sending audit logs only to audit.log via rsyslog

kathy lyons kathy.lyons at zayo.com
Wed May 10 15:51:04 UTC 2023


Great - so I don't need the line below in my rsyslog.conf file?

                 audit.*               ~/var/log/audit/audit.log

On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> >  Good morning.  I am trying to get the audit logs to be written only to
> > audit.log.  Currently they are written to audit.log as well as syslog.
> > Here is my rsyslog.conf file - what am I doing wrong?
> >
> >     module(load="imfile")
> >     module(load="imklog")
> >     module(load="imjournal")
> >
> >     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128k")
> >
> >    $IncludeConfig /etc/rsyslog.d/*.conf
> >    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> >
> >   ##################### rules
> >     audit.*                                 ~/var/log/audit/audit.log
> >     auth.warning;authpriv.info   ~/var/log/auth.log
> >     *.*;auth,authpriv.none           ~/var/log/syslog
> >     cron.info                               ~/var/log/cron.log
> >     daemon.info                        ~/var/log/daemon.log
> >     kern.*                                  ~/var/log/kern.log
> >     user.info                             ~/var/log/user.log
>
> The thing that is writing them to rsyslog is systemd-journald. You can stop
> this by running:
>
> systemctl mask systemd-journald-audit.socket
> systemctl stop systemd-journald-audit.socket
>
> Then you will only have logs written to the audit log.
>
> -Steve
>
>
>
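
An added check for the steps in the reply above, not part of the original thread: it maps the socket's `systemctl is-enabled` / `is-active` output to a verdict and counts audit-tagged lines written to the syslog file after a line number recorded before the change. The line pattern (tag `audit` or `audit[PID]` in RSYSLOG_TraditionalFileFormat), the helper names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that the mask/stop took effect
# and that no new audit-tagged lines reach the syslog file afterwards.
UNIT="systemd-journald-audit.socket"   # unit named in the reply above

# Assumed line shape: RSYSLOG_TraditionalFileFormat with tag "audit" or "audit[PID]".
AUDIT_LINE='^[A-Z][a-z]{2} [ 0-9][0-9] [0-9:]{8} [^ ]+ audit(\[[0-9]+\])?: '

# Map `systemctl is-enabled` / `is-active` output to a verdict.
socket_verdict() {
    if [ "$1" != "masked" ]; then
        echo "not-masked"            # unit can still be activated
    elif [ "$2" = "active" ]; then
        echo "masked-still-active"   # masked, but the stop has not been run
    else
        echo "ok"
    fi
}

# Count audit-tagged lines after line $2 of file $1 (0 if unreadable).
audit_lines_after() {
    [ -r "$1" ] || { echo 0; return 0; }
    tail -n "+$(($2 + 1))" "$1" | grep -Ec "$AUDIT_LINE" || true
}

# Constructed sample: two audit lines before the change (lines 1-2), none after.
write_sample() {
    cat > "$1" <<'EOF'
May 10 09:40:01 host1 audit[812]: USER_START pid=812 uid=0 auid=1000 ses=3
May 10 09:40:02 host1 audit: SERVICE_START pid=1 uid=0 auid=4294967295
May 10 09:52:10 host1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
May 10 09:52:11 host1 sshd[901]: Accepted publickey for admin from 192.0.2.10
EOF
}

# Usage: script [syslog-file] [line-count-recorded-before-the-change]
main() {
    log="${1:-/var/log/syslog}"; mark="${2:-0}"
    enabled=$(systemctl is-enabled "$UNIT" 2>/dev/null) || true
    active=$(systemctl is-active "$UNIT" 2>/dev/null) || true
    echo "socket: $(socket_verdict "$enabled" "$active")"
    echo "audit lines after line $mark of $log: $(audit_lines_after "$log" "$mark")"
}
main "$@"
```

Record `wc -l < /var/log/syslog` before running the two `systemctl` commands and pass that number as the second argument afterwards; a non-zero count means audit records are still reaching syslog by some path.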