Double addition of rule yields two log messages

Linda Knippers linda.knippers at hp.com
Fri May 19 19:28:18 UTC 2006


Steve Grubb wrote:
> On Friday 19 May 2006 14:47, Linda Knippers wrote:
> 
>>But why does ausearch care?
> 
> Ausearch doesn't care about this particular setting. It's looking at the config 
> to find the log files. The parser is what cares and it is what emitted this 
> warning. 

But why is it even a warning if the freq value is only valid if flush
is set to incremental?

> As such, you can use ausearch to make sure your config is sane 
> before sending sighup to reconfigure the audit daemon.

Sounds like an odd use of ausearch.

>>Seems like if anything cared it would be the auditd but I can't find an
>>error or warning from it anywhere.
> 
> Should be in the syslog.

I see it after doing a HUP and when doing an /etc/init.d/auditd restart
but not when auditd starts at boot time.

-- ljk




