f26 logwatch users: audit report tons of messages? - users - Fedora mailing-lists

30 Aug 2017


      Per [1], I was seeing tons of audit messages listed in logwatch reports.
(My patch fixes that, btw.)  My actual question is why I wasn't seeing
those messages in my old (old) F20 logwatch reports, but did see:
--------------------- Kernel Audit Begin ------------------------
**Unmatched Entries**
   enabled 0
   flag 1
   pid 0
   rate_limit 0
   backlog_limit 320
   lost 0
   backlog 0
   backlog_wait_time 60000
instead.  Is this your experience, that some upgrade started giving
tons of audit messages?
I think that previously, when logwatch looked at the logfiles, it was
misconfigured to not use /var/log/audit/audit.log, but instead:
LogFile = modsecurity2/modsec_audit.log
and what I saw came from /var/log/messages (not sure why).  Now
logwatch looks at the journal (that's the format of the lines I see)
and is actually able to report audit issues.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1231364
-- 
____________________________________________________________________
TonyN.:'                       mailto:tonynelson@georgeanelson.com
       '                              http://www.georgeanelson.com/