On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> I notice that if the auditd service is not running,
> I see all my audit logs go out on the console,
> When I start auditd service they go to the appropriate log file.
> Is there a way to turn this off in the kernel?
>

Hi Ameel,

If audit is enabled, but auditd isn't running, the audit records will be delivered to userspace via printk (KERN_NOTICE <5>). So perhaps you'll just need to edit /etc/sysconfig and route kern.5 accordingly?

If you do not wish to generate (nor receive) audit records while auditd is stopped, disable audit like so,

    auditctl -e 0

-tim

> Below is my auditd.conf file:
>
> log_file = /var/log/audit/audit.log
> log_format = RAW
> priority_boost = 3
> flush = INCREMENTAL
> freq = 20
> num_logs = 10
> max_log_file = 50
> max_log_file_action = ROTATE
> space_left = 750
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 250
> admin_space_left_action = SYSLOG
> disk_full_action = SYSLOG
> dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd
>
> Ameel Kamboh
> SIP Core Network and Security
> Phone: 972.685.4922 (esn 445-4922)
> Mobile: 978-590-2280
> SIP: [EMAIL PROTECTED]
> email: [EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
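
Added example, not part of the original thread: a small check that finds audit records which reached the kernel log through printk, the situation described in the reply when auditd is stopped. It assumes raw kernel log lines of the form `<PRI>message` with records shaped like `type=N audit(EPOCH.MS:SERIAL):`; the function names and the sample lines are constructed for illustration.

```python
import re

# Raw kernel log line: "<PRI>message", where PRI = facility * 8 + severity.
RAW_LINE = re.compile(r"^<(?P<pri>\d+)>(?P<msg>.*)$")
# Audit record as printed by the kernel: "type=N audit(EPOCH.MS:SERIAL):"
AUDIT_REC = re.compile(r"type=(?P<type>\d+) audit\(\d+\.\d+:(?P<serial>\d+)\):")

KERN_FACILITY = 0  # "kern" in syslog terms
KERN_NOTICE = 5    # severity named in the reply (kern.5)


def find_printk_audit(lines):
    """Return (severity, record_type, serial) for each audit record in kernel log lines."""
    hits = []
    for line in lines:
        m = RAW_LINE.match(line.strip())
        if not m:
            continue  # no priority prefix, not a raw kernel log line
        facility, severity = divmod(int(m.group("pri")), 8)
        if facility != KERN_FACILITY:
            continue
        rec = AUDIT_REC.search(m.group("msg"))
        if rec:
            hits.append((severity, int(rec.group("type")), int(rec.group("serial"))))
    return hits


def audit_leaking_to_kernel_log(lines):
    """True if any audit record arrived at KERN_NOTICE, i.e. via printk rather than auditd."""
    return any(sev == KERN_NOTICE for sev, _, _ in find_printk_audit(lines))


# Constructed sample input, not captured from a real system.
SAMPLE = [
    '<6>eth0: link up, 1000Mbps, full-duplex',
    '<5>type=1300 audit(1186165560.123:45): arch=40000003 syscall=5 success=yes exit=3 comm="cat"',
    '<5>type=1307 audit(1186165560.123:45):  cwd="/root"',
    '<4>hypothetical driver warning',
]

if __name__ == "__main__":
    for sev, rtype, serial in find_printk_audit(SAMPLE):
        print(f"severity={sev} type={rtype} serial={serial}")
    print("audit records in kernel log:", audit_leaking_to_kernel_log(SAMPLE))
```

A positive result means audit is enabled while no daemon is consuming the records, so either auditd needs restarting or audit was meant to be disabled with `auditctl -e 0`.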
