This post explains how to stop auditd events from being duplicated into the system log (/var/log/messages) in addition to the audit log.
1. Check the file /etc/audisp/plugins.d/syslog.conf (on audit 3.x the plugin configuration lives under /etc/audit/plugins.d/ instead). By default the file contains the line below; note that the plugin only forwards events when the same file also has "active = yes".
args = LOG_INFO
With the plugin active, this sends every audit event to syslog at priority info, so rsyslog writes it to /var/log/messages. auditd itself still writes all events to /var/log/audit/audit.log, which is the file normally used to review audit events.
2. The copy in /var/log/messages is redundant: it needlessly grows the file and buries other kernel and system events among audit records. To avoid this, follow the steps below.
Change the "args" entry in /etc/audisp/plugins.d/syslog.conf as below:
From:
args = LOG_INFO
to:
args = LOG_LOCAL0
This moves the audit events from the default facility to local0, so rsyslog can filter them by facility. Newer audit releases take two arguments, priority first and facility second (args = LOG_INFO LOG_LOCAL0); the comment at the top of syslog.conf states which form your version accepts. Pick a local facility that nothing else on the host already logs to.
3. Then change the /var/log/messages rule in /etc/rsyslog.conf as below:
From:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
to:
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages
4. Then restart the auditd and rsyslog services.
# service auditd restart
# service rsyslog restart
On systemd hosts rsyslog can be restarted with "systemctl restart rsyslog", but auditd must still be restarted with the service command, because its unit refuses a manual stop.
After the restart, audit events are written only to /var/log/audit/audit.log. The plugin still hands them to rsyslog on facility local0; the local0.none term discards them from the /var/log/messages rule only, so any other rule that matches local0 (a catch-all "*.*" or a remote-forwarding rule, for example) will still receive them. Verify by generating a few audit events and checking that no new "audispd:" lines appear in /var/log/messages. If no syslog copy is wanted at all, setting "active = no" in syslog.conf disables the plugin entirely.
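The whole procedure as one script, added here as an example and not part of the original post: it applies both edits with a backup and without duplicating the change on a second run, then offers two checks (one on the rsyslog configuration, one on a messages file). The paths default to the ones used above and can be overridden through environment variables to try it on copies first; it assumes a GNU/Linux userland (awk, sed, grep -E) and uses "service" for auditd for the reason given above.

```shell
#!/bin/sh
# Added example (not code from the original post). Run as: sh audit-syslog-dedup.sh apply
# Paths default to the ones in the post; override with environment variables to test on copies.
AUDISP_CONF=${AUDISP_CONF:-/etc/audisp/plugins.d/syslog.conf}
RSYSLOG_CONF=${RSYSLOG_CONF:-/etc/rsyslog.conf}
FACILITY=${FACILITY:-local0}           # rsyslog facility the audit events are diverted to
PLUGIN_ARGS=${PLUGIN_ARGS:-LOG_LOCAL0} # value the post uses; newer audit releases take "LOG_INFO LOG_LOCAL0"

# Replace the plugin's "args = ..." line in $1 with "args = $2"; keeps a copy in $1.bak.
# Writes through a temp file and cat so the original file's owner and mode are preserved.
set_audisp_args() {
    file=$1 args=$2
    grep -q '^args[[:space:]]*=' "$file" || { echo "no args line in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed "s/^args[[:space:]]*=.*/args = $args/" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Append ";$2.none" to the selector of every uncommented rule in $1 that writes to
# /var/log/messages (with or without the leading "-"), unless it is already there.
# Only the selector is touched, so the whitespace before the path is preserved; keeps $1.bak.
exclude_facility_from_messages() {
    file=$1 fac=$2
    cp -p "$file" "$file.bak"
    awk -v fac="$fac" '
        $0 !~ /^[ \t]*#/ && $NF ~ /^-?\/var\/log\/messages$/ &&
        $1 !~ ("(^|;)" fac "\\.none(;|$)") { sub(/^[^ \t]+/, "&;" fac ".none") }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Exit 0 when every /var/log/messages rule in $1 discards facility $2, otherwise 1.
messages_excludes_facility() {
    awk -v fac="$2" '
        $0 !~ /^[ \t]*#/ && $NF ~ /^-?\/var\/log\/messages$/ &&
        $1 !~ ("(^|;)" fac "\\.none(;|$)") { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Count the lines in a messages-style log written by the audispd syslog plugin
# (syslog tag "audispd:" or "audispd[pid]:"). After the change and the restart this
# number must stop growing; if it keeps rising, another rsyslog rule still matches local0.
count_audispd_lines() {
    grep -cE '[[:space:]]audispd(\[[0-9]+\])?:' "$1" || true
}

# auditd is restarted through "service" on purpose: its systemd unit refuses a manual stop.
restart_services() {
    service auditd restart
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
}

case "${1:-}" in
    apply)
        set_audisp_args "$AUDISP_CONF" "$PLUGIN_ARGS"
        exclude_facility_from_messages "$RSYSLOG_CONF" "$FACILITY"
        messages_excludes_facility "$RSYSLOG_CONF" "$FACILITY" ||
            { echo "/var/log/messages rule still accepts $FACILITY" >&2; exit 1; }
        restart_services
        echo "audispd lines already in /var/log/messages: $(count_audispd_lines /var/log/messages)"
        ;;
esac
```

The awk filter skips commented rules and handles both "/var/log/messages" and "-/var/log/messages" targets, so it is safe to rerun; the second run leaves the selector unchanged because the facility is already excluded.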