How to stop audit logs from going to messages logs
Hi,
Audit logs are stored on a separate device, and rsyslog.conf is updated to send the logs to a remote server like below:
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.* @@IP:514
After this, the audit logs started getting written to /var/log/messages in addition to the audit.log file. To stop this I added the below entry in rsyslog.conf:
*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info /var/log/messages
After restarting rsyslog, none of the logs in /var/log is getting updated.
Which is the correct entry to stop audit logs from being sent to the messages log while allowing the other logs to get updated?
Thanks
Iyappan V
Responses
You state you put:
*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info /var/log/messages
in rsyslog.conf. That's probably not going to work. Syslog only recognizes specific facilities and logging levels. With syslog, the token to the left of the "." is the facility; the token to the right is the logging level. The man page lists the valid facilities as:
The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.
audispd isn't one of them. It's unlikely that what you have in your rsyslog.conf is valid syntax. It's entirely likely that the reason none of the /var/log/* files are getting updated is that rsyslogd can no longer correctly parse your output directives.
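Added example, not from either poster in this thread: a corrected rsyslog.conf fragment in the same legacy syntax the question used. It keeps the imfile input and the remote forwarding from the question and keeps local6 out of /var/log/messages in two independent ways: a "& stop" directly after the forwarding rule (so later rules never see those messages) and a "local6.none" selector on the /var/log/messages rule. The "IP" placeholder and the state-file name are carried over from the question; the /var/lib/rsyslog work directory is an assumption (it is the usual default on RHEL-family systems, adjust if yours differs).

```conf
# Added example: corrected legacy-syntax rsyslog.conf fragment (not the
# poster's original). Assumes the rsyslog state directory /var/lib/rsyslog
# and the remote collector placeholder "IP" from the question.
$WorkDirectory /var/lib/rsyslog

# --- audit.log input, tagged as facility local6 (as in the question) --------
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# Forward every local6 message to the collector over TCP ("@@"), then discard
# it so no later rule sees it. Rules are evaluated top to bottom, so this block
# must appear before the /var/log/messages rule. "& stop" needs rsyslog 7+;
# on older versions the equivalent is "& ~".
local6.* @@IP:514
& stop

# --- default catch-all rule -------------------------------------------------
# What the question tried, kept here commented out: "audispd" is not a syslog
# facility, so (as the reply above suggests) rsyslogd is likely to reject the
# selector and nothing reaches /var/log/messages at all.
#*.info;mail.none;authpriv.none;cron.none;local6.!info;audispd.!info /var/log/messages

# Corrected: "local6.none" excludes the whole local6 facility from this rule.
# Together with the "& stop" above this is belt and braces; either one alone
# is enough to keep the audit lines out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
```

Before restarting the daemon, run rsyslogd -N1 to have it parse the configuration and report any selector it cannot understand; a rejected line shows up there instead of as silently empty log files after the restart.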