How to stop audit logs from going to messages logs


Hi,

Audit logs are stored on a separate device, and rsyslog.conf is updated to send logs to a remote server as shown below:

#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.*                                                @@IP:514

After this, audit logs got written to /var/log/messages in addition to the audit.log file. To stop this, I added the entry below to rsyslog.conf:

*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info       /var/log/messages

After restarting rsyslog.conf, none of the logs in /var/log are getting updated.

Which is the correct entry to keep audit logs from being sent to the messages log while allowing other logs to get updated?

Thanks
Iyappan V
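
Added example, not part of the original post: a simplified Python model of the classic syslog selector syntax used on the /var/log/messages line, run against the posted selector and against a variant that uses local6.none (the variant, the function names and the model itself are this example's own assumptions). In this model audispd is rejected because it is a program name rather than a syslog facility, while local6.none excludes the imfile-tagged audit records and leaves the other facilities matching.

```python
# Added example: simplified model of classic syslog selector matching.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def compile_selector(selector):
    """Return {facility: set of matched severity numbers}.

    Raises ValueError for names the selector syntax does not define
    (aliases such as 'warn' or 'security' are left out of this model).
    """
    table = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, prio = part.strip().partition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        for name in names:
            if name not in table:
                raise ValueError(f"unknown facility {name!r} in {part!r}")
        negate = prio.startswith("!")
        prio = prio[1:] if negate else prio
        exact = prio.startswith("=")
        prio = prio[1:] if exact else prio
        if prio == "none":            # clear everything for these facilities
            levels, negate = set(range(8)), True
        elif prio == "*":
            levels = set(range(8))
        elif prio in SEVERITIES:      # "info" means info and more severe
            n = SEVERITIES.index(prio)
            levels = {n} if exact else set(range(n + 1))
        else:
            raise ValueError(f"unknown priority {prio!r} in {part!r}")
        for name in names:            # later parts override earlier ones
            table[name] = table[name] - levels if negate else table[name] | levels
    return table


def matches(selector, facility, severity):
    """True if a message with this facility/severity is selected."""
    return SEVERITIES.index(severity) in compile_selector(selector)[facility]


# The selector from the post, and a constructed variant using local6.none.
POSTED = "*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info"
FIXED = "*.info;mail.none;authpriv.none;cron.none;local6.none"

if __name__ == "__main__":
    try:
        compile_selector(POSTED)
    except ValueError as exc:
        print("posted line rejected:", exc)
    for fac in ("daemon", "local6", "mail"):
        print(fac, "info ->", matches(FIXED, fac, "info"))
```
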
