Does anyone have any ideas how to prevent the journal from filling up with events that come from audispd?
There is a double penalty due to this and it really slows down my system with a lot of rules in place.

I have the audispd syslog plugin enabled to send remotely as LOG_LOCAL5. Auditd is also writing output to /var/log/audit/audit.log. If you do journalctl -u auditd you also see copies of the syslog events. Is there any way to prevent this behavior?

I did find this Red Hat page but it doesn't really sound like a good solution, having to modify SELinux policy.
https://bugzilla.redhat.com/show_bug.cgi?id=1419388

Thanks,
Kevin
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
