Suppressing logs with kernel.printk

Richard Guy Briggs rgb at redhat.com
Tue Jan 21 15:12:35 UTC 2014


On 14/01/21, Aaron Lewis wrote:
> Sorry I mean, kauditd.
> 
> I already killed the auditd daemon; only the kernel thread is running.
> 
> On Tue, Jan 21, 2014 at 3:59 PM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> > Hi,
> >
> > I'm trying to suppress logs from auditd with sysctl options,
> >
> > So I set kernel.printk to 4 4 4 4
> >
> > And modified KLOGD_OPTIONS to "-x -c 4"
> >
> > Then I restarted syslogd and klogd
> >
> > But I still see auditd logs piling up, anything wrong? auditd is using
> > kernel.notice for sure

It'll be hard to separate the kaudit messages in syslog because they will
come through as a kernel type (as opposed to any other type syslog knows
how to filter), unless you can filter on "kernel: audit: ", since audit:
is a "subtype" of kernel.

> > Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/

> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
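
The content filter suggested in the reply above, as an added example that is not part of the original message: it splits kauditd records out of a syslog stream by matching the "kernel: audit: " prefix, so they can be routed to their own file instead of being lost among other kernel-facility lines. The line layout, the sample lines and the names split_kaudit, KAUDIT_RE and RECORD_RE are assumptions constructed for illustration.

```python
import re

# Assumed syslog layout (constructed from the "kernel: audit: " hint above):
#   <Mon DD HH:MM:SS> <host> kernel: [optional uptime] audit: <record>
KAUDIT_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\skernel:\s"
    r"(?:\[\s*\d+\.\d+\]\s)?audit:\s(?P<rest>.*)$"
)
# Structured audit record: type=N audit(EPOCH:SERIAL): body
RECORD_RE = re.compile(
    r"type=(?P<type>\d+)\saudit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s?(?P<body>.*)"
)

def split_kaudit(lines):
    """Return (audit_records, other_lines) for an iterable of syslog lines."""
    audit, other = [], []
    for line in lines:
        line = line.rstrip("\n")
        m = KAUDIT_RE.match(line)
        if not m:
            # Not a kernel-tagged "audit:" line: other kernel output or userspace.
            other.append(line)
            continue
        entry = {"host": m.group("host"), "raw": m.group("rest")}
        rec = RECORD_RE.match(m.group("rest"))
        if rec:
            # Keep type and serial so records of one event can be regrouped later.
            entry["type"] = int(rec.group("type"))
            entry["epoch"] = float(rec.group("epoch"))
            entry["serial"] = int(rec.group("serial"))
        audit.append(entry)
    return audit, other

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    'Jan 21 15:12:35 host1 kernel: audit: type=1400 audit(1390317155.123:45): avc:  denied  { read } for pid=1234 comm="cat"',
    "Jan 21 15:12:36 host1 kernel: [ 1234.567890] audit: type=1300 audit(1390317156.001:46): arch=c000003e syscall=2 success=no",
    "Jan 21 15:12:37 host1 kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci",
    "Jan 21 15:12:38 host1 sshd[999]: audit: userspace text that only looks similar",
    "Jan 21 15:12:39 host1 kernel: audit: audit_lost=3 audit_rate_limit=0 audit_backlog_limit=64",
]

if __name__ == "__main__":
    records, rest = split_kaudit(SAMPLE)
    for r in records:
        print(r.get("type", "-"), r.get("serial", "-"), r["raw"][:60])
    print(len(rest), "non-audit lines left in the main log")
```

The userspace line from sshd is deliberately left in the main log: only lines tagged as coming from the kernel and carrying the audit: subtype are treated as kauditd output.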
