How do I stop audit logs from going to /var/log/messages

Latest response

How do I stop audit logs from going to /var/log/messages

Currently we have auditd turned on and events are getting sent to /var/log/messages as well as /var/log/audit/audit.log

All our logs go to a central syslog server also...

Having said that we would like to stop the auditd logs from going to "messages" but continue going to /var/log/audit/audit.log and continue being sent to our remote syslog server..

I tried setting /etc/audisp/plugins.d/syslog.conf to "active = no" but that didn't do it.

Can someone tell me how to accomplish this?

  • Jason
JG
Log in to join the conversation

Responses

dmfaverma's picture Pro 494 points
23 December 2013 2:41 PM

Do you have the boot parameter 'audit=1' on? That will write auditd to /var/log/messages. IF the daemon does not start up the kernel will write logs to /var/log/messages too.

Also /etc/audisp/plugins/syslog.conf is for relaying audits to a remote machine.

JG Community Member 75 points
23 December 2013 3:45 PM

We do in fact have that set

kernel /vmlinuz-2.6.18-308.8.2.el5 ro root=/dev/VolGroup00/LogVol_ROOT rhgb quiet audit=1 fips=1 nousb console=tty1

So, are you saying that I can remove audit=1 from grub.conf and then start auditd with a chkconfig setting and it will stop writing to messages?

dmfaverma's picture Pro 494 points
23 December 2013 4:13 PM

I believe so. This is what I believe causes auditd to write to /var/log/messages. So it would seem that that is set to on and your running auditd. Thus you're getting the logs writting to both paths.

JG Community Member 75 points
23 December 2013 4:41 PM

I removed audit=1 from my kernel line in grub.conf then rebooted

Still getting audispd entries in messages

Dec 23 16:30:18 XXX400 audispd: node=XXX400 type=USER_LOGIN msg=audit(1387816218.347:236): user pid=1750 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="XXXUSERXXX" exe="/usr/sbin/sshd" hostname=? addr=xxx.xxx.xxx.xxx terminal=ssh res=failed'

dmfaverma's picture Pro 494 points
23 December 2013 6:12 PM

https://access.redhat.com/site/solutions/499323

JG Community Member 75 points
23 December 2013 7:18 PM

I wish it were that easy. I don't have that section in my rsyslog.conf file.

It is strange. That section doesn't exist, grub has been edited to not have audit=1 and the plugin was edited to be active=no. None of these stopped the logs from being written to messages.

dmfaverma's picture Pro 494 points
26 December 2013 3:43 PM

Sorry at this point I am not sure,? Maybe it is time to open a case with RH support..

R. Hinton's picture Guru 6827 points
4 March 2014 5:08 AM

Jason,
Do you have a working system to compare this to by chance?

Of course remember to restart rsyslogd after any edits...

David's probably right in recommending calling RH Support,

Good luck

R. Hinton's picture Guru 6827 points
4 March 2014 5:16 AM

Jason, in the article David Mention, what is the output for the following command? Here's mine:

[root@mysystem ~]# cd /etc/audit/
[root@mysystem audit]# grep audit auditd.conf 
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

Good luck

JG Community Member 75 points
4 March 2014 2:41 PM

Ok, I found the solution. First, you need to be on version 1.8-2.el5 of audit or the config settings won't take effect.

The first conf you need to edit is /etc/audisp/plugins.d/syslog.conf
on the "args" line add "LOG_LOCAL0" and save the file

Then edit /etc/syslog.conf

In this area, add ;local0.none to the /var/log/messages line like below.

*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

Restart syslog and auditd and audit will stop sending logs to the messages log.

Hope this helps.

CS Active Contributor 167 points
27 August 2015 1:31 PM

We wanted to reply to Jason Greene's solution and say that it works great for us and it didn't appear to break anything else. We did this on RHEL 6.6.

This will GREATLY relieve our Splunk Forwarders on our servers.

Hopefully the future RHELs will have more built-in mechanisms to account for crazy auditing requirements and STIG'd systems. I'm sure both DoD and Corporations alike are becp,oming more secure these days.

Thanks!

William Darton's picture Expert 929 points
15 September 2015 1:21 PM

Thanks.. This led me in the right direction.. Chose local6 instead of local0 as I didn't want the audit messages getting thrown to the kernel level.. Since we already log to /var/log/audit I just wanted the audisp records to go direct to external syslog boxes for aggregation.

so ended up with
/etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages

grep local6 /etc/rsyslog.d/custom-syslog.conf
local6,kern,mail,daemon,auth,authpriv,user,syslog.debug @remote host:remote port

grep args /etc/audisp/plugins.d/syslog.conf
args = LOG_LOCAL6

Thanks again!

CT Newbie 5 points
8 December 2016 6:33 PM

So I followed this solution and it seems to stop the spam: https://access.redhat.com/solutions/499323.

However, I'm sending all my logs to central log server and I have them aggregated by hostname, and I noticed that it most cases my audit.log and messages are very close to being the same size.

So I guess what I'm unsure of is that if

active = yes in the file /etc/audisp/plugins.d/syslog.conf

does that mean everything that gets sent messages as well audit.log? or is there still some different information that gets sent there?

I just want to make sure this is grabbing the full content of my audit logs if I'm sending them to my syslog server, albeit without the duplicate audisp data in messages.

RP Red Hat Community Member 29 points
14 September 2017 3:07 PM

Hello

If you want to stop audit logs from being written to /var/log/messages, you can achieve it as follows. 1. Edit active option value in config file

# vim /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
  1. Now to reload this configuration 
# systemctl reload auditd
--> Now audit logs will not be written to /var/log/messages To start writing audit logs to /var/log/messages just set active = yes and reload auditd service and all audit logs would be recorded in messages as well.

To write audit logs to remote server, set active = yes and add LOG_LOCAL6 in args

# vim /etc/audisp/plugins.d/syslog.conf
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
# systemctl reload auditd

Need to set rule in /etc/rsyslog.conf to route these logs to remote server, this can be achieved as follows

# vim /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.*                                                @@IP:514
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.