<div dir="ltr"><div>Hi</div><div><br></div><div>My name is Takehara liveng in japan.</div><div><br></div><div>Now I set up audit.rules, then audit.log became very big.</div><div>The reason why is keepalived daemon and it's misc check shell adds some entry every seconds.</div><div>I want to suppress or exclude log entry, and I searched the way like this.</div><div> => <a href="https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html">https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html</a><br></div><div>but I could not get effective answer.</div><div><br></div><div><div>Could you please tell me someone an effective way?<br></div></div><div><br></div><div><br></div><div>This is the audit.rules below.</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># First rule - delete all<br>-D<br># Increase the buffers to survive stress events.<br># Make this bigger for busy systems<br>-b 320<br># Feel free to add below this line. See auditctl man page<br>-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate<br>-a exit,always -F arch=b64 -S open -F uid=10<br>-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa<br>-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh<br>-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT<br>-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT<br>-w /etc/sudoers -p wa -k sudoers-change<br>-w /etc/ -p wa<br>-w /var/lib/mysql -p wa</blockquote></div><div><br></div><div><br></div><div>- keepalived is checking every seconds.</div><div> /usr/sbin/keepalived</div><div>- misc check program</div><div> /root/mysql_status_check.sh</div><div>
<p class="">type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)</p><p class="">type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)</p></div><div><div>type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)</div></div><div><br></div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>=========================</div><div>Cloud ASIA Co., Ltd. [ 株式会社クラウドエイジア ]</div><div>Founder & CEO Takehara Toshihiro</div><div><br></div><div><div> 〒174-0073</div><div> 33-14-101, Higashiyama-cho, Itabashi-ku, Tokyo, Japan</div></div><div> TEL: +81-3-6869-2994 FAX: +81-3-6869-3974</div><div> Mobile: +81-90-4737-8137<br></div> Mobile in Laos: +856-20-5912-2188<div><span style="color:rgb(40,44,51);font-family:MSPゴシック,Osaka,'\0030d2\0030e9\0030ae\0030ce\0089d2\0030b4Pro W3',sans-serif;font-size:12px;background-color:rgb(247,249,252)"> </span><a href="http://www.cloud-asia.co.jp" target="_blank">http://www.cloud-asia.co.jp</a><br></div><div> <a href="http://www.facebook.com/cloud.asia.japan" target="_blank">http://www.facebook.com/cloud.asia.japan</a></div><div> <a href="mailto:takehara@cloud-asia.co.jp" style="color:rgb(17,85,204)" target="_blank">takehara@cloud-asia.co.jp</a></div><div><br></div><div>Lao Systems [ ラオシステムズ ]</div><div><div> Founder & CEO Takehara Toshihiro</div></div><div> <a href="http://lao-systems.jp/" target="_blank">http://lao-systems.jp/</a></div><div><div>=========================<br></div></div><div><br></div></div></div></div>
</div>