On Tue, Oct 4, 2016 at 11:51 AM, Ryan Sawhill <[email protected]> wrote:
> On Tue, Oct 4, 2016 at 11:29 AM, leam hall <[email protected]> wrote:
>
>> If I put "audit.none" in /etc/rsyslog.conf for the /var/log/messages
>> line, it prevents audisp from logging there even though audisp to syslog is
>> turned on.
>
> I find that hard to believe, since "audit" is not a facility name and
> that's what rsyslog is expecting and the message I wrote IS what rsyslog
> prints when you give an invalid facility name, but okay.

I found it odd as well, but it does seem to work.

> All that said, if you really want to send audit records to a central host,
> I hope you've at least considered using auditd's own native functionality.

Wasn't aware of it. Pointer to a doc?

Thanks!

Leam

--
Mind on a Mission <http://leamhall.blogspot.com/>

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
