Suppress or exclude messages from /var/log/audit.log via audit.rules

[Cloud ASIA] Toshihiro Takehara takehara at cloud-asia.co.jp
Fri Apr 3 15:23:56 UTC 2015


Hi

My name is Takehara, living in Japan.

I set up audit.rules, and then audit.log became very big.
The reason is that the keepalived daemon and its misc check shell script add
some entries every second.
I want to suppress or exclude these log entries, and I searched for a way, like this:
  => https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
but I could not get an effective answer.

Could someone please tell me an effective way?


This is the audit.rules:

> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> # Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> -a exit,always -F arch=b64 -S open -F uid=10
> -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> -w /etc/sudoers -p wa -k sudoers-change
> -w /etc/ -p wa
> -w /var/lib/mysql -p wa



- keepalived is checking every second.
  /usr/sbin/keepalived
- misc check program
  /root/mysql_status_check.sh

type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)

type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)

type=SYSCALL msg=audit(1427918414.323:2598135): arch=c000003e syscall=2
success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)


=========================
Cloud ASIA Co., Ltd. [ 株式会社クラウドエイジア ]
Founder & CEO Takehara Toshihiro

  〒174-0073
  33-14-101, Higashiyama-cho, Itabashi-ku, Tokyo, Japan
  TEL: +81-3-6869-2994  FAX: +81-3-6869-3974
  Mobile: +81-90-4737-8137
  Mobile in Laos: +856-20-5912-2188
  http://www.cloud-asia.co.jp
  http://www.facebook.com/cloud.asia.japan
  takehara at cloud-asia.co.jp

Lao Systems [ ラオシステムズ ]
  Founder & CEO Takehara Toshihiro
  http://lao-systems.jp/
=========================
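The rule set quoted above has an ordering problem that explains why the suppressions are not taking effect: auditctl evaluates the rules of a filter list in the order they were loaded and the first matching rule decides, so `-a exit,never` rules added after `-a exit,always` rules (and after `-w` watches, which are exit,always rules) never get a chance to match; auditctl(8) recommends putting suppressions at the top of the list for this reason. A second problem is that `-F path=/root/mysql_status_check.sh` matches syscalls whose target file is that script, not syscalls made by the script while it runs (those show `exe="/bin/bash"` in the log). The following is an added example, not code from the original post or from the audit project: a small linter that flags both problems in an audit.rules file and hoists `never` rules above the first `always` rule of their list. It embeds the posted rules as constructed sample input. Note that suppressing by executable (`-F exe=`) is only available on newer kernel and audit-userspace versions, and that excluding `/bin/bash` would also hide every other shell script on the host, so it is not a substitute for fixing the ordering.

```python
"""Lint an audit.rules file for '-a ...,never' suppressions that cannot fire.

auditctl walks the rules of a filter list in load order and the first rule
that matches decides the action, so an '-a exit,never' rule added after
'-a exit,always' rules (or '-w' watches, which are exit,always rules) on the
same list never suppresses anything.  '-A' prepends its rule, so it is not
affected and is left alone here.
"""
import re
import shlex

FILTER_LISTS = {"task", "exit", "user", "exclude", "filesystem"}

# The rules quoted in the post above, embedded as constructed sample input
# with the leading '> ' quote marks removed.
SAMPLE_RULES = """\
-D
-b 320
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
"""


def classify(rule):
    """Return (filter_list, action) for a rule line, or None for -D, -b,
    comments, blank lines and -A rules.  Both 'list,action' and 'action,list'
    spellings are accepted, as auditctl accepts them."""
    argv = shlex.split(rule, comments=True)
    if len(argv) < 2:
        return None
    if argv[0] == "-w":                    # a watch is an exit,always rule
        return ("exit", "always")
    if argv[0] == "-a":
        a, b = argv[1].split(",", 1)
        return (a, b) if a in FILTER_LISTS else (b, a)
    return None


def lint(text):
    """Return [(line_no, message)] for suppressions that cannot take effect."""
    findings = []
    first_always = {}                      # filter list -> line of its first 'always' rule
    for no, line in enumerate(text.splitlines(), 1):
        cls = classify(line)
        if cls is None:
            continue
        flist, action = cls
        if action == "always":
            first_always.setdefault(flist, no)
        elif action == "never":
            if flist in first_always:
                findings.append((no, "shadowed by the always rule on line %d; "
                                     "first match wins" % first_always[flist]))
            if re.search(r"-F\s+path=", line):
                findings.append((no, "-F path= matches the file being accessed, "
                                     "not the program that made the syscall"))
    return findings


def hoist_suppressions(text):
    """Move every '-a ...,never' rule in front of the first 'always' rule of
    its list, keeping the relative order of all rules; -D, -b and comments
    stay where they are."""
    lines = text.splitlines()
    pending = {}                           # filter list -> never rules not yet emitted
    for line in lines:
        cls = classify(line)
        if cls and cls[1] == "never":
            pending.setdefault(cls[0], []).append(line)
    out, done = [], set()
    for line in lines:
        cls = classify(line)
        if cls and cls[1] == "never":
            if cls[0] in done:
                continue                   # already hoisted above the always rules
            pending[cls[0]].remove(line)   # still ahead of any always rule: keep in place
        elif cls and cls[1] == "always" and cls[0] not in done:
            out.extend(pending.get(cls[0], []))
            done.add(cls[0])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, msg in lint(SAMPLE_RULES):
        print("line %d: %s" % (no, msg))
    print("--- reordered rules ---")
    print(hoist_suppressions(SAMPLE_RULES), end="")
```

Run it against a real `/etc/audit/audit.rules` by reading the file into `lint()`; any `shadowed` finding means the suppression is dead as loaded. The reordered output still carries the `-F path=` finding, because hoisting cannot fix a filter that matches the wrong object.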