How to change the path of the auditd log file /var/log/audit/audit.log

By admin

An important troubleshooting task is understanding which processes read and write which files. Linux provides a simple utility for this: auditd, a service (daemon) that starts during the boot process. Events are recorded to a log file under /var/log/audit. Since it runs in the background, you can check the current service status on a CentOS/RHEL 7 server with the following command:

# systemctl status auditd

The auditing service can be customized: the log file size, location, and associated attributes are managed in the following file, which you can open with your favorite text editor:

# vi /etc/audit/auditd.conf

Changing the default log file location for auditd

1. In the auditd configuration file /etc/audit/auditd.conf, change the option log_file = /var/log/audit/audit.log so that it points to the new path, e.g.:

# vi /etc/audit/auditd.conf
log_file = /auditd_logs/audit.log

2. If SELinux is enabled, define a default SELinux file context for the new path (equivalent to the context of /var/log/audit) and restore the security contexts accordingly:

# semanage fcontext -a -e /var/log/audit '/auditd_logs(/.*)?'
# restorecon -Rv /auditd_logs

3. Restart the auditd service for the changes to take effect.

# service auditd restart         # For CentOS 5,6
# systemctl restart auditd       # For CentOS 7
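The three steps above, collected into one script as an added example (not part of the original article). It rewrites the log_file directive in a copy-preserving way, labels the new directory like /var/log/audit when the SELinux tools are present, and restarts auditd. The target path /auditd_logs/audit.log and the APPLY_AUDITD_CHANGE environment variable are assumptions of this example; the config-editing functions can be exercised on any file without touching the live system.

```shell
#!/bin/sh
# Added example: relocate the auditd log file (not the article's own code).
# Assumptions: new log path /auditd_logs/audit.log; the live change only
# runs when APPLY_AUDITD_CHANGE=yes is set and the script runs as root.
set -eu

# Rewrite (or append) the log_file directive in the given auditd.conf.
# A timestamped backup is kept beside the file. The edited content is
# written back through the original inode so the file keeps its mode,
# owner and SELinux label (a plain mv would replace the inode).
set_auditd_log_file() {
    conf="$1"
    newpath="$2"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*log_file[[:space:]]*=' "$conf"; then
        # '|' as the sed delimiter keeps slashes in the path harmless.
        sed "s|^[[:space:]]*log_file[[:space:]]*=.*|log_file = $newpath|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'log_file = %s\n' "$newpath" >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Print the path currently configured by log_file (for verification).
get_auditd_log_file() {
    sed -n 's|^[[:space:]]*log_file[[:space:]]*=[[:space:]]*||p' "$1" | tail -n 1
}

# Step 2: create the directory with restrictive permissions and give it
# the same SELinux context as /var/log/audit. Skipped if the SELinux
# userspace tools are not installed.
relabel_audit_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        semanage fcontext -a -e /var/log/audit "$dir(/.*)?"
        restorecon -Rv "$dir"
    fi
}

# Step 3: restart auditd so the new path takes effect (systemd or SysV).
restart_auditd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart auditd
    else
        service auditd restart
    fi
}

# Usage: APPLY_AUDITD_CHANGE=yes sh relocate_audit_log.sh   (as root)
if [ "${APPLY_AUDITD_CHANGE:-no}" = "yes" ] && [ "$(id -u)" -eq 0 ]; then
    NEWLOG=/auditd_logs/audit.log   # assumed target path
    relabel_audit_dir "$(dirname "$NEWLOG")"
    set_auditd_log_file /etc/audit/auditd.conf "$NEWLOG"
    restart_auditd
    echo "auditd now logs to: $(get_auditd_log_file /etc/audit/auditd.conf)"
fi
```

After the restart, the configured path can be read back with get_auditd_log_file, and the sizes of the old and new files should show that only the new file is growing.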

Verify

Confirm that new audit records are being written to /auditd_logs/audit.log. From now on, when using the ausearch command, point it at the new file with the -if or --input-logs option:

# ausearch -if /auditd_logs/audit.log -m avc -i -ts recent

© 2021 · The Geek Diary