Having recently updated to FC4 and then to rawhide, I am now getting lots of messages on any console of the form:
audit(1120021201.349:0): user pid=xxxx uid=0 length=100 msg='PAM accounting: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
These also show up in /var/log/messages, and are thus picked up by logwatch.
How do I tell the system to stop wasting my time with notifications about normal operations?
On Thursday 30 June 2005 07:51, David D. Hagood wrote:
> These also show up in /var/log/messages, and are thus picked up by logwatch.
You can disable auditing, but you won't get complete SE Linux avc denial information. This is done with audit=0 boot param, or auditctl -e 0.
The alternative is to install the audit package which will pick up these messages and deposit them in /var/log/audit/audit.log. This keeps them out of /var/log/messages.
-Steve
Steve Grubb wrote:
> The alternative is to install the audit package which will pick up these messages and deposit them in /var/log/audit/audit.log. This keeps them out of /var/log/messages.
OK, will do - thanks.
This is one thing I would advise those working on logging systems, like Logwatch and audit, to keep in mind:
Logging everything is good, but needlessly bothering root about trivial stuff just buries the important messages in the noise.
On Thursday 30 June 2005 08:03, David D. Hagood wrote:
> Logging everything is good, but needlessly bothering root about trivial stuff just buries the important messages in the noise.
This is required for CAPP compliant auditing. We are logging only the minimum. There will probably be a default set of rules distributed with the audit package that can be installed by the admin to increase the amount of information collected.
Also, if you truly do not want to keep audit messages, you can minimize the disk space used by editing /etc/auditd.conf and setting max_log_file to 1 and num_logs = 2. This will occupy 2 MB of disk space.
-Steve
Steve Grubb wrote:
> On Thursday 30 June 2005 08:03, David D. Hagood wrote:
>> Logging everything is good, but needlessly bothering root about trivial stuff just buries the important messages in the noise.
> This is required for CAPP compliant auditing. We are logging only the minimum.
I'm complaining about the information being logged to a file - far from it: logging GOOD!
However, I would suggest that, by default, such messages NOT be sent to the console, and by default they be excluded from things like the Logwatch summary email.
Of course, changing Logwatch is more for an upstream issue, but.
On Thu, Jun 30, 2005 at 10:58:38AM -0500, David D. Hagood wrote:
> I'm complaining about the information being logged to a file - far from it: logging GOOD!
See comments to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161533
Michal
On Thursday 30 June 2005 07:51, David D. Hagood wrote:
> Having recently updated to FC4 and then to rawhide, I am now getting lots of messages on any console of the form:
Also, it's a kernel bug that these hit the console. A patch for this has been created in the audit test kernels. I don't know if the patch has been put into rawhide or FC4 kernels.
-Steve
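
One way to act on the point discussed in this thread (keep every audit record, but surface only the non-routine ones in a summary), added here as an example and not code from any poster, the audit package or Logwatch. The sample lines are constructed in the record format quoted in the first message; the syslog prefix, the sshd record and the rule that successful crond PAM records count as routine are assumptions.

```python
import re

# Record layout as quoted in the thread; a syslog prefix may precede it.
RECORD = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): user pid=(?P<pid>\S+) "
    r"uid=(?P<uid>\d+) length=\d+ msg='(?P<msg>.*)'\s*$"
)
# key=value pairs inside msg; values are quoted or run to whitespace, ',' or ')'.
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')

# Constructed sample input (not taken from a real system).
SAMPLE = """
Jun 30 07:50:01 host kernel: audit(1120021201.349:0): user pid=2301 uid=0 length=100 msg='PAM accounting: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
Jun 30 07:51:12 host kernel: audit(1120021272.101:0): user pid=2314 uid=0 length=104 msg='PAM authentication: user=alice exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=ssh result=Failed)'
Jun 30 07:52:00 host crond[2320]: (root) CMD (run-parts /etc/cron.hourly)
""".strip().splitlines()

def parse(line):
    """Return the audit record as a dict, or None if the line is not one."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    op, _, rest = rec.pop("msg").partition(":")
    rec["op"] = op.strip()
    for key, value in FIELD.findall(rest):
        rec[key] = value.strip('"')
    return rec

def is_routine(rec):
    # Assumption: a successful PAM record generated by crond is normal operation.
    return (rec["op"].startswith("PAM")
            and rec.get("exe") == "/usr/sbin/crond"
            and rec.get("result") == "Success")

def noteworthy(lines):
    """Audit records worth a human's attention; non-audit lines are ignored."""
    records = (parse(line) for line in lines)
    return [r for r in records if r is not None and not is_routine(r)]

if __name__ == "__main__":
    for rec in noteworthy(SAMPLE):
        print(rec["ts"], rec["op"], rec.get("user"), rec.get("exe"), rec.get("result"))
```
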