LOG_WARN or LOG_WARNING?

leam hall leamhall at gmail.com
Tue Oct 4 15:29:20 UTC 2016


Hey Ryan,

If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line,
it prevents audisp from logging there even though audisp to syslog is
turned on.

Our end state is pretty simple, in theory. We want to have 1 copy of audit
events on the system for auditing and send a remote copy elsewhere.

On Tue, Oct 4, 2016 at 11:04 AM, Ryan Sawhill <rsawhill at redhat.com> wrote:

> On Tue, Oct 4, 2016 at 10:58 AM, leam hall <leamhall at gmail.com> wrote:
>
>> Sort of a followup question. I'm surprised adding "audit.none" to the
>> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
>> audit was a full "facility" in whatever rsyslog looks at. Am I more
>> confused than normal?
>>
>
> It's not. If you look at your main log you should see a message from
> rsyslogd saying something like "unknown facility 'audit'".
>



-- 
Mind on a Mission <http://leamhall.blogspot.com/>


More information about the Linux-audit mailing list