How to suppress audit daemon rotating log messages?
Out of the box, auditd rotates after 6 MiB are written to /var/log/audit/audit.log.
Thus, when auditd issues its rotate log messages too often, it may be a sign that an unusual amount of audit log messages are produced.
Then it is likely that a SELinux policy is missing or needs to be extended (cf. audit2why/audit2allow). Another cause can be mis-labeled files (cf. restorecon).
Alternatively, the amount of audit logs may also be caused by normal activity, just because it is a busy system. In that case it may make sense to increase the rotate size limit (in /etc/audit/auditd.conf).
Besides that, auditd logs those messages with syslog severity 'NOTICE' - i.e. they do not turn up in journalctl output when matching only higher levels. But be aware that auditd also uses severity NOTICE for more serious messages (including some error conditions).
maxschlepzig
My name is Georg Sauthoff. 'Max Schlepzig' is just a silly old pseudonym (I am hesitant to change it because existing @-replies will not be updated). I studied computer science. In my current line of work, I work on trading system software and thus care about low-latency
Updated on September 18, 2022
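To judge whether the rotate messages point to unusual audit volume, as the answer above suggests, the gaps between them can be turned into an approximate write rate. This is an added example, not part of the original answer; the function names, the one-hour threshold and the sample lines are assumptions made for illustration, and the 6 MiB figure is the out-of-the-box rotate size the answer states.

```python
import re
from datetime import datetime, timedelta

# Matches the default journalctl/syslog line format shown in the question.
ROTATE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ auditd\[\d+\]: "
    r"Audit daemon rotating log files\s*$"
)

def rotation_times(lines, year):
    """Timestamps of auditd rotate messages (syslog lines carry no year)."""
    times = []
    for line in lines:
        m = ROTATE_RE.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return sorted(times)

def write_rates(times, rotate_mib=6):
    """Approximate KiB/s written to audit.log between consecutive rotations.

    rotate_mib is the rotate size limit (max_log_file in auditd.conf).
    """
    return [rotate_mib * 1024 / (b - a).total_seconds()
            for a, b in zip(times, times[1:]) if b > a]

def busy_intervals(times, min_gap=timedelta(hours=1)):
    """Rotation pairs closer together than min_gap (assumed threshold)."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a < min_gap]

# Constructed sample input in the format of the question's log excerpt.
SAMPLE = [
    "Sep 24 00:11:42 example.org auditd[756]: Audit daemon rotating log files",
    "Sep 24 00:20:01 example.org CROND[1234]: (root) CMD (constructed sample)",
    "Sep 24 00:26:23 example.org auditd[756]: Audit daemon rotating log files",
    "Sep 24 03:00:00 example.org auditd[756]: Audit daemon rotating log files",
]

if __name__ == "__main__":
    times = rotation_times(SAMPLE, year=2022)
    for (a, b), rate in zip(zip(times, times[1:]), write_rates(times)):
        flag = "BUSY" if (a, b) in busy_intervals(times) else "ok"
        print(f"{a:%H:%M:%S} -> {b:%H:%M:%S}  ~{rate:.1f} KiB/s  {flag}")
```

Intervals flagged as busy are the time windows worth checking in the audit log itself for denials or mis-labeled files before deciding to raise the rotate size limit.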
maxschlepzig over 1 year
On a CentOS 7 system messages like these are logged several times a day:
Sep 24 00:11:42 example.org auditd[756]: Audit daemon rotating log files
Sep 24 00:26:23 example.org auditd[756]: Audit daemon rotating log files
(they show up e.g. when executing journalctl -fa)
Well, I don't really see the point in those messages. I mean, how exactly is it important that auditd is reporting that it is (again and regularly) rotating its log files?
Thus my question: how to disable those kinds of log messages?