Unable to start auditd
Solution 1
It appears the kernel I am using 2.6.32-042stab056.8 SMP
which comes packaged with OpenVZ does not support auditd.
Solution 2
Error setting audit daemon pid (Connection refused)
Looks like it is unable to write the pid file (usually in /var/run). Make sure that the daemon has permissions to write to that directory to write the pid file.
Related videos on Youtube
George Reith
Updated on September 18, 2022Comments
-
George Reith almost 2 years
I am on CentOS 5.8 final
I recently installed
auditd
viayum install audit
however I am unable to start it.I edited the configuration file to give a verbose output of the error it is recieving in starting up and this is the output:
# service auditd start Starting auditd: Config file /etc/audit/auditd.conf opened for parsing log_file_parser called with: /var/log/audit/audit.log log_format_parser called with: RAW log_group_parser called with: root priority_boost_parser called with: 4 flush_parser called with: INCREMENTAL freq_parser called with: 20 num_logs_parser called with: 4 qos_parser called with: lossy dispatch_parser called with: /sbin/audispd name_format_parser called with: NONE max_log_size_parser called with: 5 max_log_size_action_parser called with: ROTATE space_left_parser called with: 75 space_action_parser called with: SYSLOG action_mail_acct_parser called with: root admin_space_left_parser called with: 50 admin_space_left_action_parser called with: SUSPEND disk_full_action_parser called with: SUSPEND disk_error_action_parser called with: SUSPEND tcp_listen_queue_parser called with: 5 tcp_max_per_addr_parser called with: 1 tcp_client_max_idle_parser called with: 0 enable_krb5_parser called with: no GSSAPI support is not enabled, ignoring value at line 30 krb5_principal_parser called with: auditd GSSAPI support is not enabled, ignoring value at line 31 Started dispatcher: /sbin/audispd pid: 3097 type=DAEMON_START msg=audit(1339336882.187:9205): auditd start, ver=1.8 format=raw kernel=2.6.32-042stab056.8 auid=4294967295 pid=3095 res=success config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1339336882.189:9206): auditd error halt, auid=4294967295 pid=3095 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting audit daemon pid (Connection refused) [FAILED]
The only information I can find online is that this may be due to SELinux, however SELinux is giving me problems of it's own. No matter what I do it appears to be disabled (I want to enable it). The configuration is set to
enforced
and the server has been rebooted many a time howeversestatus
still returnsSELinux status: disabled
.Can anyone shine some light on this problem?
EDIT: I don't know if it is related but I noticed the following message appearing in my
/var/log/messages
Jun 10 16:25:22 s1 iscsid: iSCSI logger with pid=2056 started! Jun 10 16:25:22 s1 iscsid: Missing or Invalid version from /sys/module/scsi_transport_iscsi/version. Make sure a up to date scsi_transport_iscsi module is loaded and a up todate version of iscsid is running. Exiting...
I try to start the iSCSI daemon myself (I have not a clue what it does; I am a linux newbie) and I get the following error:
Starting iSCSI daemon: FATAL: Could not load /lib/modules/2.6.32-042stab056.8/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.32-042stab056.8/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.32-042stab056.8/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.32-042stab056.8/modules.dep: No such file or directory FATAL: Could not load /lib/modules/2.6.32-042stab056.8/modules.dep: No such file or directory [FAILED]
If I go to
/lib/modules/
I notice the directory exists but is completely empty. -
George Reith about 12 yearsThanks, there is no auditd folder in
/var/run
and I am wary of editing the permissions of the/var/run
folder as google assures me they are set for a good reason. Shouldn't it be running asroot
?