[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: wierd audit problems on one RHEL ES4 box

Steve Grubb wrote:
On Thursday 12 April 2007 10:08, Bill Tangren wrote:
Any ideas what is wrong?

If auditd process is not running, you may need to delete anything with auditd in its name in the /var/run directory.


After reboot, there is now nothing in /var/run with audit, or even au in the name. The service is stopped, and I cannot start it. Starting just fails.

I noticed that auditd stopped writing to /var/log/audit/audit.log a few hours before the log was rotated. Rotation failed. Auditing has since been putting its output in /var/log/messages, even though auditd is not running, though "ps aux" shows

 root      2242  0.0  0.0     0    0 ?        S<   Apr12   0:00 [kauditd]

I think the problem is that auditd cannot write to the log, but I don't know why. The permissions on the log seems to be the same as on other systems I run. The directory permission was 700, where it is 750 on other systems, but changing it to 750 didn't help.

Any other ideas?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]