Hi, Since upgrading from fedora22, auditd is drowning /var/log/messages with useless information such as this:
Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f direction=? spid=6002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=64.1.XX.18 terminal=? res=success'
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
Ideas for using journalctl to show me the following would be appreciated:
- start at the end of the log
- use shortened hostname
- shows only info in the former /var/log/maillog or /var/log/messages
- piped through a searchable pager
Typing "less /var/log/maillog" requires far less typing, more easily remembered, and is easily searchable.
Thanks, Alex
On Sat, 18 Jul 2015 19:08:20 -0400 Alex wrote:
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
Stick audit=0 on the kernel command line options in grub.cfg, and disable the auditd service (or uninstall it). That's worked for me in the past; hopefully it still works.
On 07/18/2015 06:08 PM, Alex wrote:
Hi, Since upgrading from fedora22, auditd is drowning /var/log/messages with useless information such as this:
Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f direction=? spid=6002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=64.1.XX.18 terminal=? res=success'
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
In another thread someone said they added audit=0 to grub.cfg and rebooted. I did the same about a week ago with no apparent problems. You can also use the command auditctl -e 0 to turn it off for the currently running kernel.
David
Ideas for using journalctl to show me the following would be appreciated:
- start at the end of the log
- use shortened hostname
- shows only info in the former /var/log/maillog or /var/log/messages
- piped through a searchable pager
Typing "less /var/log/maillog" requires far less typing, more easily remembered, and is easily searchable.
Thanks, Alex
Hi,
Since upgrading from fedora22, auditd is drowning /var/log/messages with useless information such as this:
Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f
direction=? spid=6002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=64.1.XX.18 terminal=? res=success'
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
In another thread someone said they added audit=0 to grub.cfg and rebooted. I did the same about a week ago with no apparent problems. You can also use the command auditctl -e 0 to turn it off for the currently running kernel.
Great, thanks for the info.
Thanks, Alex
On 7/18/2015 7:08 PM, Alex wrote:
Hi, Since upgrading from fedora22, auditd is drowning /var/log/messages with useless information such as this:
Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f direction=? spid=6002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=64.1.XX.18 terminal=? res=success'
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
/etc/rsyslog.conf, BEFORE the line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
add:
if $programname == 'audit' then {
    action(type="omfile" file="/var/log/kernel.audit.log")
    # if $syslogseverity >= 4 then stop # warning
    if $syslogseverity >= 5 then stop # notice
    # if $syslogseverity >= 6 then stop # info
}
/etc/logrotate.d/syslog add: /var/log/kernel.audit.log
Ideas for using journalctl to show me the following would be appreciated:
- start at the end of the log
- use shortened hostname
- shows only info in the former /var/log/maillog or /var/log/messages
- piped through a searchable pager
Typing "less /var/log/maillog" requires far less typing, more easily remembered, and is easily searchable.
Even easier:
alias fmail='/usr/bin/tail -f /var/log/maillog'
alias lmail='/usr/bin/less /var/log/maillog'
Now try:
fmail
lmail
add the aliases to ~/.bashrc to always have them available.
Thanks, Alex
Bill
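Before deciding between David's audit=0 / auditctl -e 0 and Bill's rsyslog rule, it helps to know what the flood actually consists of. The following is an added example, not code from the thread: a small Python parser for audit records in the syslog form shown above (the `audit: <audit-NNNN> ...` lines, i.e. exactly what `$programname == 'audit'` matches) that summarises them by record type, operation, executable and result. The sample input is constructed (the thread's own line plus two made-up lines of the same shape); the type-number names come from the kernel's audit.h, and an auid of 4294967295 is (uid_t)-1, meaning the process has no login session.

```python
"""Added example: triage kernel audit records as rsyslog writes them to /var/log/messages.

Lines look like:  <timestamp> <host> audit: <audit-NNNN> key=value ... msg='key=value ...'
Counting them by type/op/exe/res shows what audit=0 would silence and what an
rsyslog  $programname == 'audit'  rule would divert to a separate file.
"""
import re
import sys
from collections import Counter

# Record-type numbers from include/uapi/linux/audit.h (only the two used here).
AUDIT_TYPE_NAMES = {1100: "USER_AUTH", 2404: "CRYPTO_KEY_USER"}

# auid=4294967295 is (uid_t)-1: no login session, i.e. daemon context rather than a user.
AUID_UNSET = "4294967295"

# Constructed sample input: the record quoted in the thread plus two made-up lines.
SAMPLE_LINES = [
    "Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:"
    "ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f direction=? spid=6002 suid=0 "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=64.1.XX.18 terminal=? res=success'",
    "Jul 18 19:02:20 orion audit: <audit-1100> pid=6003 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication grantors=? acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=64.1.XX.18 terminal=ssh res=failed'",
    "Jul 18 19:02:21 orion systemd: Started Session 3 of user alex.",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<rest>.*)$"
)
AUDIT_RE = re.compile(r"^<audit-(?P<type>\d+)> (?P<body>.*)$")
# key=value tokens; a value is "quoted", 'quoted' (the nested msg='...' block) or bare.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_fields(body):
    """Turn 'a=1 b="x" msg=\'c=? d=y\'' into {'a': '1', 'b': 'x', 'c': None, 'd': 'y'}."""
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith("'") and raw.endswith("'"):
            fields.update(parse_fields(raw[1:-1]))   # flatten the nested msg='...' block
        elif raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        else:
            fields[key] = None if raw == "?" else raw  # '?' is audit's "unknown"
    return fields


def parse_line(line):
    """Return (programname, record dict) for an audit line, (programname, None) otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None, None
    prog = m.group("prog")
    a = AUDIT_RE.match(m.group("rest"))
    if prog != "audit" or not a:
        return prog, None
    rec = parse_fields(a.group("body"))
    rec["type"] = int(a.group("type"))
    rec["type_name"] = AUDIT_TYPE_NAMES.get(rec["type"], "UNKNOWN")
    rec["host"] = m.group("host")
    rec["login_session"] = rec.get("auid") not in (None, AUID_UNSET)
    return prog, rec


def summarize(lines):
    """Count audit records by (type_name, op, exe, res) and other lines by program name."""
    audit, other = Counter(), Counter()
    for line in lines:
        prog, rec = parse_line(line.rstrip("\n"))
        if rec is None:
            if prog:
                other[prog] += 1
            continue
        audit[(rec["type_name"], rec.get("op"), rec.get("exe"), rec.get("res"))] += 1
    return audit, other


def main():
    # Read /var/log/messages from stdin if piped, otherwise run on the constructed sample.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    audit, other = summarize(lines)
    print("audit records (type, op, exe, res):")
    for key, n in audit.most_common():
        print(f"  {n:6d}  {key}")
    print("non-audit lines by program:")
    for prog, n in other.most_common():
        print(f"  {n:6d}  {prog}")


if __name__ == "__main__":
    main()
```

Run it as `python3 audit_triage.py < /var/log/messages`. On a box like the one in the thread the top line of the summary will be CRYPTO_KEY_USER records from /usr/sbin/sshd with res=success, which are the per-connection host-key bookkeeping sshd reports; anything else in the list (for example USER_AUTH with res=failed) is the part of the audit trail you would lose with audit=0 but keep, out of the way, with Bill's separate kernel.audit.log file.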
Hi,
Since upgrading from fedora22, auditd is drowning /var/log/messages with useless information such as this:
Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f
direction=? spid=6002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=64.1.XX.18 terminal=? res=success'
I've enabled rsyslog because the logs are so much easier to access, but I'm not using auditd so would like to just turn it off.
/etc/rsyslog.conf, BEFORE the line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
add:
if $programname == 'audit' then {
    action(type="omfile" file="/var/log/kernel.audit.log")
    # if $syslogseverity >= 4 then stop # warning
    if $syslogseverity >= 5 then stop # notice
    # if $syslogseverity >= 6 then stop # info
}
Very helpful, thanks.
Ideas for using journalctl to show me the following would be appreciated:
- start at the end of the log
- use shortened hostname
- shows only info in the former /var/log/maillog or /var/log/messages
- piped through a searchable pager
Typing "less /var/log/maillog" requires far less typing, more easily remembered, and is easily searchable.
Even easier:
alias fmail='/usr/bin/tail -f /var/log/maillog'
alias lmail='/usr/bin/less /var/log/maillog'
Now try:
fmail
lmail
Yes, of course. I was referring to journalctl shortcuts (equivalents) here. Ideas still welcome :-)
thanks, alex