6.4. Starting the audit Service
auditdis configured, start the service to collect Audit information and store it in the log files. Use the following command as the root user to start
service auditd start
servicecommand is the only way to correctly interact with the
auditddaemon. You need to use the
servicecommand so that the
auidvalue is properly recorded. You can use the
systemctlcommand only for two actions:
auditdto start at boot time:
systemctl enable auditd
service auditd actioncommand, where action can be one of the following:
- Reloads the configuration of auditd from the
- Rotates the log files in the
- Resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.
- Restarts auditd only if it is already running.
- Displays the running status of auditd.