How to stop audit logs from going to messages logs
Hi,
Audit logs are stored on a separate device, and rsyslog.conf
is updated to send the logs to a remote server, as below:
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.* @@IP:514
After this, audit logs were written to /var/log/messages as well as to the audit.log file. To stop this, I added the entry below to rsyslog.conf:
*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info /var/log/messages
After restarting rsyslog.conf, none of the logs in /var/log are getting updated.
What is the correct entry to keep audit logs from being sent to the messages log while allowing the other logs to be updated?
Thanks
Iyappan V
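
One way to lay out the configuration from the post so that the tailed audit records are forwarded but stay out of /var/log/messages, as an added example that is not part of the original post. It assumes rsyslog's legacy selector syntax; `IP` is the post's own placeholder, and `audispd` is left out of the selector because it is not a syslog facility name.

```conf
# Added example, not from the original post. Legacy rsyslog syntax.

#### INPUT: tail audit.log and label every record local6.info
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

#### RULES: evaluated top to bottom, so keep this order

# 1. Forward the audit records to the remote server over TCP (@@).
#    "IP" is the placeholder used in the post.
local6.*    @@IP:514

# 2. Optional: discard local6 right after forwarding so that no later
#    rule can write it locally. "&" attaches another action to the
#    selector above and "~" is the discard action. On rsyslog v7 and
#    later, "& stop" is the equivalent.
& ~

# 3. Local messages file. "facility.none" is the selector form that
#    excludes a whole facility, the same way mail, authpriv and cron
#    are already excluded. The line from the post, for comparison:
#      *.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info /var/log/messages
#    "local6.!info" negates a priority match rather than excluding the
#    facility, and "audispd" is a program name, not a facility.
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
```

Either step 2 or the `local6.none` term in step 3 is enough on its own; running `rsyslogd -N1` before restarting reports any line that fails to parse.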