Help on audit.log
Dear Team,
I need help understanding the audit.log file on Linux servers.
I can see the audit logs under the /var/log/audit/ folder and a configuration file for it in /etc/audit/auditd.conf.
What actually gets recorded in the audit.old file? Is it the same information as in /var/log/secure and other log files?
What is the distinctive feature of this log file?
The reason for bringing up this question is that we have a concern that audit log messages are filling up and hanging the servers with the messages below.
kernel: audit: audit_backlog=65537 > audit_backlog_limit=65536
kernel: audit: audit_lost=126533574 audit_rate_limit=0 audit_backlog_limit=65536
So is audit.log really necessary, or can I stop the auditd process and get the details from other logs like messages/secure?
Please help. Thanks.
Responses
Hi Manikandan,
Please read through Chapter 5, System Auditing, of the Security Guide.
You can disable the rules you do not need as well; see "The audit.log file still contains messages even though no audit rules have been added" for more information.
The audit subsystem is not essential to operation; however, I would strongly recommend that you review any regulatory requirements for your industry before blanket disabling the service.
A better approach would be to clear down the rules you do not need (noting the PAM hardcoding information in solutions/35978) and monitor only that which does need to be recorded.
Best regards,
Mark
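For the two kernel messages quoted in the question, here is an added example (not from this thread or from Red Hat) of a small Python checker that parses such lines out of syslog-style input and reports how many audit events were lost between the first and last report. The audit_lost value is a cumulative kernel counter, so the difference between two samples is the number of events dropped in that interval; the sample log lines are constructed.

```python
import re

# Patterns for the two kernel message shapes quoted in the question.
BACKLOG_RE = re.compile(
    r"audit: audit_backlog=(?P<backlog>\d+) > audit_backlog_limit=(?P<limit>\d+)"
)
LOST_RE = re.compile(
    r"audit: audit_lost=(?P<lost>\d+) audit_rate_limit=(?P<rate>\d+) "
    r"audit_backlog_limit=(?P<limit>\d+)"
)

# Constructed sample: two snapshots 30 seconds apart, plus an unrelated line.
SAMPLE_LOG = """\
Jan 10 09:00:01 host kernel: audit: audit_backlog=65537 > audit_backlog_limit=65536
Jan 10 09:00:01 host kernel: audit: audit_lost=126533574 audit_rate_limit=0 audit_backlog_limit=65536
Jan 10 09:00:02 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Jan 10 09:00:31 host kernel: audit: audit_backlog=65540 > audit_backlog_limit=65536
Jan 10 09:00:31 host kernel: audit: audit_lost=126540000 audit_rate_limit=0 audit_backlog_limit=65536
"""


def parse_audit_kernel_lines(text):
    """Return one dict per kernel audit warning, in file order; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = BACKLOG_RE.search(line) or LOST_RE.search(line)
        if not m:
            continue
        rec = {k: int(v) for k, v in m.groupdict().items()}
        rec["kind"] = "backlog" if "backlog" in rec else "lost"
        records.append(rec)
    return records


def summarize(records):
    """Count overflow warnings and compute events lost between first and last report."""
    overflows = [r for r in records if r["kind"] == "backlog" and r["backlog"] > r["limit"]]
    lost = [r["lost"] for r in records if r["kind"] == "lost"]
    return {
        "overflow_warnings": len(overflows),
        # audit_lost is cumulative, so the delta is what was dropped in the window.
        "lost_delta": (lost[-1] - lost[0]) if len(lost) >= 2 else 0,
        "lost_total": lost[-1] if lost else 0,
        # audit_rate_limit=0 means the kernel is not rate limiting audit messages.
        "rate_limit_disabled": any(r["kind"] == "lost" and r["rate"] == 0 for r in records),
    }


if __name__ == "__main__":
    print(summarize(parse_audit_kernel_lines(SAMPLE_LOG)))
```

A steadily growing lost_delta between samples means the rule set is producing events faster than auditd can drain the backlog, which is the situation Mark's advice about trimming unneeded rules addresses.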