auditd not logging proper log.

[Rakesh Kumar]

Or do i need any specific rules in the /etc/auditd/rules.d/audit.rules for this login/logout info to be logged ,? 
if yes then please suggest on this.


Rakesh    On Sunday, August 8, 2021, 11:18:00 PM GMT+5:30, Rakesh Kumar <rakesh_kumar2554 at yahoo.com> wrote:  
 
  
Hi Team,
The user login/logout information is being logged into auth.log file but not being logged into audit.log .it means that sshd, pam configuration is working for auth.log file then why its not working for audit.log, so where could be the problem, for this not being logged into audit.log file .
Where should i investigate.? 


Regards,Rakesh    On Sunday, August 8, 2021, 07:12:17 PM GMT+5:30, Steve Grubb <sgrubb at redhat.com> wrote:  
 
 On Saturday, August 7, 2021 12:47:56 AM EDT Rakesh Kumar wrote:
> 1)I am using this version of auditctl version 2.4.4 . So does this version
> has the user login/logout info to log into audit.log ?

This is not the responsibility of auditd. Auditd provides libaudit. 
Applications use that to create log events. It is the reposibility of system 
entry point daemons to log the event. User login events have been supported 
as long as I can remember.

> 2) If u  to want to see the pam.d/login file configuration to check why its
> not logging the login/logout info then please let me know about this,

It's not configurable by an end user. Its configured at compile time. You would 
want to look at the build logs for pam and entrypoint daemons such as sshd, 
gdm, kdm, etc.

-Steve


    
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20210808/742cdd66/attachment.htm>