LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.
Old 08-10-2018, 10:35 AM   #1
dj_thrive
LQ Newbie
 
Registered: Dec 2016
Location: Huntsville, AL
Distribution: RedHat 6
Posts: 27

Rep: Reputation: Disabled
Auditing-Can't start auditd


Thanks in advance for your time. I've been struggling with getting auditd to start for a couple of weeks now (I used to use Snare to audit my RHEL 6 system, now I want to switch over to using auditd and aureport). When I run
Code:
service auditd start
or
Code:
service auditd restart
it tells me it FAILED. I have already run
Code:
chmod 750 /var/log/audit
and
Code:
dnf reinstall audit
. I have also tried
Code:
/sbin/auditd
and
Code:
/etc/init.d/auditd start
I am logged in as admin, and have already run
Code:
su
/var/log/messages didn't have any errors that appeared to pertain to this issue.

Is there something I'm missing, or something else I could try? My audit.conf file appears to be in good shape, and /var/log/audit.log was created.

Thanks again for any assistance you can provide.
 
Old 08-10-2018, 11:50 AM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
May we see the exact failure message you received, please?
Is there any help in /var/log/audit.log?
Is /var/log/audit a directory? What's in it? Why did you opt to not allow "others" to access it (755 instead of 750)?

Have you opened a ticket with RH support?
 
Old 08-10-2018, 12:23 PM   #3
dj_thrive
LQ Newbie
 
Registered: Dec 2016
Location: Huntsville, AL
Distribution: RedHat 6
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
May we see the exact failure message you received, please?
Is there any help in /var/log/audit.log?
Is /var/log/audit a directory? What's in it? Why did you opt to not allow "others" to access it (755 instead of 750)?

Have you opened a ticket with RH support?
Thanks for your response.

The exact failure message is simply
Code:
[FAILED]
in red letters.

/var/log/audit/audit.log is blank

Yes, /var/log/audit is a directory and contains audit.log created in July, audit.log.3 created in 2014, and an empty directory called backup_logs. I simply used 750 based on a help article I saw. If you think 755 is better for troubleshooting this issue, I can try that.

I have not yet, I need to renew my support again.

Last edited by dj_thrive; 08-16-2018 at 10:56 AM. Reason: Typo (Misspelling)
 
Old 08-10-2018, 12:35 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
I don't know if 755 is better or not...kind of a "grasping at straws" thing. Most of the directories in /var/log on my CentOS 7.5 system are 700 - a couple are 755.

Who owns the audit.log?
What's printing the failure message? [May be in /etc/init.d/auditd]
Try to start, then tail the most recently changed log in /var/log and/or /var/log/audit

...renew your subscription
 
Old 08-10-2018, 01:01 PM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by dj_thrive
Thanks for your response.

The exact failure message is simply
Code:
[FAILED]
in red letters.

/var/log/audit/audit.log is blank

Yes, /var/log/audit is a directory and contains audit.log created in July, audit.log.3 created in 2014, and an empty directory called backup_logs. I simply used 750 based on a help article I saw. If you think 755 is better for troubleshooting this issue, I can try that.
Run "sudo /sbin/auditd -f" (see the man pages), to get auditd to run in the foreground...all messages will then come through on the terminal and you can look. With only "FAILED"...what do you think we'll be able to tell you?
Quote:
I have not yet, I need to renew my support again.
Yes.
 
Old 08-16-2018, 10:55 AM   #6
dj_thrive
LQ Newbie
 
Registered: Dec 2016
Location: Huntsville, AL
Distribution: RedHat 6
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Run "sudo /sbin/auditd -f" (see the man pages), to get auditd to run in the foreground...all messages will then come through on the terminal and you can look. With only "FAILED"...what do you think we'll be able to tell you?
Thank you, the command "sudo /sbin/auditd -f" told me a lot. It first notified me of an error in my auditd.conf file regarding the path to the audit.log file, which I've corrected. Now that command returns
Code:
config file /etc/audit/audit.conf opened for parsing
then has several lines indicating successful reading of my auditd.conf file, then a new error. My new error is
Code:
dispatch_parser called with: /sbin/audisp
unable to open /sbin/audsip (No such file or directory)
The audit daemon is exiting
I created the directory /sbin/audisp then ran "sudo /sbin/auditd -f" again, and it indicated that it expected /sbin/audsip to be a file, not a directory. So my new question is, what type of file or program is audisp, and how do I properly create or install it? Thanks for your time, and I am also contacting RedHat support as I've corrected my subscription issue.
 
Old 08-16-2018, 11:49 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by dj_thrive
Thank you, the command "sudo /sbin/auditd -f" told me a lot. It first notified me of an error in my auditd.conf file regarding the path to the audit.log file, which I've corrected. Now that command returns
Code:
config file /etc/audit/audit.conf opened for parsing
then has several lines indicating successful reading of my auditd.conf file, then a new error. My new error is
Code:
dispatch_parser called with: /sbin/audisp
unable to open /sbin/audsip (No such file or directory)
The audit daemon is exiting
I created the directory /sbin/audisp then ran "sudo /sbin/auditd -f" again, and it indicated that it expected /sbin/audsip to be a file, not a directory. So my new question is, what type of file or program is audisp, and how do I properly create or install it?
You look in the Red Hat knowledgebase, and install the entire audit system. audsip is a program, and part of that system, which is installed when you perform the "yum install audit" command on a registered RHEL system.
Quote:
Thanks for your time, and I am also contacting RedHat support as I've corrected my subscription issue.
Since you've corrected it, you should then be able to call Red Hat support, and they can walk you through installing audisp.
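As an added example (not code from this thread, from Red Hat, or from the audit project), the POSIX shell script below does up front the two checks that the foreground run in post #5 surfaced one failure at a time: it reads `log_file` and `dispatcher` from an auditd.conf-style file and reports a missing log directory, a dispatcher path that does not exist, or a dispatcher path that names a directory instead of an executable file (the mistake described in post #6). The function names `conf_value`, `check_auditd_conf`, `make_sample_conf` and `fix_sample_layout` are mine, and the broken layout `make_sample_conf` builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an auditd.conf-style file.
# Constructed for this thread; not part of the audit package.

# conf_value FILE KEY: print the last "KEY = value" assignment in FILE,
# ignoring comment lines and trailing whitespace.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_auditd_conf FILE: validate the log_file and dispatcher settings.
# Prints one line per finding and returns 0 only when nothing is wrong.
check_auditd_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    log_file=$(conf_value "$conf" log_file)
    dispatcher=$(conf_value "$conf" dispatcher)

    if [ -z "$log_file" ]; then
        echo "WARN: log_file is not set in $conf"
    else
        log_dir=$(dirname "$log_file")
        if [ ! -d "$log_dir" ]; then
            echo "ERROR: log directory $log_dir does not exist"; rc=1
        elif [ -e "$log_file" ] && [ ! -w "$log_file" ]; then
            echo "ERROR: $log_file exists but is not writable"; rc=1
        fi
    fi

    if [ -n "$dispatcher" ]; then
        if [ -d "$dispatcher" ]; then
            echo "ERROR: dispatcher $dispatcher is a directory; expected an executable file"; rc=1
        elif [ ! -f "$dispatcher" ]; then
            echo "ERROR: dispatcher $dispatcher does not exist (No such file or directory)"; rc=1
        elif [ ! -x "$dispatcher" ]; then
            echo "ERROR: dispatcher $dispatcher is not executable"; rc=1
        fi
    fi
    return "$rc"
}

# make_sample_conf: build a constructed, deliberately broken layout under a
# temporary directory: the dispatcher path is a directory and the log
# directory is missing. Prints the temporary directory's path.
make_sample_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin/audisp"
    cat > "$d/auditd.conf" <<EOF
# constructed sample; only the keys this check looks at
log_file = $d/var/log/audit/audit.log
dispatcher = $d/sbin/audisp
EOF
    echo "$d"
}

# fix_sample_layout DIR: repair the constructed layout: a real executable
# at the dispatcher path and an existing log directory.
fix_sample_layout() {
    rmdir "$1/sbin/audisp"
    printf '#!/bin/sh\nexit 0\n' > "$1/sbin/audisp"
    chmod 755 "$1/sbin/audisp"
    mkdir -p "$1/var/log/audit"
}

# Run "sh this_script.sh --demo" to see the findings for the broken layout,
# then the clean result after the layout is repaired.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_conf)
    check_auditd_conf "$d/auditd.conf"
    fix_sample_layout "$d"
    check_auditd_conf "$d/auditd.conf" && echo "OK: configuration passes"
    rm -rf "$d"
fi
```

On a real RHEL 6 host the file to check is /etc/audit/auditd.conf, where the audit package's default is `dispatcher = /sbin/audispd` (a file installed by the audit package, not something to create by hand); a dispatcher value that names a directory or a file that is not there produces exactly the "unable to open ... The audit daemon is exiting" output quoted in post #6, and the directory behind `log_file` must exist before auditd will start.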