PLEASE HELP!! auditctl giving Invalid argument in redhat
 

hello
im running rhel 4 version 2.6.9-11.ELsmp
trying to audit files. just installed and ran auditctl.
when running this basic command:
auditctl -w /home/TestFile.doc -k test-file -p rwxa

i get the error:
Error sending watch insert request (Invalid argument)

i got the info above from:
http://www.cyberciti.biz/tips/linux-...to-a-file.html

they said the basic default /etc/audit.rules will work.

please can you help. im sure its something straight forward
thank you in advance
:)

When you start the audit daemon, the /etc/audit.rules file is read to specify what to audit. Try this, edit the /etc/audit.rules file and add:
Also, the kernel version you're running may be an issue as well. Some of the older kernels have issues with auditd. Since you're paying for RHEL support, you can get a kernel patch/update from the RedHat Network. Their support should be able to help you out.

TB0ne, thanks
i think its the kernel as i did the suggested and it still gave same issue?
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events
# Make this bigger for busy systems
-b 256

# Feel free to add below this line. See auditctl man page
-w /etc -p wa -k CFG_etc


Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Error sending watch insert request (Invalid argument)
There was an error in line 14 of /etc/audit.rules


ive seen this on quite few forums. but as im no expert it might not be the kernel version...any idea?

Yep...gave you the ideas in my first post. Try the options, or update your kernel. The kernel is the most likely source of your error.

That bug is normally seen due to a kernel bug, in earlier kernels (like yours). As I said, RHEL has support/patches/updates for your kernel, that you can get via the RedHat Network (since you're paying for RHEL).

thanks for your help, im off to update my kernel...