If you're on a system using rsyslog, you can also leverage imfile and send it directly to a remote logserver.
rsyslog event queuing also handles interruptions in remote logging more gracefully than audispd syslog.

On 06/04/2018 06:11 PM, Steve Grubb wrote:
> On Monday, June 4, 2018 9:02:04 AM EDT Boyce, Kevin P [US] (AS) wrote:
>> All,
>>
>> After enabling the syslog plugin for audispd and sending logs to a remote
>> server I am seeing every event being written to /var/log/messages locally
>> which is filling up /var.
>>
>> This is all redundant since local audit logs are kept in /var/log/audit.
>> Is there a way to prevent auditd syslog plugin from writing to
>> /var/log/messages?
> That is pretty much what the plugin does. It writes all events to syslog,
> which, based on rules in /etc/rsyslog.conf, decides what to do with the text.
> Typically it is to write everything to /var/log/messages.
>
> However, you can assign a specific facility to the audit events in the /etc/
> audisp/plugins.d/syslog.conf file and then in rsyslog.conf exclude the
> facility by putting <facility>.none on the /var/log/messages line.
>
> -Steve
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
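The following is an added worked example, not configuration taken from either message above or from the audit or rsyslog projects. It shows the two approaches the thread describes side by side: tagging audispd's syslog output with a dedicated facility and excluding that facility from /var/log/messages, and the imfile alternative that tails audit.log with a disk-assisted forwarding queue. It assumes a hypothetical collector at logserver.example.com:514 over TCP, that facility local6 is otherwise unused on the host, and a RHEL-style default rsyslog.conf; adjust all three to match the system.

```conf
# Added example (not from the list posts above). Assumes: facility local6 is
# unused on this host, and a collector at logserver.example.com:514 (TCP).
# Use Option A *or* Option B, not both, or every event is forwarded twice.

# --- Option A: keep the audispd syslog plugin, stamp its events with local6 ---
# /etc/audisp/plugins.d/syslog.conf
# (audit 3.x moved the plugin directory to /etc/audit/plugins.d/)
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string

# /etc/rsyslog.conf
# Before: the stock catch-all line also receives every audit event, so
# /var/log/messages duplicates /var/log/audit/audit.log and fills /var.
#   *.info;mail.none;authpriv.none;cron.none                /var/log/messages
# After: drop local6 from the local file and forward it to the collector.
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages
local6.*                                                @@logserver.example.com:514

# --- Option B: no audispd plugin at all; rsyslog tails audit.log itself ---
# /etc/rsyslog.d/audit.conf
module(load="imfile")
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit:"
      Facility="local6"
      Severity="info"
      ruleset="audit_forward")     # bound to its own ruleset, so these lines
                                   # never reach the main ruleset and never
                                   # touch /var/log/messages
ruleset(name="audit_forward") {
    # Disk-assisted queue: events buffer to disk while the collector is
    # unreachable and are replayed on reconnect, which is the "handles
    # interruptions more gracefully" behaviour mentioned above.
    action(type="omfwd"
           Target="logserver.example.com" Port="514" Protocol="tcp"
           queue.type="LinkedList"
           queue.filename="audit_fwd"
           queue.size="10000"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Two things worth checking after applying either option: run `rsyslogd -N1` to validate the configuration before restarting, and confirm that nothing else on the host already logs to local6, since the `.none` exclusion and the forwarding rule act on the whole facility. With Option A, the plugin change only takes effect after auditd (and therefore audispd) is restarted.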
