* Audit messages on console
@ 2007-08-03 18:26 Ameel Kamboh
  2007-08-03 18:54 ` Timothy R. Chavez
  2007-08-03 19:10 ` Stephen John Smoogen
  0 siblings, 2 replies; 4+ messages in thread
From: Ameel Kamboh @ 2007-08-03 18:26 UTC (permalink / raw)
  To: linux-audit



I notice that if the auditd service is not running,
I see all my audit logs go out on the console,
When I start auditd service they go to the appropriate log file.
Is there a way to turn this off in the kernel?

Below is my auditd.conf file:

log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 10
max_log_file = 50
max_log_file_action = ROTATE
space_left = 750
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 250
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd

Ameel Kamboh
SIP Core Network and Security 
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com





* Re: Audit messages on console
  2007-08-03 18:26 Audit messages on console Ameel Kamboh
@ 2007-08-03 18:54 ` Timothy R. Chavez
  2007-08-03 19:08   ` Timothy R. Chavez
  2007-08-03 19:10 ` Stephen John Smoogen
  1 sibling, 1 reply; 4+ messages in thread
From: Timothy R. Chavez @ 2007-08-03 18:54 UTC (permalink / raw)
  To: Ameel Kamboh; +Cc: linux-audit

On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> I notice that if the auditd service is not running, 
> I see all my audit logs go out on the console, 
> When I start auditd service they go to the appropriate log file. 
> Is there a way to turn this off in the kernel?
> 

Hi Ameel,

If audit is enabled, but auditd isn't running, the audit records will be
delivered to userspace via printk (KERN_NOTICE <5>).  So perhaps you'll
just need to edit /etc/sysconfig and route kern.5 accordingly?  If you
do not wish to generate (nor receive) audit records while auditd is
stopped, disable audit like so,

auditctl -e 0

-tim

> Below is my auditd.conf file:
> 
> log_file = /var/log/audit/audit.log 
> log_format = RAW 
> priority_boost = 3 
> flush = INCREMENTAL 
> freq = 20 
> num_logs = 10 
> max_log_file = 50 
> max_log_file_action = ROTATE 
> space_left = 750 
> space_left_action = SYSLOG 
> action_mail_acct = root 
> admin_space_left = 250 
> admin_space_left_action = SYSLOG 
> disk_full_action = SYSLOG 
> dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd
> 
> Ameel Kamboh 
> SIP Core Network and Security  
> Phone: 972.685.4922 (esn 445-4922) 
> Mobile: 978-590-2280 
> SIP: akamboh@techtrial.com 
> email: akamboh@nortel.com


* Re: Audit messages on console
  2007-08-03 18:54 ` Timothy R. Chavez
@ 2007-08-03 19:08   ` Timothy R. Chavez
  0 siblings, 0 replies; 4+ messages in thread
From: Timothy R. Chavez @ 2007-08-03 19:08 UTC (permalink / raw)
  To: Ameel Kamboh; +Cc: linux-audit

On Fri, 2007-08-03 at 13:54 -0500, Timothy R. Chavez wrote:
> On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> > I notice that if the auditd service is not running, 
> > I see all my audit logs go out on the console, 
> > When I start auditd service they go to the appropriate log file. 
> > Is there a way to turn this off in the kernel?
> > 
> 
> Hi Ameel,
> 
> If audit is enabled, but auditd isn't running, the audit records will be
> delivered to userspace via printk (KERN_NOTICE <5>).  So perhaps you'll
> just need to edit /etc/sysconfig and route kern.5 accordingly?  If you

Erm, /etc/syslog.conf

-tim


* Re: Audit messages on console
  2007-08-03 18:26 Audit messages on console Ameel Kamboh
  2007-08-03 18:54 ` Timothy R. Chavez
@ 2007-08-03 19:10 ` Stephen John Smoogen
  1 sibling, 0 replies; 4+ messages in thread
From: Stephen John Smoogen @ 2007-08-03 19:10 UTC (permalink / raw)
  To: Ameel Kamboh; +Cc: linux-audit

On 8/3/07, Ameel Kamboh <akamboh@nortel.com> wrote:
>
>
>
> I notice that if the auditd service is not running,
> I see all my audit logs go out on the console,
> When I start auditd service they go to the appropriate log file.
> Is there a way to turn this off in the kernel?
>


Simplest fix:

sed -ibackup -e 's/KLOGD_OPTIONS=\"-x\"/KLOGD_OPTIONS="-x -c 2"/' /etc/sysconfig/syslog



-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
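
The condition discussed in this thread (audit enabled, no auditd attached, console log level above KERN_NOTICE) can be checked mechanically. The script below is an added example, not part of any message in the thread; its function names and sample inputs are constructed, and it assumes the two `auditctl -s` output layouts shown and that the first field of /proc/sys/kernel/printk is the console log level.

```shell
#!/bin/sh
# Added example: will kernel audit records spill onto the console?
# Inputs are passed as text so the logic runs offline; on a live host they
# come from `auditctl -s` and /proc/sys/kernel/printk.

KERN_NOTICE=5  # printk level the thread gives for audit records without auditd

# status_field NAME STATUS_TEXT: print the value that follows NAME.
# Handles "enabled=1 pid=0" on one line and "enabled 1" one-per-line layouts.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { gsub(/=/, " ")
          for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# console_shows LEVEL PRINTK_TEXT: succeed if a message at LEVEL is printed.
# Field 1 of /proc/sys/kernel/printk is console_loglevel; only messages with
# a numerically lower level reach the console.
console_shows() {
    console_loglevel=$(printf '%s\n' "$2" | awk '{ print $1; exit }')
    [ "$1" -lt "$console_loglevel" ]
}

# audit_console_verdict STATUS_TEXT PRINTK_TEXT: print one verdict word.
audit_console_verdict() {
    enabled=$(status_field enabled "$1")
    pid=$(status_field pid "$1")
    if [ "${enabled:-0}" -eq 0 ]; then
        echo disabled              # state after `auditctl -e 0`
    elif [ "${pid:-0}" -ne 0 ]; then
        echo auditd-running        # records go to auditd's log_file
    elif console_shows "$KERN_NOTICE" "$2"; then
        echo fallback-on-console   # the symptom reported in the thread
    else
        echo fallback-suppressed   # e.g. console level lowered by klogd -c 2
    fi
}

# Constructed sample inputs, not captured from a real host.
OLD_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0'
NEW_STATUS='enabled 1
failure 1
pid 2071
rate_limit 0'

audit_console_verdict "$OLD_STATUS" '7 4 1 7'
audit_console_verdict "$OLD_STATUS" '2 4 1 7'
audit_console_verdict "$NEW_STATUS" '7 4 1 7'
```

On a live system the same verdict comes from `audit_console_verdict "$(auditctl -s)" "$(cat /proc/sys/kernel/printk)"`, run as root.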

