Bug 1460459
| Summary: | audit info logged twice | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter Backes <rtc> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 25 | CC: | sgrubb |
| Hardware: | Unspecified | OS: | Unspecified |
| Last Closed: | 2017-09-29 14:51:06 UTC | Type: | Bug |

Description
Peter Backes
2017-06-10 22:00:18 UTC
There is some discussion at bug 1227379, though it complains about /var/log messages, not journal vs. audit.log.

So, what is the problem? Auditd is designed to collect and handle audit information and journald has no business doing that. If the author of journald decided on behalf of everyone that they want to waste your disk space, isn't that where the bug belongs?

I'm just seeing that it is logged twice after audit is installed. Whether it should be only audit or only journald that is logging I cannot say. Feel free to assign the bug to systemd if you think that this will solve the problem.

Hello. One thing that you can do to fix it on your machine is to edit /etc/audit/auditd.conf. Set write_logs = no. Then restart auditd using the service command. This will make the events available to setroubleshoot and without writing anything to disk.

poettering says on https://github.com/systemd/systemd/issues/959 "Audit can be potentially useful, and we should centralize it by default in the journal" So should perhaps write_logs = no be the default? Another option would be to execute systemctl mask --now systemd-journald-audit.socket; systemctl restart systemd-journald.service in postinstall and systemctl unmask systemd-journald-audit.socket; systemctl restart systemd-journald.service in preuninstall.

Unless there is a good reason to keep this open, I will close it as not a bug. None of the audit tools work against the journal, so Lennart's suggestion is a non-starter.

Thanks for reporting this issue. I don't think there is anything I can do here. Audit tooling does not work against the journal.
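
A check for the double-logging condition discussed in this report, as an added example that is not part of the bug thread or of the audit or systemd projects' code. It reads `write_logs` from an auditd.conf-style file and combines it with the state of `systemd-journald-audit.socket`; the function names are hypothetical, and it assumes that a missing `write_logs` line means auditd writes its log and that any socket state other than masked means journald is collecting.

```shell
#!/bin/sh
# Added example: report which services persist audit records.
# Function names are hypothetical; nothing here comes from the audit package.

# Print the effective write_logs value from an auditd.conf-style file.
# Keywords are compared case-insensitively; the last assignment wins.
# Assumption: no write_logs line means auditd writes its log ("yes").
write_logs_setting() {
    awk -F= '
        /^[ \t]*#/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "write_logs") {
                val = tolower($2); gsub(/[ \t\r]/, "", val)
                found = val
            }
        }
        END { print (found == "" ? "yes" : found) }
    ' "$1"
}

# $1 = path to auditd.conf
# $2 = output of `systemctl is-enabled systemd-journald-audit.socket`
# Assumption: only a masked socket stops journald from collecting audit events.
audit_sinks() {
    if [ "$(write_logs_setting "$1")" = "no" ]; then disk=no; else disk=yes; fi
    case "$2" in
        masked|masked-runtime) journal=no ;;
        *) journal=yes ;;
    esac
    case "$disk:$journal" in
        yes:yes) echo "auditd+journald" ;;   # the duplication reported here
        yes:no)  echo "auditd-only" ;;
        no:yes)  echo "journald-only" ;;
        *)       echo "none" ;;              # audit records are stored nowhere
    esac
}

# Live check on a real host: sh this-script --live
if [ "${1:-}" = "--live" ]; then
    state=$(systemctl is-enabled systemd-journald-audit.socket 2>/dev/null || true)
    audit_sinks /etc/audit/auditd.conf "$state"
fi
```

A result of `journald-only` means the audit tools have no log file to read, which is the limitation raised in the closing comments.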