Suppressing logs with kernel.printk

Aaron Lewis the.warl0ck.1989 at gmail.com
Tue Jan 21 23:47:09 UTC 2014


Hmm I mean, I checked the source code,

When the audit queue is full, it uses printk + NOTICE, so I think I could
just drop every log that is >= kern.notice

On Tue, Jan 21, 2014 at 11:12 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 14/01/21, Aaron Lewis wrote:
>> Sorry I mean, kauditd.
>>
>> I already killed the auditd daemon, only kernel thread is running
>>
>> On Tue, Jan 21, 2014 at 3:59 PM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>> > Hi,
>> >
>> > I'm trying to suppress logs from auditd with sysctl options,
>> >
>> > So I set kernel.printk to 4 4 4 4
>> >
>> > And modified KLOGD_OPTIONS to "-x -c 4"
>> >
>> > Then I restarted syslogd and klogd
>> >
>> > But I still see auditd logs piling up, anything wrong? auditd is using
>> > kernel.notice for sure
>
> It'll be hard to separate the kaudit messages in syslog because it will
> come through as a kernel type (as opposed to any other type syslog knows
> how to filter), unless you can filter on "kernel: audit: ", since audit:
> is a "subtype" of kernel.
>
>> > Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>
>> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
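An added example, not part of the thread, that models the two points discussed above: the first field of kernel.printk is the console loglevel, which only decides what the console shows (every printk still reaches the ring buffer that klogd/rsyslog read), and a syslog-side text filter on "kernel: audit: " is what separates the kaudit lines. The sample syslog lines and the helper names are constructed for this example.

```python
import re

# kernel.printk holds four integers; only the first (console_loglevel)
# controls what the console prints. Messages at any level still go to the
# kernel log buffer, which is what klogd/rsyslog read, so "4 4 4 4" does
# not stop them from reaching syslog.
FIELDS = ("console_loglevel", "default_message_loglevel",
          "minimum_console_loglevel", "default_console_loglevel")

KERN_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
               "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_printk(value):
    """Parse the contents of /proc/sys/kernel/printk, e.g. '4 4 4 4'."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("kernel.printk must have exactly four fields")
    return dict(zip(FIELDS, map(int, parts)))


def reaches_console(level, printk):
    """The kernel prints a message on the console only if level < console_loglevel."""
    return level < printk["console_loglevel"]


# The filter from the reply above: kaudit lines arrive as facility "kernel"
# with an "audit: " prefix, so match that substring in the syslog text.
KAUDIT_RE = re.compile(r"kernel: audit: ")


def is_kaudit(syslog_line):
    return KAUDIT_RE.search(syslog_line) is not None


def split_kaudit(syslog_lines):
    """Return (kept, dropped): dropped holds the kaudit lines, kept the rest."""
    dropped = [line for line in syslog_lines if is_kaudit(line)]
    kept = [line for line in syslog_lines if not is_kaudit(line)]
    return kept, dropped


# Constructed sample syslog lines (hostnames, PIDs and values are made up).
SAMPLE = [
    "Jan 21 23:40:01 host kernel: audit: type=1400 audit(1390347601.123:45): example",
    "Jan 21 23:40:02 host kernel: audit: type=1300 audit(1390347602.456:46): example",
    "Jan 21 23:40:03 host kernel: usb 1-1: new high-speed USB device number 2",
    "Jan 21 23:40:04 host sshd[1234]: Accepted publickey for alice from 10.0.0.5",
]
```

With the thread's "4 4 4 4", a KERN_NOTICE (5) message is hidden from the console but still lands in syslog, which is why only the text filter removes it there.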



