* Audit messages on console
@ 2007-08-03 18:26 Ameel Kamboh
2007-08-03 18:54 ` Timothy R. Chavez
2007-08-03 19:10 ` Stephen John Smoogen
0 siblings, 2 replies; 4+ messages in thread
From: Ameel Kamboh @ 2007-08-03 18:26 UTC (permalink / raw)
To: linux-audit
I notice that if the auditd service is not running,
I see all my audit logs go out on the console,
When I start auditd service they go to the appropriate log file.
Is there a way to turn this off in the kernel?
Below is my auditd.conf file:
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 10
max_log_file = 50
max_log_file_action = ROTATE
space_left = 750
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 250
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd
Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com
* Re: Audit messages on console
From: Timothy R. Chavez @ 2007-08-03 18:54 UTC (permalink / raw)
To: Ameel Kamboh; +Cc: linux-audit
On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> I notice that if the auditd service is not running,
> I see all my audit logs go out on the console,
> When I start auditd service they go to the appropriate log file.
> Is there a way to turn this off in the kernel?
>
Hi Ameel,
If audit is enabled, but auditd isn't running, the audit records will be
delivered to userspace via printk (KERN_NOTICE <5>). So perhaps you'll
just need to edit /etc/sysconfig and route kern.5 accordingly? If you
do not wish to generate (nor receive) audit records while auditd is
stopped, disable audit like so,
auditctl -e 0
-tim
> Below is my auditd.conf file:
>
> log_file = /var/log/audit/audit.log
> log_format = RAW
> priority_boost = 3
> flush = INCREMENTAL
> freq = 20
> num_logs = 10
> max_log_file = 50
> max_log_file_action = ROTATE
> space_left = 750
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 250
> admin_space_left_action = SYSLOG
> disk_full_action = SYSLOG
> dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd
>
> Ameel Kamboh
> SIP Core Network and Security
> Phone: 972.685.4922 (esn 445-4922)
> Mobile: 978-590-2280
> SIP: akamboh@techtrial.com
> email: akamboh@nortel.com
* Re: Audit messages on console
From: Timothy R. Chavez @ 2007-08-03 19:08 UTC (permalink / raw)
To: Ameel Kamboh; +Cc: linux-audit
On Fri, 2007-08-03 at 13:54 -0500, Timothy R. Chavez wrote:
> On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> > I notice that if the auditd service is not running,
> > I see all my audit logs go out on the console,
> > When I start auditd service they go to the appropriate log file.
> > Is there a way to turn this off in the kernel?
> >
>
> Hi Ameel,
>
> If audit is enabled, but auditd isn't running, the audit records will be
> delivered to userspace via printk (KERN_NOTICE <5>). So perhaps you'll
> just need to edit /etc/sysconfig and route kern.5 accordingly? If you
Erm, /etc/syslog.conf
-tim
* Re: Audit messages on console
From: Stephen John Smoogen @ 2007-08-03 19:10 UTC (permalink / raw)
To: Ameel Kamboh; +Cc: linux-audit
On 8/3/07, Ameel Kamboh <akamboh@nortel.com> wrote:
>
>
>
> I notice that if the auditd service is not running,
> I see all my audit logs go out on the console,
> When I start auditd service they go to the appropriate log file.
> Is there a way to turn this off in the kernel?
>
Simplest fix:
sed -ibackup -e 's/KLOGD_OPTIONS=\"-x\"/KLOGD_OPTIONS="-x -c 2"/' /etc/sysconfig/syslog
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
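
Added example, not part of any message in this thread: a shell check that combines the replies above (audit enabled flag, whether auditd is registered, and the console loglevel that `klogd -c` sets) to tell whether audit records will land on the console. The function names, the two `auditctl -s` output layouts it accepts, and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: will kernel audit records show up on the console?
# Inputs are strings so the logic can be checked offline; on a live host pass
# "$(auditctl -s)" and "$(cat /proc/sys/kernel/printk)".

KERN_NOTICE=5   # printk level the thread gives for audit records without auditd

# status_field NAME STATUS_TEXT: value of NAME, accepting "name=value" and
# "name value" layouts (both layouts are assumed here).
status_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -v k="$1" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
        prev == k             { print; exit }
        { prev = $0 }'
}

# audit_console_verdict STATUS_TEXT PRINTK_TEXT
# prints: disabled | daemon | console | suppressed
audit_console_verdict() {
    enabled=$(status_field enabled "$1")
    pid=$(status_field pid "$1")
    console_level=${2%%[!0-9]*}   # first field = console loglevel
    if [ "${enabled:-0}" -eq 0 ]; then
        echo disabled             # "auditctl -e 0": no records generated
    elif [ "${pid:-0}" -ne 0 ]; then
        echo daemon               # auditd registered: records go to its log
    elif [ "$console_level" -gt "$KERN_NOTICE" ]; then
        echo console              # printk fallback is visible on the console
    else
        echo suppressed           # e.g. klogd -c 2: kept off the console
    fi
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0'
SAMPLE_PRINTK=$(printf '7\t4\t1\t7')
echo "sample verdict: $(audit_console_verdict "$SAMPLE_STATUS" "$SAMPLE_PRINTK")"
```

The kernel prints a message on the console only when its level is numerically below the console loglevel, which is why a console loglevel of 2 hides level 5 records while syslog can still receive them.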