sending audit logs only to audit.log via rsyslog

Steve Grubb sgrubb at redhat.com
Wed May 10 16:11:40 UTC 2023


On Wednesday, May 10, 2023 11:51:04 AM EDT kathy lyons wrote:
> Great - so I don't need the line below in my rsyslog.conf file?
> 
>                  audit.*               ~/var/log/audit/audit.log

No that's not needed. The whole problem is caused by journald. It connects to 
a best effort multicast socket to get audit events. It then writes them to 
rsyslog in addition to the journal. Meanwhile, auditd connects to the real 
netlink interface and grabs events from the kernel and writes them to disk 
itself. No one needs 3 separate audit logs.

After masking journald's audit socket, all you need to do is have the audit 
daemon enabled. Then everything should work out. And you should find that 
audit events written by auditd have slightly better information.

-Steve

> On Wed, May 10, 2023 at 9:51 AM Steve Grubb <sgrubb at redhat.com> wrote:
> > On Wednesday, May 10, 2023 9:43:04 AM EDT kathy lyons wrote:
> > > Good morning.  I am trying to get the audit logs to be written only to
> > > audit.log.  Currently they are written to audit.log as well as syslog.
> > > Here is my rsyslog.conf file - what am I doing wrong?
> > > 
> > >     module(load="imfile")
> > >     module(load="imklog")
> > >     module(load="imjournal")
> > >
> > >     global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> > >            maxMessageSize="128k")
> > >
> > >     $IncludeConfig /etc/rsyslog.d/*.conf
> > >     $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> > >
> > >     ##################### rules
> > >
> > >     audit.*                       ~/var/log/audit/audit.log
> > >     auth.warning;authpriv.info    ~/var/log/auth.log
> > >     *.*;auth,authpriv.none        ~/var/log/syslog
> > >     cron.info                     ~/var/log/cron.log
> > >     daemon.info                   ~/var/log/daemon.log
> > >     kern.*                        ~/var/log/kern.log
> > >     user.info                     ~/var/log/user.log
> > 
> > The thing that is writing them to rsyslog is systemd-journald. You can
> > stop this by running:
> > 
> > systemctl mask systemd-journald-audit.socket
> > systemctl stop systemd-journald-audit.socket
> > 
> > Then you will only have logs written to the audit log.
> > 
> > -Steve
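Steve's advice in the thread comes down to two conditions on the host: systemd-journald-audit.socket is masked and stopped, and auditd is enabled and running. The POSIX shell script below is an added example, not code from the thread or from the audit project; it checks both conditions with systemctl and prints the remediation command from the thread for anything that is off. The decision logic is a separate function that takes the four systemctl answers as arguments, so it can be exercised on a machine without systemd. The unit names and the state strings it compares against (masked, masked-runtime, static, active, inactive, enabled, disabled) are what systemctl prints; the script and function names are my own choice.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): verify that kernel audit
# events reach only auditd's audit.log, i.e. the journald audit socket is
# masked and stopped and auditd is enabled and running.

# audit_path_check SOCKET_ENABLED SOCKET_ACTIVE AUDITD_ENABLED AUDITD_ACTIVE
#   Arguments are the strings `systemctl is-enabled` / `systemctl is-active`
#   print for systemd-journald-audit.socket and auditd.service. Keeping this
#   separate from systemctl lets it run and be tested without systemd.
#   Prints "ok" and returns 0 when the setup matches the thread's advice;
#   otherwise prints one remediation line per finding and returns 1.
audit_path_check() {
    sock_enabled=$1; sock_active=$2; auditd_enabled=$3; auditd_active=$4
    findings=0
    case "$sock_enabled" in
        masked|masked-runtime) ;;   # journald no longer pulls audit events
        *)  echo "systemd-journald-audit.socket is '$sock_enabled', not masked:" \
                 "run 'systemctl mask systemd-journald-audit.socket'"
            findings=$((findings + 1)) ;;
    esac
    if [ "$sock_active" = "active" ]; then
        echo "systemd-journald-audit.socket is still active:" \
             "run 'systemctl stop systemd-journald-audit.socket'"
        findings=$((findings + 1))
    fi
    if [ "$auditd_enabled" != "enabled" ]; then
        echo "auditd.service is '$auditd_enabled', not enabled:" \
             "run 'systemctl enable auditd'"
        findings=$((findings + 1))
    fi
    if [ "$auditd_active" != "active" ]; then
        echo "auditd.service is '$auditd_active', not running:" \
             "run 'systemctl start auditd'"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo ok
        return 0
    fi
    return 1
}

# live_check: ask systemctl on this host and feed the answers to the decision
# function. `systemctl is-enabled` exits non-zero for masked or disabled
# units while still printing the state, so the output is kept with `|| true`.
live_check() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not available on this host" >&2
        return 2
    fi
    audit_path_check \
        "$(systemctl is-enabled systemd-journald-audit.socket 2>/dev/null || true)" \
        "$(systemctl is-active  systemd-journald-audit.socket 2>/dev/null || true)" \
        "$(systemctl is-enabled auditd.service 2>/dev/null || true)" \
        "$(systemctl is-active  auditd.service 2>/dev/null || true)"
}

# Usage: sh check_audit_path.sh --live
# Without the flag the file only defines the functions so it can be sourced.
case "${1:-}" in
    --live) live_check ;;
esac
```

On a stock host the socket reports "static" (it has no [Install] section), so the first finding fires until it is masked; after `systemctl mask` it reports "masked" and, once stopped, "inactive", and the script prints "ok" provided auditd is enabled and active.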

More information about the Linux-audit mailing list