Audit not taking rules

Steve Grubb sgrubb at redhat.com
Thu Jul 3 11:49:07 UTC 2008


On Wednesday 02 July 2008 18:44:49 Bo wrote:
> I have a RHEL 4 install (update 5).
>
> [root at master ~]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending watch insert request (Invalid argument)
> There was an error in line 26 of /etc/audit.rules

What is in line 26 of the rules?


> Can anyone point me to a solution?
> audit version 1.0.15
> kernel 2.6.22.5

This is not a RHEL4 kernel. You need to use RHEL4's kernel with the RHEL4 user 
space audit tools. This is undoubtedly the problem. The audit system evolved 
over time and some things were deprecated and some things were added. The 
user space tools hide this as long as you use the right ones.

-Steve



