Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

7.4. Starting the audit Service

Once auditd is configured, start the service to collect Audit information and store it in the log files. Use the following command as the root user to start auditd:
~]# service auditd start


The service command is the only way to correctly interact with the auditd daemon. You need to use the service command so that the auid value is properly recorded. You can use the systemctl command only for two actions: enable and status.
To configure auditd to start at boot time:
~]# systemctl enable auditd
A number of other actions can be performed on auditd using the service auditd action command, where action can be one of the following:
Stops auditd.
Restarts auditd.
reload or force-reload
Reloads the configuration of auditd from the /etc/audit/auditd.conf file.
Rotates the log files in the /var/log/audit/ directory.
Resumes logging of Audit events after it has been previously suspended, for example, when there is not enough free space on the disk partition that holds the Audit log files.
condrestart or try-restart
Restarts auditd only if it is already running.
Displays the running status of auditd.