LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 03-13-2023, 08:23 AM   #1
ktpmm17
LQ Newbie
 
Registered: Mar 2021
Posts: 6

Rep: Reputation: Disabled
Debian 11 - audit logs in /var/log/auth.log


I'm on a Debian 11 server and my audit logs are going into /var/log/audit/audit.log as well as in /var/log/auth.log. Needless to say, they are filling up my auth.log.... Below are my configs:
/etc/rsyslog.conf
kern.debug /var/log/kern.log
daemon.* /var/log/daemon.log
*.info;cron,auth,authpriv.none /var/log/syslog
cron.* /var/log/cron.log
user.* /var/log/user.log
auth,authpriv.* /var/log/auth.log

/etc/audit/auditd.conf
log_file = /var/log/audit.log

I'm at a bit of a loss here as to what to do. How do I get my audit logs to send to /var/log/audit/audit.log only?

Last edited by ktpmm17; 03-13-2023 at 09:02 AM. Reason: updated last line
 
Old 03-23-2023, 12:57 PM   #2
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
Have you tried editing auditd.conf?
 
Old 03-23-2023, 01:19 PM   #3
ktpmm17
LQ Newbie
 
Registered: Mar 2021
Posts: 6

Original Poster
Rep: Reputation: Disabled
Yes, auditd.conf is set to log to /var/log/audit/audit.log
 
Old 03-23-2023, 01:41 PM   #4
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
Could you point the auth logs to the audit log?
 
Old 03-27-2023, 01:39 PM   #5
ktpmm17
LQ Newbie
 
Registered: Mar 2021
Posts: 6

Original Poster
Rep: Reputation: Disabled
We really don't want that. We are trying to get only auth logs in auth.log (which works) and audit logs in audit.log (currently they go into audit.log and auth.log).
 
Old 03-27-2023, 02:05 PM   #6
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
My guess is contacting Audit's devs and see if they have any suggestions. I'd be surprised if there is a configuration setting somewhere that isn't documented well.
 
Old 03-28-2023, 04:25 AM   #7
ktpmm17
LQ Newbie
 
Registered: Mar 2021
Posts: 6

Original Poster
Rep: Reputation: Disabled
Good idea. Any idea where/how I'd find them? Searched for auditd forums and on github with no luck.
 
Old 03-28-2023, 11:26 AM   #8
tmick
Member
 
Registered: Jun 2005
Location: North Dakota
Distribution: Debian Testing
Posts: 247

Rep: Reputation: 20
https://people.redhat.com/sgrubb/audit/ is what synaptic says for a homepage
 
Old 06-26-2023, 11:37 AM   #9
spiralarms
LQ Newbie
 
Registered: Jun 2023
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by ktpmm17
I'm on a Debian 11 server and my audit logs are going into /var/log/audit/audit.log as well as in /var/log/auth.log. Needless to say, they are filling up my auth.log....

I'm at a bit of a loss here as to what to do. How do I get my audit logs to send to /var/log/audit/audit.log only?
Did you ever get a solution to this? I seem to be in the same boat, but running Ubuntu 20.04.6. My config is similar to yours.

Thanks,

Neil
 
Old 07-04-2023, 03:12 AM   #10
spiralarms
LQ Newbie
 
Registered: Jun 2023
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by spiralarms
Did you ever get a solution to this? I seem to be in the same boat, but running Ubuntu 20.04.6. My config is similar to yours.
Replying to my own question. What seems to have worked for us is:

systemctl mask systemd-journald-audit.socket

Neil
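
The unit masked in the post above is the socket through which systemd-journald receives audit records. To confirm the change took effect, the share of audit records in auth.log can be measured before and after; the script below is an added example, not part of the thread. It assumes forwarded records carry the syslog tag "audit" or "audit[PID]" in the traditional timestamp format, and its sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: audit records that journald
# forwards to syslog carry the tag "audit" or "audit[PID]" and the file uses
# the traditional "Mon DD HH:MM:SS host tag: message" layout.

# count_audit_lines FILE -> prints "<audit_lines> <total_lines>"
count_audit_lines() {
    awk '
        { total++ }
        $5 ~ /^audit(\[[0-9]+\])?:$/ { audit++ }   # field 5 is the syslog tag
        END { printf "%d %d\n", audit, total }
    ' "$1"
}

# write_sample FILE -> writes constructed auth.log lines (not real log data)
write_sample() {
    cat > "$1" <<'EOF'
Mar 13 08:20:01 srv1 CRON[2211]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar 13 08:20:01 srv1 audit[2211]: USER_START pid=2211 uid=0 auid=0 ses=12 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" res=success'
Mar 13 08:20:01 srv1 audit[2211]: CRED_DISP pid=2211 uid=0 auid=0 ses=12 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" res=success'
Mar 13 08:21:44 srv1 sshd[2290]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Mar 13 08:21:44 srv1 audit: SYSCALL arch=c000003e syscall=257 success=yes exit=3 pid=2290 comm="sshd"
EOF
}

# socket_state -> prints the unit-file state, e.g. "enabled" or "masked"
socket_state() {
    systemctl is-enabled systemd-journald-audit.socket 2>/dev/null || true
}

# Demo on the constructed sample; prints "3 5".
sample=$(mktemp)
write_sample "$sample"
echo "audit/total lines in sample: $(count_audit_lines "$sample")"
rm -f "$sample"
# On a real host: count_audit_lines /var/log/auth.log; socket_state
```

Lines already written to auth.log stay there after the mask, so compare counts on entries logged after the change.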
 
  



Tags
auditd, logs, rsyslog


