How do I stop audit logs from going to /var/log/messages
How do I stop audit logs from going to /var/log/messages
Currently we have auditd turned on and events are getting sent to /var/log/messages as well as /var/log/audit/audit.log
All our logs go to a central syslog server also...
Having said that we would like to stop the auditd logs from going to "messages" but continue going to /var/log/audit/audit.log and continue being sent to our remote syslog server..
I tried setting /etc/audisp/plugins.d/syslog.conf to "active = no" but that didn't do it.
Can someone tell me how to accomplish this?
- Jason
Responses
Pro
494 points
Do you have the boot parameter 'audit=1' on? That will write auditd to /var/log/messages. IF the daemon does not start up the kernel will write logs to /var/log/messages too.
Also /etc/audisp/plugins/syslog.conf is for relaying audits to a remote machine.
Pro
494 points
I believe so. This is what I believe causes auditd to write to /var/log/messages. So it would seem that that is set to on and your running auditd. Thus you're getting the logs writting to both paths.
Pro
494 points
Sorry at this point I am not sure,? Maybe it is time to open a case with RH support..
Guru
6827 points
Jason,
Do you have a working system to compare this to by chance?
Of course remember to restart rsyslogd after any edits...
David's probably right in recommending calling RH Support,
Good luck
Guru
6827 points
Jason, in the article David Mention, what is the output for the following command? Here's mine:
[root@mysystem ~]# cd /etc/audit/
[root@mysystem audit]# grep audit auditd.conf
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
Good luck
We wanted to reply to Jason Greene's solution and say that it works great for us and it didn't appear to break anything else. We did this on RHEL 6.6.
This will GREATLY relieve our Splunk Forwarders on our servers.
Hopefully the future RHELs will have more built-in mechanisms to account for crazy auditing requirements and STIG'd systems. I'm sure both DoD and Corporations alike are becp,oming more secure these days.
Thanks!
Expert
991 points
Thanks.. This led me in the right direction.. Chose local6 instead of local0 as I didn't want the audit messages getting thrown to the kernel level.. Since we already log to /var/log/audit I just wanted the audisp records to go direct to external syslog boxes for aggregation.
so ended up with
/etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
grep local6 /etc/rsyslog.d/custom-syslog.conf
local6,kern,mail,daemon,auth,authpriv,user,syslog.debug @remote host:remote port
grep args /etc/audisp/plugins.d/syslog.conf
args = LOG_LOCAL6
Thanks again!
So I followed this solution and it seems to stop the spam: https://access.redhat.com/solutions/499323.
However, I'm sending all my logs to central log server and I have them aggregated by hostname, and I noticed that it most cases my audit.log and messages are very close to being the same size.
So I guess what I'm unsure of is that if
active = yes in the file /etc/audisp/plugins.d/syslog.conf
does that mean everything that gets sent messages as well audit.log? or is there still some different information that gets sent there?
I just want to make sure this is grabbing the full content of my audit logs if I'm sending them to my syslog server, albeit without the duplicate audisp data in messages.
Red Hat
Community Member
84 points
Hello
If you want to stop audit logs from being written to /var/log/messages, you can achieve it as follows. 1. Edit active option value in config file
# vim /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
- Now to reload this configuration
# systemctl reload auditd
To write audit logs to remote server, set active = yes and add LOG_LOCAL6 in args
# vim /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
# systemctl reload auditd
Need to set rule in /etc/rsyslog.conf to route these logs to remote server, this can be achieved as follows
# vim /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.* @@IP:514
Have similar issue, but with syslog.
Right now I am sending VM logs to remote log server. I have this line at the end of /etc/rsyslog.conf
##forwarding rule to remote log##
*.* @10.4.10.41:514
##end of rule#
And at the remote logging server I have this conf file to capture the syslog.
cat /etc/rsyslog.d/logserver.conf
$template FILENAME,"/srv/logs/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
*.* ?FILENAME
if ($fromhost-ip != "127.0.0.1" ) then ?FILENAME
& ~
Result of current setup is that I get the syslog file from that remote VM to log server like this:
[root@logserver]# pwd
/srv/logs/remote-vm/2021/04/14
[root@logserver]# ls -lrta
total 14208
drwx------ 5 root root 36 Apr 14 00:00 ..
drwx------ 2 root root 24 Apr 14 00:00 .
-rw------- 1 root root 6344364 Apr 14 09:15 syslog.log
How can I get "audit.log" as separate file in into that same folder?
If I use the examples in this guide I always get those audit entries in that same "syslog.log" file in logserver.
And second issue is that on some VM's I have to send syslogs to 2 remote log servers. One of the servers needs that separate audit.log file and other does not.
In those VM's I have those lines at the end of /etc/rsyslog.conf
##forwarding rule to remote log 1##
*.* @10.4.10.11:514
##end of rule 1#
##forwarding rule to remote log 2##
*.* @10.4.7.11:514
##end of rule 2#