Silencing auditd in fedora22

Alex Regan mysqlstudent at gmail.com
Sun Jul 19 21:31:35 UTC 2015


Hi,

>> Since upgrading from fedora22, auditd is drowning /var/log/messages
>> with useless information such as this:
>>
>> Jul 18 19:02:19 orion audit: <audit-2404> pid=6002 uid=0
>> auid=4294967295 ses=4294967295 msg='op=destroy kind=server
>> fp=SHA256:b5:7b:76:df:38:16:f3:f5:cd:2f:67:54:9a:2e:68:15:ae:9c:40:50:4f:6d:81:43:0d:54:bd:e2:c5:a0:43:7f
>>
>> direction=? spid=6002 suid=0  exe="/usr/sbin/sshd" hostname=?
>> addr=64.1.XX.18 terminal=? res=success'
>>
>> I've enabled rsyslog because the logs are so much easier to access,
>> but I'm not using auditd so would like to just turn it off.
>>
> /etc/rsyslog.conf BEFORE:
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>
> add:
> if $programname == 'audit' then {
>    action(type="omfile" file="/var/log/kernel.audit.log")
> #  if $syslogseverity >= 4 then stop    # warning
>    if $syslogseverity >= 5 then stop    # notice
> #  if $syslogseverity >= 6 then stop    # info
> }

Very helpful, thanks.

>> Ideas for using journalctl to show me the following would be appreciated:
>>
>> - start at the end of the log
>> - use shortened hostname
>> - shows only info in the former /var/log/maillog or /var/log/messages
>> - piped through a searchable pager
>>
>> Typing "less /var/log/maillog" requires far less typing, more easily
>> remembered, and is easily searchable.
>>
> Even easier:
> alias fmail='/usr/bin/tail -f /var/log/maillog'
> alias lmail='/usr/bin/less /var/log/maillog'
>
> Now try:
> fmail
> lmail

Yes, of course. I was referring to journalctl shortcuts (equivalents) 
here. Ideas still welcome :-)

thanks,
alex
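As an added illustration that is not part of the thread, the shell script below models how the rsyslog rules quoted above route one message by program name and syslog PRI, so the effect of the `stop` on audit severities can be checked without touching a live rsyslog. It is a constructed model of the rule order, not rsyslog code; the sample PRI values and program names are made up, and other rules in rsyslog.conf (maillog, secure, cron) are not modelled.

```shell
#!/bin/sh
# Constructed model of the two rsyslog rules from the thread:
#   if $programname == 'audit' then { action(omfile kernel.audit.log)
#                                     if $syslogseverity >= 5 then stop }
#   *.info;mail.none;authpriv.none;cron.none   /var/log/messages
# Syslog PRI = facility * 8 + severity.
# Severities: 0 emerg 1 alert 2 crit 3 err 4 warning 5 notice 6 info 7 debug
# Facilities: 0 kern 1 user 2 mail 3 daemon 4 auth 5 syslog 6 lpr 7 news
#             8 uucp 9 cron 10 authpriv 11 ftp

# route PRI PROGRAMNAME
# Prints the files the message ends up in (space separated), or "-" if neither.
route() {
    pri=$1
    prog=$2
    facility=$((pri / 8))
    severity=$((pri % 8))
    out=""

    # The audit block must sit before the *.info line for "stop" to matter.
    if [ "$prog" = "audit" ]; then
        # action(type="omfile" ...): every audit message is written here first
        out="kernel.audit.log"
        # "if $syslogseverity >= 5 then stop": notice, info and debug from
        # audit go no further; audit warning/err/crit still reach the rules below.
        if [ "$severity" -ge 5 ]; then
            echo "$out"
            return 0
        fi
    fi

    # "*.info" selects info and more severe, i.e. severity <= 6;
    # mail.none, authpriv.none and cron.none exclude those facilities entirely.
    case $facility in
        2|9|10) ;;
        *) [ "$severity" -le 6 ] && out="${out:+$out }messages" ;;
    esac

    echo "${out:-"-"}"
}

# Constructed samples: "PRI program". 13 = user.notice, 12 = user.warning,
# 30 = daemon.info, 22 = mail.info, 78 = cron.info, 15 = user.debug.
for sample in "13 audit" "12 audit" "30 sshd" "22 postfix" "78 crond" "15 sshd"; do
    set -- $sample
    printf '%-3s %-8s -> %s\n' "$1" "$2" "$(route "$1" "$2")"
done
```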

