Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

7.4. Starting the audit Service

Once auditd is configured, start the service to collect Audit information and store it in the log files. Use the following command as the root user to start auditd:
~]# service auditd start

Note

The service command is the only way to correctly interact with the auditd daemon. You need to use the service command so that the auid value is properly recorded. You can use the systemctl command only for two actions: enable and status.
To configure auditd to start at boot time:
~]# systemctl enable auditd
A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:
stop
Stops auditd.
restart
Restarts auditd.
reload or force-reload
Reloads the configuration of auditd from the /etc/audit/auditd.conf file.
rotate
Rotates the log files in the /var/log/audit/ directory.
resume
Resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.
condrestart or try-restart
Restarts auditd only if it is already running.
status
Displays the running status of auditd.