       -/var/log/kern.log
> >     user.info                    -/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can stop
> this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve
>
>
>




* Re: sending audit logs only to audit.log via rsyslog
From: Steve Grubb @ 2023-05-10 16:11 UTC (permalink / raw)
  To: kathy lyons; +Cc: linux-audit

On Wednesday, May 10, 2023 11:51:04 AM EDT kathy lyons wrote:
> Great - so I don't need the line below in my rsyslog.conf file?
> 
>                  audit.*               -/var/log/audit/audit.log

No, that's not needed. The whole problem is caused by journald. It connects to 
a best effort multicast socket to get audit events. It then writes them to 
rsyslog in addition to the journal. Meanwhile, auditd connects to the real 
netlink interface and grabs events from the kernel and writes them to disk 
itself. No one needs 3 separate audit logs.

After masking journald's audit socket, all you need to do is have the audit 
daemon enabled. Then everything should work out. And you should find that 
audit events written by auditd have slightly better information.

-Steve

> On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > > Good morning.  I am trying to get the audit logs to be written only to
> > > audit.log.  Currently they are written to audit.log as well as syslog.
> > > Here is my rsyslog.conf file - what am I doing wrong?
> > > 
> > >     module(load="imfile")
> > >     module(load="imklog")
> > >     module(load="imjournal")
> > > 
> > >     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128k")
> > > 
> > >     $IncludeConfig /etc/rsyslog.d/*.conf
> > >     $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > > 
> > >     ##################### rules
> > >     audit.*                      -/var/log/audit/audit.log
> > >     auth.warning;authpriv.info   -/var/log/auth.log
> > >     *.*;auth,authpriv.none       -/var/log/syslog
> > >     cron.info                    -/var/log/cron.log
> > >     daemon.info                  -/var/log/daemon.log
> > >     kern.*                       -/var/log/kern.log
> > >     user.info                    -/var/log/user.log
> > 
> > The thing that is writing them to rsyslog is systemd-journald. You can
> > stop
> > this by running:
> > 
> > systemctl mask systemd-journald-audit.socket
> > systemctl stop systemd-journald-audit.socket
> > 
> > Then you will only have logs written to the audit log.
> > 
> > -Steve





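Steve's two replies above give the fix (mask and stop systemd-journald-audit.socket) and the reason for it (journald picks audit events up from the audit netlink multicast group and hands them to rsyslog, while auditd reads the kernel's real netlink interface and writes audit.log itself). The script below is an added example for this thread, not code from the list, the audit project or systemd: it applies that fix and then verifies, with a test event it generates itself, that the record shows up in auditd's log and not in the journal. It assumes a systemd host with the audit userspace installed (auditd, auditctl, ausearch) and root privileges; the unit name, the auditctl/ausearch options and the journal field _TRANSPORT=audit are real, the function names and the marker text are this script's own.

```shell
#!/bin/sh
# Added example (not from the thread): make auditd the only consumer of audit
# events and prove it. Assumes systemd, auditd/auditctl/ausearch, and root.
set -u

# Pure decision helper so the logic can be exercised without systemd.
#   $1: output of `systemctl is-enabled systemd-journald-audit.socket` (masked, static, ...)
#   $2: output of `systemctl is-active  systemd-journald-audit.socket` (active, inactive)
#   $3: output of `systemctl is-active  auditd`                        (active, inactive)
# Prints "ok" when audit events can only reach auditd, otherwise the first defect.
audit_sink_verdict() {
    sock_enabled=$1 sock_active=$2 auditd_active=$3
    [ "$sock_enabled" = masked ]  || { echo journald-audit-socket-not-masked; return 1; }
    [ "$sock_active" != active ]  || { echo journald-audit-socket-still-active; return 1; }
    [ "$auditd_active" = active ] || { echo auditd-not-running; return 1; }
    echo ok
}

# Same verdict, fed from the live system.
current_verdict() {
    audit_sink_verdict \
        "$(systemctl is-enabled systemd-journald-audit.socket 2>/dev/null)" \
        "$(systemctl is-active systemd-journald-audit.socket 2>/dev/null)" \
        "$(systemctl is-active auditd 2>/dev/null)"
}

# The two commands from the thread, plus making sure auditd is enabled so it
# stays the one reader of the kernel's audit netlink interface across reboots.
apply_fix() {
    systemctl mask systemd-journald-audit.socket
    systemctl stop systemd-journald-audit.socket
    systemctl enable --now auditd
}

# End-to-end check: emit a user-space audit record (record type USER) carrying a
# unique marker, then look for it in auditd's log and in the journal. After the
# fix it must be present in the former and absent from the latter; journald
# tags the audit copies it used to make with _TRANSPORT=audit.
verify_single_sink() {
    marker="audit-sink-check-$$"
    auditctl -m "$marker" >/dev/null || { echo "could not send test event"; return 2; }
    # auditd's flush policy (auditd.conf) may delay the disk write slightly.
    sleep 2
    ausearch -ts recent -m USER 2>/dev/null | grep -q "$marker" \
        || { echo "test event missing from auditd log"; return 1; }
    if journalctl --since "2 min ago" _TRANSPORT=audit 2>/dev/null | grep -q "$marker"; then
        echo "test event still duplicated into the journal"
        return 1
    fi
    echo "single sink confirmed: $marker reached only auditd"
}

case "${1:-}" in
    apply) apply_fix && current_verdict && verify_single_sink ;;
    check) current_verdict && verify_single_sink ;;
esac
```

Run it once as root with `apply`, and later with `check` whenever you want to confirm nothing (a package update, a re-enabled socket) has reopened the journald path. If `ausearch` does not find the marker on the first try, rerun `check` before concluding the event was lost: with the default incremental flush policy auditd can lag the disk by a moment, which is a different problem from the duplication this thread is about.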