What are your free and admin space requirements in /etc/auditd.conf? David A. Kirkwood SAIC
[EMAIL PROTECTED] [EMAIL PROTECTED] Phone: (727) 502-8310 Fax: (727) 822-7776 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Tangren Sent: Friday, April 13, 2007 10:27 AM Cc: [EMAIL PROTECTED] Subject: Re: wierd audit problems on one RHEL ES4 box Steve Grubb wrote: > On Thursday 12 April 2007 10:08, Bill Tangren wrote: >> Any ideas what is wrong? > > If auditd process is not running, you may need to delete anything with auditd > in its name in the /var/run directory. > > -Steve > After reboot, there is now nothing in /var/run with audit, or even au in the name. The service is stopped, and I cannot start it. Starting just fails. I noticed that auditd stopped writing to /var/log/audit/audit.log a few hours before the log was rotated. Rotation failed. Auditing has since been putting its output in /var/log/messages, even though auditd is not running, though "ps aux" shows root 2242 0.0 0.0 0 0 ? S< Apr12 0:00 [kauditd] I think the problem is that auditd cannot write to the log, but I don't know why. The permissions on the log seems to be the same as on other systems I run. The directory permission was 700, where it is 750 on other systems, but changing it to 750 didn't help. Any other ideas? -- Linux-audit mailing list [EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/linux-audit
