[systemd-devel] Quiesce audit message flood from 218

Martin Pitt martin.pitt at ubuntu.com
Sun Dec 28 03:45:47 PST 2014

Hello all,

systemd 218 now enables audit in the kernel unconditionally [1]. While
these messages might be nice to have in the journal, they literally
flood dmesg and thus /var/log/syslog and friends with messages like

[39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

$ dmesg |grep -c audit

and more importantly, eats a lot of real kernel/daemon messages due to
rate limiting: I have many dozen messages like

  [37444.978307] audit_printk_skb: 222 callbacks suppressed

and they demonstrably cause e. g. AppArmor violations to not get shown
due to this.

Is there a way to make the audit messages *only* go to the journal,
but not to dmesg and sysloggers? If not, could we perhaps add a
./configure or config file option for this, to disable audit on
systems where we don't need it?



[1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=4d9ced995
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20141228/e9a05260/attachment.sig>

More information about the systemd-devel mailing list