Audit subsystem messages are showing in /var/log/messages file
Issue
- Receiving audit error messages in the incorrect log file
- Is it possible to suppress audispd messages from displaying in /var/log/messages, as seen below:
Sep 25 17:37:11 hostname1 audispd: node=hostname1 type=CWD msg=audit(1380130631.287:93132): cwd="/"
Sep 25 17:37:11 hostname1 audispd: node=hostname1 type=PATH msg=audit(1380130631.287:93132): item=0 name="/var/log/audit/audit.log"
Sep 25 17:37:11 hostname1 audispd: node=hostname1 type=PATH msg=audit(1380130631.287:93132): item=1 name=(null) inode=29633 dev=fd:05 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
Sep 25 17:37:11 hostname1 audispd: node=hostname1 type=EOE msg=audit(1380130631.287:93132):
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=AVC msg=audit(1380130641.297:93133): avc: denied { search } for pid=2550 comm="rsyslogd" name="audit" dev=dm-5 ino=29633 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=SYSCALL msg=audit(1380130641.297:93133): arch=c000003e syscall=2 success=no exit=-13 a0=7f37f0001b50 a1=80100 a2=180 a3=19 items=2 ppid=1 pid=2550 auid=10279 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=527 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key="access"
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=CWD msg=audit(1380130641.297:93133): cwd="/"
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=PATH msg=audit(1380130641.297:93133): item=0 name="/var/log/audit/audit.log"
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=PATH msg=audit(1380130641.297:93133): item=1 name=(null) inode=29633 dev=fd:05 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
Sep 25 17:37:21 hostname1 audispd: node=hostname1 type=EOE msg=audit(1380130641.297:93133):
Sep 25 17:37:31 hostname1 audispd: node=hostname1 type=AVC msg=audit(1380130651.307:93134): avc: denied { search } for pid=2550 comm="rsyslogd" name="audit" dev=dm-5 ino=29633 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
Environment
- Red Hat Enterprise Linux 6