- Red Hat Enterprise Linux (RHEL) 8
- RHEL 8 client is configured to send logs to a central syslog server.
- All logs are successfully being received by the central syslog server except audit logs.
- Why are the audit logs not being forwarded?
- Install the
- Edit the /etc/audit/plugins.d/syslog.conf file so that
- Restart the auditd service using the service auditd restart command (not the
Prior to RHEL 8, the audispd configuration was in the /etc/audisp directory. In RHEL 8, Audit 3.0 replaces audispd with auditd. As a result, all configuration files are now in the /etc/audit directory and its sub-directories.
- Ensure that the audispd-plugins package is installed and the /etc/audit/plugins.d/syslog.conf file contains the correct parameter.
- After the auditd service is restarted, generate a test audit message using the auditctl -m "Test message" command and verify that it has reached the central syslog server.
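
The configuration check from the diagnostic steps can be scripted. The following is an added example, not part of the original solution; it assumes the parameter in question is the plugin's active setting (the text above does not name it), and the function names and the sample file are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the article): check whether an audit plugin is enabled.
# Assumption: a plugin is enabled by "active = yes" in its plugins.d file.

# Print the last value assigned to KEY ($2) in a "key = value" plugin file ($1).
plugin_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }   # skip comments, non-assignments
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (tolower(name) == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# Return 0 if the plugin is active, 1 if it is not, 2 if the file is unreadable.
check_syslog_plugin() {
    conf=${1:-/etc/audit/plugins.d/syslog.conf}
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf (is the audispd-plugins package installed?)"
        return 2
    fi
    active=$(plugin_value "$conf" active | tr '[:upper:]' '[:lower:]')
    if [ "$active" = "yes" ]; then
        echo "OK: $conf has active = yes"
        return 0
    fi
    echo "INACTIVE: $conf has active = ${active:-unset}"
    return 1
}

# Constructed sample file (not taken from a real host), checked before and after the edit.
write_sample() {
    printf '%s\n' '# constructed sample' "active = $2" 'direction = out' \
        'path = /sbin/audisp-syslog' 'type = always' 'format = string' > "$1"
}
sample=$(mktemp)
write_sample "$sample" no
check_syslog_plugin "$sample" || true
write_sample "$sample" yes
check_syslog_plugin "$sample"
rm -f "$sample"
```

Called with no argument on the RHEL 8 client, check_syslog_plugin reads /etc/audit/plugins.d/syslog.conf; a MISSING result points back at the package check, an INACTIVE result at the file edit.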
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.