* auditd start failure
From: zhu xiuming @ 2013-08-16 18:38 UTC (permalink / raw)
  To: Linux-audit



Hi
Suddenly, my auditd can't start. I do not know why.
I remember I changed some permission settings on /var/log/audit. However,
even after I changed it back, auditd can't be started.

I looked at the audit.log. It only shows the daemon is closed successfully.

I wonder whether there is another log file I should look at.
Normally, it will print out the failure reason: wrong audit rules, but this
time, only "Failed".


thanks a lot


* Re: auditd start failure
From: Steve Grubb @ 2013-08-16 18:43 UTC (permalink / raw)
  To: linux-audit

On Friday, August 16, 2013 11:38:32 AM zhu xiuming wrote:
> Hi
> Suddenly, my auditd can't start. I do not know why.
> I remember I changed some permission settings on /var/log/audit. However,
> even after I changed it back, auditd can't be started.
> 
> I looked at the audit.log. It only shows the daemon is closed successfully.
> 
> I wonder whether there is another log file I should look at.

It writes failure messages to /var/log/messages. I sometimes troubleshoot
issues by starting the daemon by hand in the foreground mode so that
everything is written to the screen. /sbin/auditd -f

-Steve


* Re: auditd start failure
From: zhu xiuming @ 2013-08-16 18:48 UTC (permalink / raw)
  To: Steve Grubb, Linux-audit



Thank you so much for the quick response. I just want to send out this
email because I used auditd -f to find out it was still the permission
issue of audit.log.

What I wanted to do is let someone other than root be able to read the
audit.log. Should I change the log_group setting? It seems audit.log
permission is 0600. Only root can read it.





* Re: auditd start failure
From: Steve Grubb @ 2013-08-16 18:53 UTC (permalink / raw)
  To: zhu xiuming; +Cc: Linux-audit

On Friday, August 16, 2013 11:48:37 AM zhu xiuming wrote:
> Thank you so much for the quick response. I just want to send out this
> email because I used auditd -f to find out it was still the permission
> issue of audit.log.
> 
> What I wanted to do is let someone other than root be able to read the
> audit.log. Should I change the log_group setting?

Yes.

> It seems audit.log permission is 0600. Only root can read it.

You should create a group for reading audit logs and add the user to it. You 
may need to change the group on the log files initially and chmod them to 0640. 
But auditd will correctly set the permission and group on all future files.

-Steve
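
The steps described in the reply above, as an added shell example that is not part of the original thread or of the audit package. The group name `auditread` and user `alice` are made-up, /etc/audit/auditd.conf is assumed to be the config path, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example. "auditread" and "alice" are made-up names; the conf and log
# paths are parameters so the functions can be tried on copies first.

valid_group() {  # reject names that would break the sed expression below
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

set_log_group() {  # set_log_group <auditd.conf> <group>
    valid_group "$2" || return 1
    if grep -Eq '^[[:space:]]*log_group[[:space:]]*=' "$1"; then
        # replace the existing setting, keeping a .bak copy of the config
        sed -i.bak -E "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $2/" "$1"
    else
        printf 'log_group = %s\n' "$2" >> "$1"
    fi
}

fix_existing_logs() {  # fix_existing_logs <logdir> <group>
    valid_group "$2" || return 1
    for f in "$1"/audit.log*; do
        [ -f "$f" ] || continue          # glob matched nothing
        chgrp "$2" "$f" && chmod 0640 "$f" || return 1
    done
}

unreadable_logs() {  # print log files whose group or mode is still wrong
    find "$1" -maxdepth 1 -type f -name 'audit.log*' \
        \( ! -group "$2" -o ! -perm 0640 \)
}

grant_audit_read() {  # run as root: grant_audit_read auditread alice
    getent group "$1" >/dev/null || groupadd "$1" || return 1
    usermod -aG "$1" "$2" || return 1
    set_log_group /etc/audit/auditd.conf "$1" || return 1
    fix_existing_logs /var/log/audit "$1" || return 1
    unreadable_logs /var/log/audit "$1"   # empty output means all files are fixed
}
```

auditd reads log_group from its config when it starts, so restart it after the change; the user has to log in again before the new group membership takes effect.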

