How to stop audit logs from going to messages logs


Hi,

Audit logs are stored on a separate device, and rsyslog.conf is updated to send the logs to a remote server as below:

#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.*                                                @@IP:514

After this, the audit logs also got written to /var/log/messages in addition to the audit.log file. To stop this I added the entry below in rsyslog.conf:

*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info       /var/log/messages

After restarting rsyslog, none of the logs in /var/log are getting updated.

Which is the correct entry to stop audit logs from being sent to the messages log while still allowing the other logs to be updated?

Thanks
Iyappan V

Responses

You state you put:

*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info       /var/log/messages

in rsyslog.conf. That's probably not going to work. Syslog only recognizes specific facilities and logging levels. With syslog, the token to the left of the "." is the facility; the token to the right is the logging level. The man page lists the valid facilities as:

The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.

audispd isn't one of them. It's unlikely that what you have in your rsyslog.conf is valid syntax. It's entirely likely that the reason none of the /var/log/* files are getting updated is that rsyslogd can no longer correctly parse your output directives.
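To make the "facility.priority" rule above concrete, here is a small validator for legacy rsyslog selector lines. It is an added example, not code from this thread or from the rsyslog project: it splits each selector into its facility list and priority, checks them against the facilities and priorities listed in rsyslog.conf(5), and reports the unknown "audispd" facility in the rule from the question. The sample rules, the 192.0.2.10 address and the check_* function names are constructed for the example; the "fixed" rule uses the conventional ".none" form to exclude every message from the local6 facility.

```python
# Validator for legacy rsyslog selector lines ("facility.priority  action").
# Added example, not from the original thread or from rsyslog itself; the
# sample rules below are constructed and mirror the ones discussed above.

# Facilities accepted by the legacy selector syntax (rsyslog.conf(5)).
FACILITIES = {
    "auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
    "news", "security", "syslog", "user", "uucp",
    *(f"local{i}" for i in range(8)),
}
# Priorities accepted by the legacy selector syntax, including aliases.
PRIORITIES = {
    "debug", "info", "notice", "warning", "warn", "err", "error",
    "crit", "alert", "emerg", "panic", "none",
}


def check_selector(selector: str) -> list[str]:
    """Return the problems found in one selector such as 'mail.none'.

    The part left of the last '.' is a comma-separated facility list
    (or '*'); the part right of it is a priority, optionally prefixed
    with '!' (exclude) and/or '=' (exactly this priority), or '*'.
    """
    problems = []
    if "." not in selector:
        return [f"{selector!r}: missing '.' between facility and priority"]
    facilities, priority = selector.rsplit(".", 1)
    for fac in facilities.split(","):
        if fac != "*" and fac not in FACILITIES:
            problems.append(f"{selector!r}: unknown facility {fac!r}")
    name = priority.lstrip("!=")
    if name != "*" and name not in PRIORITIES:
        problems.append(f"{selector!r}: unknown priority {priority!r}")
    return problems


def check_rule(line: str) -> list[str]:
    """Validate one rule line; comments, blank lines and '$' directives pass."""
    line = line.strip()
    if not line or line[0] in "#$":
        return []
    parts = line.split(None, 1)
    if len(parts) != 2:
        return [f"{line!r}: selector list has no action"]
    selectors, _action = parts
    problems = []
    for sel in selectors.split(";"):
        problems.extend(check_selector(sel))
    return problems


def check_config(text: str) -> list[str]:
    """Validate every line of a config fragment and collect the problems."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for p in check_rule(line):
            problems.append(f"line {lineno}: {p}")
    return problems


# Constructed sample: the rule from the question (invalid 'audispd'
# facility) next to a rule that excludes local6 with the standard '.none'.
BROKEN_RULE = (
    "*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info"
    "       /var/log/messages"
)
FIXED_RULE = "*.info;mail.none;authpriv.none;cron.none;local6.none   /var/log/messages"

if __name__ == "__main__":
    sample = "\n".join([
        "# audit log forwarded from the imfile input (constructed sample)",
        "$InputFileFacility local6",
        "local6.*                    @@192.0.2.10:514",   # placeholder address
        BROKEN_RULE,
        FIXED_RULE,
    ])
    for problem in check_config(sample) or ["no problems found"]:
        print(problem)
```

The script only understands the legacy selector syntax shown in this thread, not RainerScript ("if ... then") rules. On a real host the authoritative check is rsyslog's own config test, rsyslogd -N1, which reports parse errors before a restart takes the daemon down.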

This URL helped to fix the issue: https://access.redhat.com/discussions/650853

Jason Greene's method looks good. Thanks for the link.