* "write_logs = no" not working
From: Ian Pilcher @ 2017-03-06 2:38 UTC
To: linux-audit
I have a Banana Pi-based firewall system, which runs off a micro-SD
card and sends all of its logs (including audit events) to a syslog
server.
I have set "write_logs = no" in /etc/audit/auditd.conf, but the local
log file is still being written. (Commenting out the log_file line
causes auditd to abort.)
What do I need to do to disable writing the local file?
(This is audit 2.6.5 on CentOS 7.)
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
* "write_logs = no" not working
From: Ian Pilcher @ 2017-03-06 3:22 UTC
To: linux-audit
(Apologies if this is a duplicate. gmane doesn't seem to be working.)
I have a Banana Pi-based firewall system, which runs off a micro-SD
card and sends all of its logs (including audit events) to a syslog
server.
I have set "write_logs = no" in /etc/audit/auditd.conf, but the local
log file is still being written. (Commenting out the log_file line
causes auditd to abort.)
What do I need to do to disable writing the local file?
(This is audit 2.6.5 on CentOS 7.)
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
* Re: "write_logs = no" not working
From: Stephen Buchanan @ 2017-03-06 4:22 UTC
To: Ian Pilcher, linux-audit
I will leave the real debugging to the experts, but a possible workaround
until then would be to set:
num_logs = 2
max_log_file = 1
max_log_file_action = rotate
This will use a max of 3MB for three 1MB local files, which will be
rotated. Not zero, but a very minimal amount of local storage used.
On Sun, Mar 5, 2017 at 10:24 PM Ian Pilcher <arequipeno@gmail.com> wrote:
> (Apologies if this is a duplicate. gmane doesn't seem to be working.)
>
> I have a Banana Pi-based firewall system, which runs off a micro-SD
> card and sends all of its logs (including audit events) to a syslog
> server.
>
> I have set "write_logs = no" in /etc/audit/auditd.conf, but the local
> log file is still being written. (Commenting out the log_file line
> causes auditd to abort.)
>
> What do I need to do to disable writing the local file?
>
> (This is audit 2.6.5 on CentOS 7.)
>
> --
> ========================================================================
> Ian Pilcher arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
* Re: "write_logs = no" not working
From: Ian Pilcher @ 2017-03-06 4:33 UTC
To: Stephen Buchanan, linux-audit
On 03/05/2017 10:22 PM, Stephen Buchanan wrote:
> I will leave the real debugging to the experts, but a possible
> workaround until then would be to set:
>
> num_logs = 2
> max_log_file = 1
> max_log_file_action = rotate
>
> This will use a max of 3MB for three 1MB local files, which will be
> rotated. Not zero, but a very minimal amount of local storage used.
Unfortunately, it's not the amount of storage that's the issue. I'm
really trying to minimize the number of writes to the microSD card.
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
* Re: "write_logs = no" not working
From: Steve Grubb @ 2017-03-06 13:34 UTC
To: Ian Pilcher; +Cc: linux-audit
On Sun, 5 Mar 2017 20:38:51 -0600
Ian Pilcher <arequipeno@gmail.com> wrote:
> I have a Banana Pi-based firewall system, which runs off a micro-SD
> card and sends all of its logs (including audit events) to a syslog
> server.
>
> I have set "write_logs = no" in /etc/audit/auditd.conf, but the local
> log file is still being written. (Commenting out the log_file line
> causes auditd to abort.)
>
> What do I need to do to disable writing the local file?
>
> (This is audit 2.6.5 on CentOS 7.)
There was a z-stream audit package shipped last week that fixes this. I
suspect it hasn't worked its way through Centos just yet. You can pick
up the srpm in koji if you're in a hurry.
-Steve
* Re: "write_logs = no" not working
From: Ian Pilcher @ 2017-03-06 20:57 UTC
To: linux-audit
On 03/06/2017 07:34 AM, Steve Grubb wrote:
> There was a z-stream audit package shipped last week that fixes this. I
> suspect it hasn't worked its way through Centos just yet. You can pick
> up the srpm in koji if you're in a hurry.
Building now (very slowly on a non-accelerated QEMU armv7 VM). It looks
like the update has made it to CentOS x86_64, but not ARM.
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
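
An added check, not part of the thread or of the audit project's own code: one way to confirm, after updating the package, that auditd really honors "write_logs = no" is to read the setting and log_file from auditd.conf and watch whether the file still changes. The function names and the 30-second default window are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect an auditd that keeps writing its local log
# even though auditd.conf says "write_logs = no".

# conf_get FILE KEY: print the last value of KEY ("key = value" lines,
# keys matched case-insensitively, "#" comment lines skipped).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# fingerprint FILE: "inode:size", or "absent" if the file does not exist.
# A change in either field means something wrote to or rotated the file.
fingerprint() {
    [ -e "$1" ] || { echo absent; return 0; }
    echo "$(ls -i "$1" | awk '{print $1}'):$(wc -c < "$1" | tr -d ' ')"
}

# check_write_logs CONF [SECONDS]: prints one of
#   enabled  - write_logs is not "no" (yes is assumed when the key is unset)
#   honored  - write_logs = no and log_file did not change in the window
#   ignored  - write_logs = no but log_file changed (the behaviour reported
#              in this thread)
check_write_logs() {
    conf=$1; wait_s=${2:-30}
    wl=$(conf_get "$conf" write_logs | tr 'A-Z' 'a-z')
    lf=$(conf_get "$conf" log_file)
    if [ "$wl" != "no" ]; then echo enabled; return 0; fi
    before=$(fingerprint "$lf")
    sleep "$wait_s"
    after=$(fingerprint "$lf")
    if [ "$before" = "$after" ]; then echo honored; else echo ignored; fi
}

# Typical use on the affected host (as root):
#   check_write_logs /etc/audit/auditd.conf 60
```

A "honored" result only means something if audit events were generated during the window; running `auditctl -m test` as root while the check is waiting produces one.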