Auditd is not creating /var/run/audispd_events

Solution Unverified - Updated -

Issue

  • We have auditd running on a number of hosts, and audispd is installed. We can see audit rules with auditctl -l but no /var/run/audispd_events file is created.
  • The following messages can be seen when restarting auditd:

    Apr 11 09:02:32 hostname auditd[848]: Wrong number of arguments for line 6 in /etc/audit/plugins.d//af_unix.conf
    Apr 11 09:02:32 hostname auditd[848]: Skipping af_unix.conf plugin due to errors
    Apr 11 09:02:32 hostname auditd[848]: No plugins found, not dispatching events
    Apr 11 09:02:32 hostname auditd[848]: Init complete, auditd 3.1.5 listening for events (startup state enable)
    

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
