Saturday 27 August 2016

Audit tip

There's a thing that runs on your Fedora server that's auditing everything that happens; this can be great for security. But because of the way it works, it not only logs to the audit file, it also logs to the system log. That's the file /var/log/messages that is so useful for working out what's gone wrong when you tried to start up the name server.

The problem is, by the time you look at /var/log/messages to diagnose your name server problem, it's full of audit messages, and the ones you want to see have got scrolled up.

So here's what you do.

Edit /etc/rsyslog.conf and add the following two lines above the existing rule that writes to /var/log/messages (rsyslog works through its rules from the top, and 'stop' throws the message away for every rule that comes after it):

if $msg contains 'audit' or $programname contains 'audit' then /var/log/myauditlog
if $msg contains 'audit' or $programname contains 'audit' then stop

Then restart the system log with

systemctl restart rsyslog
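Because the whole trick depends on those two lines sitting above the /var/log/messages rule, here is a small check you can run against the config file before restarting rsyslog. It is an added example, not part of the original post, and assumes only that the config uses the 'then stop' form shown above:

```shell
#!/bin/sh
# Added check (not from the original post): confirm that the audit 'stop'
# rule sits ABOVE the rule that feeds /var/log/messages in an rsyslog config.
# rsyslog evaluates rules top-down, so if the 'stop' line comes after the
# /var/log/messages rule, the audit noise still lands in the main log.
#
# Usage: check_audit_rule_order /etc/rsyslog.conf
# Prints a verdict and returns 0 when the order is right, 1 otherwise.
check_audit_rule_order() {
  awk '
    # first non-comment line that writes to /var/log/messages
    /^[^#]*\/var\/log\/messages/ && !m { m = NR }
    # first non-comment line that discards audit messages
    /^[^#]*audit.*then[[:space:]]+stop/ && !s { s = NR }
    END {
      if (!s) { print "audit stop rule not found"; exit 1 }
      if (!m) { print "no /var/log/messages rule found; nothing to order"; exit 0 }
      if (s < m) {
        print "ok: audit stop rule (line " s ") precedes /var/log/messages rule (line " m ")"
        exit 0
      }
      print "WRONG ORDER: /var/log/messages rule (line " m ") precedes audit stop rule (line " s ")"
      exit 1
    }' "$1"
}

# Run against the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
  check_audit_rule_order "$1"
fi
```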

Hey presto! All the audit logs still go to the myauditlog file, but they don't clutter up the main system log!
