Kay Mccormick
2018-12-03 07:13:43 UTC
I am trying to log only to a remote machine so I have set:
write_logs = no
in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.
When I run it with 'auditd -f' to keep it in the foreground, it does not
write the file and i see :
write_logs_parser called with: no
in the output.
Looking at the source, I see:
if (opt_foreground) {
config.daemonize = D_FOREGROUND;
set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
}
It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.
I have included the output of auditd -f and also my auditd.conf.
write_logs = no
in my auditd.conf. Unfortunately, when I restart auditd it does not appear
to respect my configuration choice.
When I run it with 'auditd -f' to keep it in the foreground, it does not
write the file and i see :
write_logs_parser called with: no
in the output.
Looking at the source, I see:
if (opt_foreground) {
config.daemonize = D_FOREGROUND;
set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
}
It seems I cannot get messages logged with LOG_DEBUG without running in
foreground mode (in which case the bug does not appear to be triggered) or
recompiling auditd.
I have included the output of auditd -f and also my auditd.conf.