How to prevent audit logs appearing in /var/log/messages – RHEL7

Overview

For RHEL7.

This took more work than I anticipated.

My goal was this:

  1. Write audit logs to /var/log/audit
  2. Forward audit and syslog to central logging server
  3. Audit logs to NOT appear in /var/log/messages

Items 1 and 2 were easy; number 3, not so much.

audisp, rsyslogd and journald

After using rsyslog to send logs on to a central log collector, I noticed that all the audit logs were still going to "/var/log/messages" as well as "/var/log/audit", which is not ideal. The only solution that worked, out of the many I tested, is detailed below: the audit logs still go to /var/log/audit (on a separate LV, of course), /var/log/messages doesn't fill up with audit logs, and all the logs get forwarded to the central log collector. The configs below seem to work in general, but you may have to tweak them for your application, specifically the rate and burst limiting for journald.

Files of interest are:

  • /etc/audisp/plugins.d/syslog.conf – the plugin that forwards audit logs to syslog.
  • /etc/systemd/journald.conf – journald daemon config; change the default rate-limiting values, otherwise messages may be dropped.
  • /etc/rsyslog.conf – configure forwarding and exclude local0 from /var/log/messages.
  • /etc/auditd/rules.d/audit.rules – I needed to exclude "/var/lib/rsyslog" to stop a logging loop; you may not have to do this.

Configure the syslog plugin, /etc/audisp/plugins.d/syslog.conf, to look like the below:

active = yes
direction = out
path = builtin_syslog
type = builtin 
#args = LOG_INFO
args = LOG_LOCAL0
format = string

Modify rsyslog.conf; the key change was adding local0.none to the /var/log/messages selector:

*.info;mail.none;authpriv.none;cron.none;local0.none      /var/log/messages

# Forward logs using TCP to central log collector

 *.* @@xxx.xxx.xxx.xxx:10514
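To check that the edited selector does what you expect, here is a small evaluator for classic rsyslog/syslog.conf selectors (an added example, not code from the post): it applies the sysklogd rules, where a later part replaces the selection for the facilities it names, and confirms that the stock RHEL7 line catches local0.info while the edited one does not. It assumes, as the plugin config above intends, that audisp records arrive as facility local0 at priority info; property-based and RainerScript filters are out of scope.

```python
# Added example, not from the post: a small evaluator for classic
# rsyslog/syslog.conf selectors, used to check that "local0.none" really keeps
# audit records out of /var/log/messages. Assumes (as the plugin config above
# intends) that audisp records arrive as facility local0 at priority info.

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def _prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def _prio_set(spec):
    """Severity indices picked by one priority spec: none, *, =x, or x."""
    if spec == "none":
        return set()
    if spec == "*":
        return set(range(len(PRIORITIES)))
    if spec.startswith("="):
        return {_prio_index(spec[1:])}
    return set(range(_prio_index(spec) + 1))  # x and everything more severe

def selector_matches(selector, facility, priority):
    """True if a (facility, priority) message is caught. Each ';'-part
    'fac[,fac].prio' replaces the selection for the facilities it names (so
    'local0.none' after '*.info' wins); '!prio' subtracts from it instead."""
    mask = {}  # facility -> set of selected severity indices
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, prio = part.rsplit(".", 1)
        names = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        for fac in names:
            if prio.startswith("!"):
                mask[fac] = mask.get(fac, set()) - _prio_set(prio[1:])
            else:
                mask[fac] = _prio_set(prio)
    return _prio_index(priority) in mask.get(facility, set())

# Selector from the stock RHEL7 /var/log/messages rule, and the post's edited one.
STOCK_MESSAGES = "*.info;mail.none;authpriv.none;cron.none"
FIXED_MESSAGES = "*.info;mail.none;authpriv.none;cron.none;local0.none"

def audit_reaches_messages(selector):
    """Would an audisp record (local0.info) land in /var/log/messages?"""
    return selector_matches(selector, "local0", "info")
```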

And now journald.conf. The defaults are "RateLimitInterval=30s" and "RateLimitBurst=1000"; I had to change these as I was seeing dropped journal messages, reported by journalctl as "journal: Suppressed 10361 messages from". I also had to exclude "/var/lib/rsyslog" in audit.rules as it was creating thousands of messages, i.e. a logging loop. It is possible for rsyslog to drop messages as well; they show up as "imjournal: begin to drop messages due to rate-limiting". To rate-limit rsyslog you make changes to the rsyslog.conf file.

 RateLimitInterval=15s
 RateLimitBurst=3000

If you need to rate-limit rsyslog you can add the following; however, I've not tested this.

Old-style syslog format:

# File to store the position in the journal
$IMJournalStateFile imjournal.state
$imjournalRatelimitInterval 300
$imjournalRatelimitBurst 30000

Or, if you want the new style, all on one line:

module(load="imjournal" StateFile="/var/lib/rsyslog/imjournal.state" ratelimit.interval="300" ratelimit.burst="30000")

Testing rate-limiting

Tail your log file:

tail -f /var/log/messages

From a second shell, follow the journal:

journalctl -f

From a third shell, generate some traffic:

seq 1 3000 | logger

About hedscratchers

A UK ex-pat now living in the USA.