How to suppress audit daemon rotating log messages?


Out of the box, auditd rotates after 6 MiB are written to /var/log/audit/audit.log.

Thus, when auditd issues its rotate log messages too often, it may be a sign that an unusual amount of audit log messages are produced.

Then it is likely that a SELinux policy is missing or needs to be extended (cf. audit2why/audit2allow). Another cause can be mis-labeled files (cf. restorecon).

Alternatively, the amount of audit logs may also be caused by normal activity, just because it is a busy system. In that case it may make sense to increase the rotate size limit in /etc/audit/auditd.conf.

Besides that, auditd logs those messages with syslog severity 'NOTICE', i.e. they do not turn up in journalctl output when matching only higher levels. But be aware that auditd also uses severity NOTICE for more serious messages (including some error conditions).


Author: maxschlepzig

My name is Georg Sauthoff. 'Max Schlepzig' is just a silly old pseudonym (I am hesitant to change it because existing @-replies will not be updated). I studied computer science. In my current line of work, I work on trading system software and thus care about low-latency

Updated on September 18, 2022
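
A way to check from the journal whether rotations are happening unusually often, as an added example that is not part of the original answer: it parses rotation messages in the format quoted on this page and, assuming every rotation was triggered by the size limit (the 6 MiB default mentioned above), estimates the audit volume between rotations. The sample lines, the function names and the 30-minute burst threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample journal lines (not from a real host), in the format quoted on this page.
SAMPLE = """\
Sep 24 00:11:42 example.org auditd[756]: Audit daemon rotating log files
Sep 24 00:26:23 example.org auditd[756]: Audit daemon rotating log files
Sep 24 00:27:01 example.org sshd[912]: Accepted publickey for admin
Sep 24 00:29:53 example.org auditd[756]: Audit daemon rotating log files
Sep 24 06:40:10 example.org auditd[756]: Audit daemon rotating log files
"""

ROTATE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ auditd\[\d+\]: Audit daemon rotating log files$")

def rotation_times(text, year=2022):
    """Timestamps of auditd rotation messages. Syslog lines carry no year, so one is assumed."""
    times = []
    for line in text.splitlines():
        m = ROTATE_RE.match(line.strip())
        if m:
            times.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return sorted(times)

def rotation_report(text, max_log_file_mib=6, burst=timedelta(minutes=30)):
    """Estimate audit volume per interval and flag intervals shorter than `burst`.

    Assumption: each rotation means max_log_file_mib were written since the previous one
    (size-triggered rotation). A manually requested rotation would break this estimate.
    """
    times = rotation_times(text)
    report = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        hours = max(gap.total_seconds(), 1) / 3600  # guard against two rotations in one second
        report.append({"at": cur, "gap": gap,
                       "mib_per_hour": round(max_log_file_mib / hours, 1),
                       "burst": gap < burst})
    return report

if __name__ == "__main__":
    for r in rotation_report(SAMPLE):
        flag = "BURST" if r["burst"] else "ok"
        print(f'{r["at"]:%b %d %H:%M:%S}  gap={r["gap"]}  ~{r["mib_per_hour"]} MiB/h  {flag}')
```

Intervals flagged as bursts are the ones worth correlating with the audit log contents (for example with audit2why) before deciding to raise the size limit.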

Comments

  • maxschlepzig
    maxschlepzig over 1 year

    On a CentOS 7 system messages like these are logged several times a day:

    Sep 24 00:11:42 example.org auditd[756]: Audit daemon rotating log files
    Sep 24 00:26:23 example.org auditd[756]: Audit daemon rotating log files
    

    (they show up e.g. when executing journalctl -fa)

    Well, I don't really see the point in those messages. I mean, exactly how is it important that auditd is reporting that it is (again and regularly) rotating its log files?

    Thus my question: how to disable those kinds of log messages?