No USER_LOGIN events in audit.log

Hello,

I am setting up a system for a closed room and am testing the system auditing. We use a script which calls ausearch and aureport to display a few different things about the system. When running the script, everything expected is returned - except for USER_LOGIN and USER_LOGOUT events.

The command "ausearch -m USER_LOGIN" always produces "no matched events". The same happens when using USER_LOGOUT as the event. All other audited login events are there: USER_AUTH, USER_ACCT, USER_START. Naturally, "aureport --login -i" produces no results since it's keyed off USER_LOGIN events.

Besides the DISA STIG profile I have not configured the system.

Is it possible a rule is excluding these events? Can someone confirm their system is producing these events? What exactly creates these events?

I greatly appreciate any support on this issue, thank you.

Responses