Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Thanks in advance for your time. I've been struggling with getting auditd to start for a couple of weeks now (I used to use Snare to audit my RHEL 6 system, now I want to switch over to using auditd and aureport). When I run
Code:
service auditd start
or
Code:
service auditd restart
it tells me it FAILED. I have already run
Code:
chmod 750 /var/log/audit
and
Code:
dnf reinstall audit
I have also tried
Code:
/sbin/auditd
and
Code:
/etc/initd.d/auditd start
I am logged in as admin, and have already run
Code:
su
/var/log/messages didn't have any errors that appeared to pertain to this issue.
Is there something I'm missing, or something else I could try? My audit.conf file appears to be in good shape, and /var/log/audit.log was created.
May we see the exact failure message you received, please?
Is there any help in /var/log/audit.log?
Is /var/log/audit a directory? What's in it? Why did you opt to not allow "others" to access it (755 instead of 750)?
Have you opened a ticket with RH support?
Thanks for your response.
The exact failure message is simply
Code:
[FAILED]
in red letters.
/var/log/audit/audit.log is blank
Yes, /var/log/audit is a directory and contains audit.log created in July, audit.log.3 created in 2014, and an empty directory called backup_logs. I simply used 750 based on a help article I saw. If you think 755 is better for troubleshooting this issue, I can try that.
I have not yet, I need to renew my support again.
Last edited by dj_thrive; 08-16-2018 at 10:56 AM.
Reason: Typo (Misspelling)
I don't know if 755 is better or not...kind of a "grasping at straws" thing. Most of the directories in /var/log on my CentOS 7.5 system are 700 - a couple are 755.
Who owns the audit.log?
What's printing the failure message? [May be in /etc/initd.d/auditd]
Try to start, then tail the most recently changed log in /var/log and/or /var/log/audit
Run "sudo /sbin/auditd -f" (see the man pages), to get auditd to run in the foreground...all messages will then come through on the terminal and you can look. With only "FAILED"...what do you think we'll be able to tell you?
Thank you, the command "sudo /sbin/auditd -f" told me a lot. It first notified me of an error in my auditd.conf file regarding the path to the audit.log file, which I've corrected. Now that command returns
Code:
config file /etc/audit/audit.conf opened for parsing
then has several lines indicating successful reading of my auditd.conf file, then a new error. My new error is
Code:
dispatch_parser called with: /sbin/audisp
unable to open /sbin/audsip (No such file or directory)
The audit daemon is exiting
I created the directory /sbin/audisp then ran "sudo /sbin/auditd -f" again, and it indicated that it expected /sbin/audsip to be a file, not a directory. So my new question is, what type of file or program is audisp, and how do I properly create or install it? Thanks for your time, and I am also contacting RedHat support as I've corrected my subscription issue.
You look in the Red Hat knowledgebase, and install the entire audit system. audsip is a program, and part of that system, which is installed when you perform the "yum install audit" command on a registered RHEL system.
Quote:
Thanks for your time, and I am also contacting RedHat support as I've corrected my subscription issue.
Since you've corrected it, you should then be able to call Red Hat support, and they can walk you through installing audisp.