[Spacewalk-list] Audit logs in GUI

Jan Dobes jdobes at redhat.com
Thu Jun 25 14:10:43 UTC 2015


----- Original Message -----
> From: "Sam Caise" <sam.caise at invade.net>
> To: spacewalk-list at redhat.com
> Sent: Thursday, June 25, 2015 1:43:20 PM
> Subject: [Spacewalk-list] Audit logs in GUI
> 
> Hi All,
> 
> I appear to be having a problem exporting auditd logs into the Spacewalk
> front end.
> 
> I have followed the necessary steps as listed on the wiki:
> 
> https://fedorahosted.org/spacewalk/wiki/AuditReviewing
> 
> But the page still appears to be blank after configuration. Below I have
> listed the current setup:
> 
> 1. /etc/rhn/rhn.conf has been configured to point to the audit logdir:
> 
> [root@spacewalk audit]# tail -n2 /etc/rhn/rhn.conf
> # enable audit logging
> web.audit.logdir = /var/satellite/systemlogs
> 
> 2. Directories created for the test host (in this case the spacewalk host
> itself):
> 
> [root@spacewalk audit]# ls -la /var/satellite/systemlogs/
> total 0
> drwxr-xr-x 4 tomcat tomcat 38 Jun 25 10:17 .
> drwxr-xr-x 6 apache root 60 Jun 25 12:27 ..
> drwxr-xr-x 3 tomcat tomcat 18 Jun 25 10:17 localhost
> 
> Audit directory is present:
> 
> [root@spacewalk audit]# ls -la /var/satellite/systemlogs/localhost/
> total 0
> drwxr-xr-x 3 tomcat tomcat 18 Jun 25 10:17 .
> drwxr-xr-x 4 tomcat tomcat 38 Jun 25 10:17 ..
> drwxr-xr-x 2 tomcat tomcat 42 Jun 25 12:17 audit
> 
> And the audit log (parsed with aup.c) is present also:
> 
> [root@spacewalk audit]# ls -la /var/satellite/systemlogs/localhost/audit/
> total 3692
> drwxr-xr-x 2 tomcat tomcat 42 Jun 25 12:17 .
> drwxr-xr-x 3 tomcat tomcat 18 Jun 25 10:17 ..
> -rw-r--r-- 1 tomcat tomcat 348542 Jun 25 12:16 audit1.parsed

Hello,

The audit files are expected to have a name in the format:

"audit-(\d+)-(\d+).parsed" - the numbers are Unix timestamps describing the start and end of the search interval.

> 
> 
> I have tried setting the ownership/group to both "apache" and "tomcat" but
> this does not appear to help.
> 
> 3. Finally, the following command was run previously (before changing
> ownership to tomcat) as listed by the wiki:
> 
> [root@spacewalk audit]# namei -m /var/satellite/systemlogs/localhost/audit/
> f: /var/satellite/systemlogs/localhost/audit/
> dr-xr-xr-x /
> drwxr-xr-x var
> drwxr-xr-x satellite
> drwxr-xr-x systemlogs
> drwxr-xr-x localhost
> drwxr-xr-x audit
> 
> The logs for tomcat, httpd and auditd show no related errors.
> 
> Despite the above no audit logs are displayed on the front end. Does anyone
> have any ideas as to why this could be?
> 
> Kind Regards,
> Sam Caise
> 

Regards,
-- 
Jan Dobes
Satellite Engineering, Red Hat
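
The naming rule from the reply above, turned into a check over the audit log directory. This is an added example, not code from the thread or from Spacewalk. It assumes the `<logdir>/<host>/audit/` layout shown in the listings, that the whole file name must match, and that the dot before `parsed` is literal; the function names and sample file names are constructed.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Pattern quoted in the reply. Assumption: dot is literal, whole name must match.
AUDIT_NAME = re.compile(r"audit-(\d+)-(\d+)\.parsed")
BAD_NAME = "name does not match audit-<start>-<end>.parsed"
BAD_ORDER = "start timestamp is after end timestamp"

def check_audit_logdir(logdir):
    """Return (ok, problems) for the files under <logdir>/<host>/audit/."""
    ok, problems = [], []
    for host in sorted(os.listdir(logdir)):
        audit_dir = os.path.join(logdir, host, "audit")
        if not os.path.isdir(audit_dir):
            problems.append((host, "", "no audit/ subdirectory"))
            continue
        for name in sorted(os.listdir(audit_dir)):
            m = AUDIT_NAME.fullmatch(name)
            if m is None:
                problems.append((host, name, BAD_NAME))
            elif int(m.group(1)) > int(m.group(2)):
                problems.append((host, name, BAD_ORDER))
            else:
                ok.append((host, name, int(m.group(1)), int(m.group(2))))
    return ok, problems

def iso(epoch):
    """Render a Unix timestamp as UTC so the covered interval can be read."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_sample(root):
    """Constructed sample tree mirroring the layout in the thread."""
    audit_dir = os.path.join(root, "localhost", "audit")
    os.makedirs(audit_dir)
    for name in ("audit1.parsed", "audit-1435190400-1435233600.parsed",
                 "audit-20-10.parsed"):
        open(os.path.join(audit_dir, name), "w").close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ok, problems = check_audit_logdir(build_sample(tmp))
    for host, name, start, end in ok:
        print(f"OK   {host}/{name}: {iso(start)} .. {iso(end)}")
    for host, name, why in problems:
        print(f"BAD  {host}/{name}: {why}")
```

On a real server, call `check_audit_logdir()` with the directory set in `web.audit.logdir`.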



