audit logs are being written to /var/log/messages, despite configuring them not to do so in /etc/audit/plugins.d/syslog.
Issue
- Audit logs are being written to /var/log/messages despite configuring active=no in /etc/audit/plugins.d/syslog. This is not only causing log saturation in /var/log/messages, but our third-party ELK solution is also hitting capacity, which impacts our subscription costs.
- We also see the following log message:
Jun 17 13:12:58 host auditd[1470]: Error receiving audit netlink packet (No buffer space available)
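The two symptoms above can be checked together from the shell. The script below is an added example and not part of the Red Hat article: it reads the effective active= value from an audit syslog plugin config, then counts kernel audit records and netlink buffer errors in a syslog file. The file paths and the sample config and log contents are constructed assumptions; point the functions at the real files on the host under review.

```shell
#!/bin/sh
# Added example (not from the article). Triage helpers for "audit records
# still reach syslog although the audit syslog plugin is set inactive".

# Print "yes" or "no" for the plugin's active= setting; missing key counts as no.
plugin_active() {
    # Plugin configs use "key = value" lines; allow surrounding spaces, take last match.
    _val=$(sed -n 's/^[[:space:]]*active[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    case "$_val" in
        yes|Yes|YES) echo yes ;;
        *)           echo no ;;
    esac
}

# Count syslog lines carrying a kernel audit record ("audit: type=NNNN ...").
count_audit_records() {
    grep -c 'audit: type=' "$1" || true
}

# Count auditd complaints that the netlink socket buffer overflowed.
count_netlink_drops() {
    grep -c 'Error receiving audit netlink packet' "$1" || true
}

# Constructed sample inputs (assumptions, for a self-contained run).
tmp=$(mktemp -d)
cat > "$tmp/syslog.conf" <<'EOF'
# sample audit syslog plugin config
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
cat > "$tmp/messages" <<'EOF'
Jun 17 13:12:57 host kernel: audit: type=1400 audit(1718629977.123:4567): avc:  denied  { read } for  pid=1234 comm="nginx"
Jun 17 13:12:58 host auditd[1470]: Error receiving audit netlink packet (No buffer space available)
Jun 17 13:12:59 host kernel: audit: type=1300 audit(1718629979.456:4568): arch=c000003e syscall=2 success=yes exit=3
Jun 17 13:13:00 host sshd[2222]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
EOF

# If the plugin reports "no" but audit records are still counted, the plugin
# is not the path delivering them, and that other path is what to investigate.
echo "syslog plugin active:      $(plugin_active "$tmp/syslog.conf")"
echo "audit records in messages: $(count_audit_records "$tmp/messages")"
echo "netlink buffer errors:     $(count_netlink_drops "$tmp/messages")"
```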
Environment
- Red Hat Enterprise Linux 9 [RHEL]
- audit