Unable to audit systemd events
Issue
An audit rule is in place that should log events generated by systemd; however, no events with pid 1 are ever logged.
An example rule which will track all systemd syscalls:
# auditctl -a always,exit -S all -F pid=1 -F key=systemd
# auditctl -l
LIST_RULES: exit,always pid=1 (0x1) key=systemd syscall=all
Trace systemd to confirm that it is making syscalls which should generate audit events:
# strace -c -p 1
Process 1 attached
^CProcess 1 detached
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 31.88    0.000051          13         4           epoll_wait
 26.87    0.000043          22         2           read
 11.25    0.000018           9         2           open
 10.62    0.000017           9         2           munmap
  9.38    0.000015           2         8         2 recvmsg
  6.25    0.000010           5         2           mmap
  1.88    0.000003           2         2           close
  1.88    0.000003           2         2           timerfd_settime
  0.00    0.000000           0         2           fstat
  0.00    0.000000           0         4           clock_gettime
------ ----------- ----------- --------- --------- ----------------
100.00    0.000160                     30         2 total
o But no new audit events carrying our key have been logged since the rule was added:
# ausearch -ts recent -k systemd
<no matches>
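The three checks in this reproduction (rule loaded, syscalls observed, events searched) can be scripted so the diagnosis is repeatable across hosts. The script below is an added example, not part of this article or of Red Hat's tooling. It works on captured command output so it can be run offline against samples, and it adds one check that the visible part of the article does not state: in the upstream kernel, audit_alloc() attaches a syscall-audit context to a task only if auditing was already enabled when that task was forked, so PID 1 (forked before auditd starts) can only be audited when the kernel was booted with audit=1 on its command line. The status tokens, the function names and the sample inputs in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article. Wraps the article's
# verification steps in functions over captured command output.
# Assumptions: `auditctl -l` prints either the RHEL 7 "LIST_RULES: ..."
# form shown in the article or the newer "-a always,exit ... -F pid=1" form;
# `ausearch` prints "<no matches>" when nothing is found; and the audit=1
# check reflects the upstream kernel rule that a task only receives an audit
# context if auditing was already enabled when it was forked.

# Return 0 if the given `auditctl -l` output contains a rule filtering on pid=1.
has_pid1_rule() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])pid=1([[:space:]]|$)'
}

# Return 0 if the kernel command line (contents of /proc/cmdline) turned
# auditing on from the start of boot, i.e. before PID 1 was forked.
audit_enabled_at_boot() {
    for tok in $1; do
        [ "$tok" = "audit=1" ] && return 0
    done
    return 1
}

# Return 0 if the given `ausearch` output contains at least one event.
has_events() {
    case "$1" in
        ''|'<no matches>') return 1 ;;
        *) return 0 ;;
    esac
}

# diagnose RULES EVENTS CMDLINE -> prints one status token:
#   no-rule              the pid=1 rule is not loaded at all
#   events-logged        the rule works, events for PID 1 are present
#   pid1-not-auditable   rule loaded, no events, kernel not booted with audit=1
#   no-events-other      rule loaded, audit=1 present, still no events
diagnose() {
    if ! has_pid1_rule "$1"; then
        echo no-rule
    elif has_events "$2"; then
        echo events-logged
    elif ! audit_enabled_at_boot "$3"; then
        echo pid1-not-auditable
    else
        echo no-events-other
    fi
}

# Live use on a RHEL 7 host (needs root): sh check-pid1-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose "$(auditctl -l 2>/dev/null)" \
             "$(ausearch -ts recent -k systemd 2>&1)" \
             "$(cat /proc/cmdline)"
fi
```

Fed the article's own `auditctl -l` line, the `<no matches>` result and a command line without audit=1, the script reports `pid1-not-auditable`; the same inputs with audit=1 present report `no-events-other`, which separates "PID 1 never had an audit context" from any other cause that would need further investigation.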
Environment
o RHEL 7.X
o audit subsystem
o systemd
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.