Hey Ryan,

If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages line, it prevents audisp from logging there even though audisp to syslog is turned on.

Our end state is pretty simple, in theory. We want to have 1 copy of audit events on the system for auditing and send a remote copy elsewhere.

On Tue, Oct 4, 2016 at 11:04 AM, Ryan Sawhill <[email protected]> wrote:

> On Tue, Oct 4, 2016 at 10:58 AM, leam hall <[email protected]> wrote:
>
>> Sort of a followup question. I'm surprised adding "audit.none" to the
>> "/var/log/messages" line of rsyslog.conf (RHEL 6) works. I didn't think
>> audit was a full "facility" in whatever rsyslog looks at. Am I more
>> confused than normal?
>>
>
> It's not. If you look at your main log you should see a message from
> rsyslogd saying something like "unknown facility 'audit'".
>

--
Mind on a Mission <http://leamhall.blogspot.com/>
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
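The point in Ryan's reply, that "audit" is not a syslog facility, can be checked against a config before rsyslogd ever loads it. The following is an added example, not code from the thread or from the rsyslog or audit projects: a small lint for legacy `facility.priority` selectors. The function name, the `KNOWN` set (the standard syslog facility keywords) and the sample config are assumptions constructed for illustration.

```python
import re

# Facility keywords of classic syslog selectors; local0..local7 are added below.
KNOWN = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
         "mark", "news", "security", "syslog", "user", "uucp"}
KNOWN |= {f"local{n}" for n in range(8)}

# One ';'-separated selector part: facility list, '.', optional '=' / '!', priority.
PART = re.compile(r"^([A-Za-z0-9*,]+)\.[=!]*[A-Za-z0-9*]+$")


def unknown_facilities(conf_text):
    """Return [(line_number, facility)] for selector facilities outside KNOWN."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, $directives, property filters (:) and & chains.
        if len(fields) < 2 or fields[0][0] in "#$:&":
            continue
        matches = [PART.match(part) for part in fields[0].split(";")]
        if not all(matches):
            continue  # first field is not a facility.priority selector
        for match in matches:
            for facility in match.group(1).split(","):
                if facility != "*" and facility.lower() not in KNOWN:
                    findings.append((lineno, facility))
    return findings


# Constructed sample modelled on the /var/log/messages line discussed in the thread.
SAMPLE = """\
# constructed sample rsyslog.conf fragment
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none;audit.none    /var/log/messages
authpriv.*                                             /var/log/secure
mail.*                                                 -/var/log/maillog
"""

if __name__ == "__main__":
    for lineno, facility in unknown_facilities(SAMPLE):
        print(f"line {lineno}: '{facility}' is not a syslog facility keyword")
```

A selector flagged this way is worth cross-checking against the rsyslogd startup messages in the main log, as the reply suggests.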
