>>Speaking of ausearch, I just noticed that it emits this message: >>> >>> # /sbin/ausearch -m CONFIG_CHANGE -i >>> Warning - freq is non-zero and incremental flushing not selected. > > That comes from the config file parser. You've got a problem > in /etc/audit/auditd.conf that should be fixed.
Its true that my auditd.conf (which I don't think I've ever modified) has freq = 20 and flush = SYNC. I assume that SYNC means that freq is ignored. The manpage says freq is only valid if flush=incremental so it seems like an unnecessary warning. But why does ausearch care? Seems like if anything cared it would be the auditd but I can't find an error or warning from it anywhere. Seems really odd that this message comes from ausearch. -- ljk -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
