How do I stop audit logs from going to /var/log/messages

Currently we have auditd turned on and events are getting sent to /var/log/messages as well as /var/log/audit/audit.log

All our logs go to a central syslog server also...

Having said that, we would like to stop the auditd logs from going to "messages" but continue going to /var/log/audit/audit.log and continue being sent to our remote syslog server.

I tried setting /etc/audisp/plugins.d/syslog.conf to "active = no" but that didn't do it.

Can someone tell me how to accomplish this?

Jason

Responses

Do you have the boot parameter 'audit=1' on? That will write auditd to /var/log/messages. If the daemon does not start up, the kernel will write logs to /var/log/messages too.

Also /etc/audisp/plugins/syslog.conf is for relaying audits to a remote machine.

We do in fact have that set

kernel /vmlinuz-2.6.18-308.8.2.el5 ro root=/dev/VolGroup00/LogVol_ROOT rhgb quiet audit=1 fips=1 nousb console=tty1

So, are you saying that I can remove audit=1 from grub.conf and then start auditd with a chkconfig setting and it will stop writing to messages?

I believe so. This is what I believe causes auditd to write to /var/log/messages. So it would seem that that is set to on and you're running auditd. Thus you're getting the logs written to both paths.

I removed audit=1 from my kernel line in grub.conf then rebooted

Still getting audispd entries in messages

Dec 23 16:30:18 XXX400 audispd: node=XXX400 type=USER_LOGIN msg=audit(1387816218.347:236): user pid=1750 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="XXXUSERXXX" exe="/usr/sbin/sshd" hostname=? addr=xxx.xxx.xxx.xxx terminal=ssh res=failed'

https://access.redhat.com/site/solutions/499323

I wish it were that easy. I don't have that section in my rsyslog.conf file.

It is strange. That section doesn't exist, grub has been edited to not have audit=1 and the plugin was edited to be active=no. None of these stopped the logs from being written to messages.

Sorry, at this point I am not sure. Maybe it is time to open a case with RH support.

Jason,
Do you have a working system to compare this to by chance?

Of course remember to restart rsyslogd after any edits...

David's probably right in recommending calling RH Support.

Good luck

Jason, in the article David mentioned, what is the output of the following command? Here's mine:

[root@mysystem ~]# cd /etc/audit/
[root@mysystem audit]# grep audit auditd.conf 
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

Good luck

Ok, I found the solution. First, you need to be on version 1.8-2.el5 of audit or the config settings won't take effect.

The first conf you need to edit is /etc/audisp/plugins.d/syslog.conf
on the "args" line add "LOG_LOCAL0" and save the file

Then edit /etc/syslog.conf

In this area, add ;local0.none to the /var/log/messages line like below.

*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

Restart syslog and auditd and audit will stop sending logs to the messages log.

Hope this helps.

We wanted to reply to Jason Greene's solution and say that it works great for us and it didn't appear to break anything else. We did this on RHEL 6.6.

This will GREATLY relieve our Splunk Forwarders on our servers.

Hopefully the future RHELs will have more built-in mechanisms to account for crazy auditing requirements and STIG'd systems. I'm sure both DoD and corporations alike are becoming more secure these days.

Thanks!

Thanks. This led me in the right direction. I chose local6 instead of local0 as I didn't want the audit messages getting thrown to the kernel level. Since we already log to /var/log/audit I just wanted the audisp records to go direct to external syslog boxes for aggregation.

So I ended up with:
/etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages

grep local6 /etc/rsyslog.d/custom-syslog.conf
local6,kern,mail,daemon,auth,authpriv,user,syslog.debug @remote host:remote port

grep args /etc/audisp/plugins.d/syslog.conf
args = LOG_LOCAL6

Thanks again!
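As an added example, not part of the thread and not Red Hat's or any poster's code, here is a POSIX shell script that applies the two edits described in Jason Greene's solution above and in the local6 variant that follows it: point the audisp syslog plugin at a dedicated local facility, then add "localN.none" to the /var/log/messages selector. The function names are made up for this example; the sample configuration files are constructed here to resemble the lines quoted in the thread, and the script assumes the "args = LOG_INFO LOG_LOCALn" form of the plugin argument and a messages rule whose last field is exactly "/var/log/messages" (as in the posts above). Paths are parameters, so you can rehearse on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the thread above). Idempotent helpers that route
# audisp records to a dedicated facility and drop that facility from the
# /var/log/messages rule. Run them against copies first, then against /etc.

# Rewrite the "args =" line of the audisp syslog plugin to
# "args = LOG_INFO LOG_LOCALn" (the form shown in the thread); other keys
# (active, path, type, format) are left untouched.
set_audisp_facility() {
    conf="$1" fac="$2" tmp="$1.tmp.$$"
    sed -e "s/^[[:space:]]*args[[:space:]]*=.*/args = LOG_INFO ${fac}/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    grep -q "^args = LOG_INFO ${fac}\$" "$conf"
}

# Append ";localN.none" to the selector of the rule whose target is
# /var/log/messages, unless it is already present. Comment lines are skipped;
# every other rule (secure, cron, the *.* forwarder) is printed unchanged.
exclude_from_messages() {
    conf="$1" fac="$2" tmp="$1.tmp.$$"
    awk -v fac="$fac" '
        $1 !~ /^#/ && $NF == "/var/log/messages" && $1 !~ ("(^|;)" fac "\\.none(;|$)") {
            $1 = $1 ";" fac ".none"
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Check: does the /var/log/messages rule exclude the facility? Exit 0 if yes.
messages_excludes() {
    awk -v fac="$2" '
        $1 !~ /^#/ && $NF == "/var/log/messages" && $1 ~ ("(^|;)" fac "\\.none(;|$)") { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample configs modelled on the lines quoted in the thread
# (not copied from a real system).
make_sample_configs() {
    dir="$1"
    printf '%s\n' 'active = yes' 'direction = out' 'path = builtin_syslog' \
        'type = builtin' 'args = LOG_INFO' 'format = string' > "$dir/audisp-syslog.conf"
    printf '%s\n' '# Log anything (except mail) of level info or higher.' \
        '*.info;mail.none;authpriv.none;cron.none                /var/log/messages' \
        'authpriv.*                                              /var/log/secure' \
        '*.* @10.4.10.41:514' > "$dir/rsyslog.conf"
}

# Rehearsal on copies. On a live box run the same two calls as root against
# /etc/audisp/plugins.d/syslog.conf and /etc/rsyslog.conf (/etc/syslog.conf on
# RHEL 5), then restart rsyslog (or syslog) and auditd.
demo_on_copies() {
    dir=$(mktemp -d)
    make_sample_configs "$dir"
    set_audisp_facility "$dir/audisp-syslog.conf" LOG_LOCAL6
    exclude_from_messages "$dir/rsyslog.conf" local6
    messages_excludes "$dir/rsyslog.conf" local6 && echo "local6 is excluded from /var/log/messages"
    cat "$dir/audisp-syslog.conf" "$dir/rsyslog.conf"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo_on_copies
fi
```

Because a "*.* @host:514" forwarder matches every facility, the local6 records still reach the central server after this change; only the local messages file stops receiving them. If your messages rule uses the asynchronous "-/var/log/messages" spelling, adjust the "$NF ==" test accordingly, and keep the rsyslog restart and auditd restart from the thread, since neither daemon re-reads these files on its own.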

So I followed this solution and it seems to stop the spam: https://access.redhat.com/solutions/499323.

However, I'm sending all my logs to a central log server and I have them aggregated by hostname, and I noticed that in most cases my audit.log and messages are very close to being the same size.

So I guess what I'm unsure of is, if

active = yes in the file /etc/audisp/plugins.d/syslog.conf

does that mean everything gets sent to messages as well as audit.log? Or is there still some different information that gets sent there?

I just want to make sure this is grabbing the full content of my audit logs if I'm sending them to my syslog server, albeit without the duplicate audisp data in messages.

Hello

If you want to stop audit logs from being written to /var/log/messages, you can achieve it as follows.

1. Edit the active option value in the config file:

# vim /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

2. Now reload this configuration:

# systemctl reload auditd

--> Now audit logs will not be written to /var/log/messages. To start writing audit logs to /var/log/messages again, just set active = yes and reload the auditd service, and all audit logs will be recorded in messages as well.

To write audit logs to a remote server, set active = yes and add LOG_LOCAL6 to args:

# vim /etc/audisp/plugins.d/syslog.conf
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
# systemctl reload auditd

You need to set a rule in /etc/rsyslog.conf to route these logs to the remote server; this can be achieved as follows:

# vim /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.*                                                @@IP:514

I would not recommend this method; you may have issues this way with SELinux reading the audit log. Rather, use the syslog plugin for auditd and exclude it from the local syslog config used for /var/log/messages.

I have a similar issue, but with syslog.

Right now I am sending VM logs to a remote log server. I have this line at the end of /etc/rsyslog.conf

##forwarding rule to remote log##
*.* @10.4.10.41:514
##end of rule#

And at the remote logging server I have this conf file to capture the syslog.

cat /etc/rsyslog.d/logserver.conf

$template FILENAME,"/srv/logs/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
*.* ?FILENAME

if ($fromhost-ip != "127.0.0.1" ) then ?FILENAME
& ~

The result of the current setup is that I get the syslog file from that remote VM on the log server like this:

[root@logserver]# pwd
/srv/logs/remote-vm/2021/04/14

[root@logserver]# ls -lrta
total 14208
drwx------ 5 root root      36 Apr 14 00:00 ..
drwx------ 2 root root      24 Apr 14 00:00 .
-rw------- 1 root root 6344364 Apr 14 09:15 syslog.log

How can I get "audit.log" as a separate file in that same folder?

If I use the examples in this guide I always get those audit entries in that same "syslog.log" file on the logserver.

And the second issue is that on some VMs I have to send syslogs to 2 remote log servers. One of the servers needs that separate audit.log file and the other does not.

On those VMs I have these lines at the end of /etc/rsyslog.conf

##forwarding rule to remote log 1##
*.* @10.4.10.11:514
##end of rule 1#

##forwarding rule to remote log 2##
*.* @10.4.7.11:514
##end of rule 2#