Bug 1460459 - audit info logged twice
Product: Fedora
Classification: Fedora
Component: audit
Assigned To: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-06-10 18:00 EDT by Peter Backes
Modified: 2017-09-29 10:51 EDT (History)
Last Closed: 2017-09-29 10:51:06 EDT
Type: Bug
Description Peter Backes 2017-06-10 18:00:18 EDT
Description of problem:
By default, systemd logs audit info to the journal, see systemd-journald-audit.socket(8)

Now, when I install audit, it enables auditd.service by default. This runs auditd, which is configured by default in /etc/audit/auditd.conf to log audit info to /var/log/audit/audit.log.

Thus, effectively, audit info is logged twice.

auditd is required for audispd, which is required for setroubleshoot to work.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. install auditd

Actual results:
audit info logged to journal as well as /var/log/audit/audit.log

Expected results:
only one location logged to.
Comment 1 Peter Backes 2017-06-10 19:19:09 EDT
There is some discussion at bug 1227379, though it complains about /var/log messages, not journal vs. audit.log
Comment 2 Steve Grubb 2017-06-11 20:34:58 EDT
So, what is the problem? Auditd is designed to collect and handle audit information and journald has no business doing that. If the author of journald decided on behalf of everyone that they want to waste your disk space, isn't that where the bug belongs?
Comment 3 Peter Backes 2017-06-13 16:55:44 EDT
I'm just seeing that it is logged twice after audit is installed. Whether it should be only audit or only journald that is logging I cannot say. Feel free to assign the bug to systemd if you think that this will solve the problem.
Comment 4 Steve Grubb 2017-06-13 16:59:27 EDT
Hello. One thing that you can do to fix it on your machine is to edit /etc/audit/auditd.conf. Set write_logs = no. Then restart auditd using the service command. This will make the events available to setroubleshoot and without writing anything to disk.
Comment 5 Peter Backes 2017-06-15 18:11:42 EDT
poettering says on https://github.com/systemd/systemd/issues/959 "Audit can be potentially useful, and we should centralize it by default in the journal". So should perhaps write_logs = no be the default? Another option would be to execute systemctl mask --now systemd-journald-audit.socket; systemctl restart systemd-journald.service in postinstall and systemctl unmask systemd-journald-audit.socket; systemctl restart systemd-journald.service in preuninstall.
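Comments 4 and 5 describe two ways to stop the duplication: turn off auditd's own log file (write_logs = no in auditd.conf, then restart auditd) or mask systemd-journald-audit.socket so journald stops reading the audit netlink socket. The script below is an added example, not code from the bug report or from the audit or systemd projects. It classifies where audit records currently land from two inputs (the state of systemd-journald-audit.socket and the write_logs setting), edits write_logs in a copy of auditd.conf, and prints the two remedies when both sinks are active. The config path /etc/audit/auditd.conf, the `--check` flag and the function names are assumptions of this example; the socket state is passed in as a string so the decision logic runs without systemd.

```shell
#!/bin/sh
# Added example (not from the bug report). Decides whether audit records are
# written twice (journald audit socket + auditd log file) and applies the
# auditd-side fix from comment 4. Assumed: auditd.conf lives at the path below.

AUDITD_CONF=/etc/audit/auditd.conf

# Print the effective write_logs value from an auditd.conf.
# auditd treats a missing directive as "yes", so that is the fallback here.
auditd_write_logs() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*write_logs[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
    else
        printf 'yes\n'
    fi
}

# Set "write_logs = yes|no" in an auditd.conf, replacing the existing line or
# appending one. The caller restarts auditd afterwards (service auditd restart).
set_write_logs() {
    conf=$1; want=$2
    if grep -q '^[[:space:]]*write_logs[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*write_logs[[:space:]]*=.*$/write_logs = $want/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'write_logs = %s\n' "$want" >> "$conf"
    fi
}

# Classify the sinks from the journald audit socket state ("active"/"inactive",
# as printed by `systemctl is-active`) and the write_logs value.
# Prints one of: both, auditd, journal, none.
audit_sinks() {
    socket_state=$1; write_logs=$2
    j=0; a=0
    [ "$socket_state" = active ] && j=1
    [ "$write_logs" = yes ] && a=1
    case "$j$a" in
        11) echo both ;;
        01) echo auditd ;;
        10) echo journal ;;
        *)  echo none ;;
    esac
}

# Live check on a systemd host. Only this function touches the real system;
# everything above is pure and works on any file you hand it.
report() {
    state=$(systemctl is-active systemd-journald-audit.socket || true)
    wl=$(auditd_write_logs "$AUDITD_CONF")
    sinks=$(audit_sinks "$state" "$wl")
    printf 'journald audit socket: %s, auditd write_logs: %s -> sinks: %s\n' "$state" "$wl" "$sinks"
    if [ "$sinks" = both ]; then
        echo 'Audit records are written twice. Pick one fix:'
        echo '  a) set_write_logs /etc/audit/auditd.conf no && service auditd restart        (comment 4)'
        echo '  b) systemctl mask --now systemd-journald-audit.socket && systemctl restart systemd-journald.service   (comment 5)'
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = --check ]; then
    report
fi
```

Run it as root with `sh check-audit-sinks.sh --check` (any file name works). Two practitioner caveats: option (a) keeps auditd running so audispd plugins and setroubleshoot still receive events, but ausearch and aureport then have nothing to read, since they work on /var/log/audit/audit.log, not the journal, which is the point Steve Grubb makes in comments 6 and 7; and the thread says to restart auditd with the service command rather than systemctl because the Fedora auditd.service unit refuses manual stop/restart via systemctl. Option (b) leaves auditd and its tooling fully functional and only removes the journal copy.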
Comment 6 Steve Grubb 2017-09-27 22:32:14 EDT
Unless there is a good reason to keep this open, I will close it as not a bug. None of the audit tools work against the journal, so Lennart's suggestion is a non-starter.
Comment 7 Steve Grubb 2017-09-29 10:51:06 EDT
Thanks for reporting this issue. I don't think there is anything I can do here. Audit tooling does not work against the journal.