JDBA
March 9, 2015, 11:52am
1
Esteemed listers,
Where is the location of SYSLOG file?
In /etc/auditd.conf script, the log_file location is '/var/log/audit/audit.log' as below. Is this the location where SYSLOG is stored?
Thank you in advance,
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /usr/sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
RudiC
March 9, 2015, 12:52pm
2
Have a look into /etc/*syslog.conf; name depending on the syslog version used. Here, or in the included files, the log files are identified, like
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
.
cjcox
March 9, 2015, 5:59pm
3
On newer SUSE and openSUSE systems, they use systemd. You can install rsyslog and get a /var/log/messages file (for example) and/or the ability to send logs to a remote syslogger, etc...
It's one of the bigger gripes against systemd. It uses its own binary database to house logs. So normally you run a command, journalctl, (if you don't have rsyslog installed) to see the logs.
JDBA
March 11, 2015, 3:09pm
4
In /etc/auditd.conf script
Does this option 'space_left_action = SYSLOG' send log messages to SYSLOG?
Does this option 'space_left_action = EMAIL' send log messages to SYSLOG and email accounts specified?
Thanks,
---------- Post updated at 03:09 PM ---------- Previous update was at 02:56 PM ----------
I think I got the answers for these 2 questions.
---------- Post updated 03-11-15 at 12:19 PM ---------- Previous update was 03-10-15 at 03:09 PM ----------
When I restarted auditd I get a message saying 'exit status of parent...' as below. I expected to see 'Starting auditd' only. Is this normal?
Thanks,
XXXXX:/# /etc/init.d/auditd restart
Shutting down auditd
Starting auditd startproc; exit status of parent of /sbin/auditd: 6
---------- Post updated at 03:09 PM ---------- Previous update was at 12:19 PM ----------
Found the answer.
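On the question in post 4 about what the `*_action` options do, here is an added example (not code from any poster in this thread) that parses the disk-space settings posted above and reports what auditd does at each threshold. The keyword effects are summarised from auditd.conf(5); the names `parse_conf`, `explain_actions` and `check` are hypothetical, and the sample text is constructed from the posted file.

```python
# Constructed sample: the disk-space settings from the auditd.conf posted above.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""

# Effect of the action keywords, summarised from auditd.conf(5).
EFFECT = {
    "ignore": "does nothing",
    "syslog": "writes a warning to syslog",
    "email": "mails a warning to action_mail_acct and also writes it to syslog",
    "rotate": "rotates the audit log files",
    "suspend": "stops writing audit records to disk",
    "single": "puts the system into single-user mode",
    "halt": "shuts the system down",
}

def parse_conf(text):
    """Return {key: value} from auditd.conf text; keys lowercased, comment lines skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def explain_actions(conf):
    """Map every *_action setting to what auditd does when it triggers."""
    return {k: EFFECT.get(v.lower(), "not covered by this example: " + v)
            for k, v in conf.items() if k.endswith("_action")}

def check(conf):
    """Return warnings about the low-disk-space settings."""
    warnings = []
    left, admin = conf.get("space_left", ""), conf.get("admin_space_left", "")
    if left.isdigit() and admin.isdigit() and int(left) <= int(admin):
        warnings.append("space_left must be larger than admin_space_left")
    uses_email = any(v.lower() == "email" for k, v in conf.items() if k.endswith("_action"))
    if uses_email and not conf.get("action_mail_acct"):
        warnings.append("an action is EMAIL but action_mail_acct is not set")
    return warnings
```

For the posted file, the audit records themselves stay in `log_file`; the first threshold only produces a syslog warning, and the next one suspends writing audit records, so that warning is the one to alert on.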