RHEL7 audispd syslog journal question
Boyce, Kevin P [US] (AS)
Kevin.Boyce at ngc.com
Tue Jun 11 12:14:30 UTC 2019
Does anyone have any ideas how to prevent the journal from filling up with events that come from audispd?
There is a double penalty due to this and it really slows down my system with a lot of rules in place.
I have audispd syslog plugin enabled to send remotely as LOG_LOCAL5.
Auditd is also writing output to /var/log/audit/audit.log.
If you do journalctl -u auditd you also see copies of the syslog events. Is there any way to prevent this behavior?
I did find this Red Hat page, but it doesn't really sound like a good solution, having to modify SELinux policy.
https://bugzilla.redhat.com/show_bug.cgi?id=1419388
Thanks,
Kevin