  1. #1
    Just Joined!
    Join Date
    Jul 2011
    Posts
    34

    Audit Daemon


    Hello,

    I found that my auditd was not logging any events into the logs. I noticed this in /var/log/messages

    Mar 13 14:05:08 node auditd[10146]: Audit daemon is attempting to resume logging.
    Mar 13 14:05:08 node auditd[10146]: Audit daemon rotating log files
    Mar 13 14:05:08 node auditd[10146]: Error rotating logs from /var/log/audit/audit.log to /var/log/audit/audit.log.1 (Operation not permitted)
    Mar 13 14:05:08 node auditd[10146]: Audit daemon is suspending logging due to previously mentioned write error

    Not sure if it's a permission error or what. Here is what I have found in /var/log/audit/

    node:#/var/log/audit> ls -l
    total 11032
    -rw------- 1 root root 5243519 Mar 13 14:05 audit.log
    -rw------- 1 root root 175118 Mar 10 04:02 audit.log.1.gz
    -rw------- 1 root root 174283 Mar 3 04:02 audit.log.2.gz
    -rw------- 1 root root 204486 Feb 24 04:02 audit.log.3.gz
    -rw------- 1 root root 5242922 Sep 15 20:14 audit.log.4
    -rw------- 1 root root 204405 Feb 17 04:02 audit.log.4.gz
    node:#/var/log/audit>

    node:#/var/log/audit> lsattr
    ------------- ./audit.log.1.gz
    ------------- ./audit.log.2.gz
    -----a------- ./audit.log
    ------------- ./audit.log.4
    ------------- ./audit.log.3.gz
    ------------- ./audit.log.4.gz

    Thanks for your help.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hi,

    Is /var out of space, by chance?

    Which user is running logrotate? A root cronjob is running it, I guess. Or possibly a system service.

    What about the permissions of the /var/log/audit/ directory?

    Can you simply touch a file in there? E.g.:
    Code:
    touch /var/log/audit/audit.log.1
    Is SELinux enabled?
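
An added example, not part of either post: the checks asked about in reply #2 collected into one shell function, plus a parser for an `lsattr` listing like the one in post #1. It relies on the standard Linux behaviour that a file carrying the append-only (`a`) or immutable (`i`) attribute cannot be renamed or unlinked (the call fails with EPERM, "Operation not permitted"); the function names and the `SAMPLE` variable are hypothetical.

```shell
#!/bin/sh
# Added example: find file attributes that stop a rename-based log rotation.

# Read `lsattr` output on stdin and print "<file> <reason>" for every file
# that carries the immutable (i) or append-only (a) attribute. Matching is
# case-sensitive, so unrelated flags such as A (no atime) are ignored.
rotation_blockers() {
    while read -r rb_attrs rb_file; do
        [ -n "$rb_file" ] || continue        # skip blank or malformed lines
        case "$rb_attrs" in
            *i*) printf '%s immutable\n' "$rb_file" ;;
            *a*) printf '%s append-only\n' "$rb_file" ;;
        esac
    done
}

# The checks from reply #2 against a live directory. Run as root, by hand:
#   check_audit_dir /var/log/audit
check_audit_dir() {
    cad_dir=${1:-/var/log/audit}
    df -h "$cad_dir"                          # is the filesystem out of space?
    ls -ld "$cad_dir"                         # owner and mode of the directory
    lsattr "$cad_dir" | rotation_blockers     # attribute flags on the log files
    if command -v getenforce >/dev/null 2>&1; then
        getenforce                            # SELinux mode, where installed
    fi
    return 0
}

# Constructed sample: three lines in the format of the lsattr listing in post #1.
SAMPLE='------------- ./audit.log.1.gz
-----a------- ./audit.log
------------- ./audit.log.4'

# Stand-alone run: parse the sample only; nothing on the host is touched.
printf '%s\n' "$SAMPLE" | rotation_blockers
```

On the sample this reports `./audit.log append-only`, the one file in the listing that a rename would be refused on.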
