Silencing auditd in fedora22

Bill Shirley bshirley at memphis.apirx.biz
Sun Jul 19 18:28:43 UTC 2015



On 7/18/2015 7:08 PM, Alex wrote:
> Hi,
> Since upgrading from fedora22, auditd is drowning /var/log/messages
> with useless information such as this:
>
> Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0
> auid=4294967295 ses=4294967295 msg='op=destroy kind=server
> fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f
> direction=? spid=6002 suid=0  exe="/usr/sbin/sshd" hostname=?
> addr=64.1.XX.18 terminal=? res=success'
>
> I've enabled rsyslog because the logs are so much easier to access,
> but I'm not using auditd so would like to just turn it off.
>
/etc/rsyslog.conf BEFORE:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

add:
# rsyslog severity numbers follow syslog(3): 0 emerg, 1 alert, 2 crit, 3 err,
# 4 warning, 5 notice, 6 info, 7 debug. "stop" discards the message for every
# later rule, so with the threshold at 5 all audit records still land in
# kernel.audit.log, but only warning and higher still reach /var/log/messages.
if $programname == 'audit' then {
   action(type="omfile" file="/var/log/kernel.audit.log")
#  if $syslogseverity >= 4 then stop    # warning
   if $syslogseverity >= 5 then stop    # notice
#  if $syslogseverity >= 6 then stop    # info
}

/etc/logrotate.d/syslog add:
/var/log/kernel.audit.log

> Ideas for using journalctl to show me the following would be appreciated:
>
> - start at the end of the log
> - use shortened hostname
> - shows only info in the former /var/log/maillog or /var/log/messages
> - piped through a searchable pager
>
> Typing "less /var/log/maillog" requires far less typing, more easily
> remembered, and is easily searchable.
>
Even easier:
alias fmail='/usr/bin/tail -f /var/log/maillog'
alias lmail='/usr/bin/less /var/log/maillog'

Now try:
fmail
lmail

Add the aliases to ~/.bashrc to always have them available.
> Thanks,
> Alex
>

Bill
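As an added example (not from Bill's or Alex's messages), the script below emulates the rsyslog rule from the reply on a few constructed "programname severity" samples, so you can see which file each message would reach at a given threshold, and it defines journal-based counterparts of the fmail/lmail aliases for the journalctl question. It assumes syslog(3) severity numbering (0 emerg through 7 debug), that the kernel audit records arrive at rsyslog with programname "audit" at severity notice, and that mail is syslog facility 2 as stored in the journal's SYSLOG_FACILITY field; the facility selectors (mail.none etc.) of the *.info rule are not modelled. The function names route, severity_num, jmail, fjmail and demo are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates the rsyslog rule
#   if $programname == 'audit' then { omfile kernel.audit.log; if sev >= THRESHOLD then stop }
#   *.info;mail.none;authpriv.none;cron.none   /var/log/messages
# on constructed samples. Assumption: severities use syslog(3) numbering.

severity_num() {
  case "$1" in
    emerg)   echo 0 ;;
    alert)   echo 1 ;;
    crit)    echo 2 ;;
    err)     echo 3 ;;
    warning) echo 4 ;;
    notice)  echo 5 ;;
    info)    echo 6 ;;
    debug)   echo 7 ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# route PROGRAMNAME SEVERITY THRESHOLD
# Prints, in rule order, the files the message would be written to.
# Facility selectors (mail.none etc.) are ignored; samples are facility kern/user.
route() {
  prog=$1
  sev=$(severity_num "$2") || return 1
  thr=$3
  out=""
  if [ "$prog" = "audit" ]; then
    out="/var/log/kernel.audit.log"
    # "stop" ends processing for this message, so the *.info rule never sees it
    if [ "$sev" -ge "$thr" ]; then
      echo "$out"
      return 0
    fi
  fi
  # "*.info" matches info (6) and anything more severe; debug (7) is excluded
  if [ "$sev" -le 6 ]; then
    out="${out}${out:+ }/var/log/messages"
  fi
  echo "$out"
}

# Journal counterparts of the fmail/lmail aliases (assumption: mail is
# syslog facility 2, which is what the journal's SYSLOG_FACILITY field holds).
# journalctl pages through less by default; -e jumps to the end, -f follows.
jmail()  { journalctl -e SYSLOG_FACILITY=2 "$@"; }
fjmail() { journalctl -f SYSLOG_FACILITY=2 "$@"; }

# Constructed samples: "programname severity", one per line.
SAMPLES='audit notice
audit warning
audit debug
sshd info
sshd debug'

# Show where each sample ends up with the threshold at 5 (notice), as in the reply.
demo() {
  echo "$SAMPLES" | while read -r prog sev; do
    printf '%-6s %-8s -> %s\n' "$prog" "$sev" "$(route "$prog" "$sev" 5)"
  done
}

demo
```

Run it as `sh` and compare the output against what you expect before editing rsyslog.conf; the line worth noticing is "audit warning", which with the threshold at 5 is still copied to /var/log/messages. To check the real config file rather than the emulation, `rsyslogd -N1` parses it and reports syntax errors without starting the daemon.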

