[systemd-devel] audit support weirdness
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Tue Jul 5 02:01:33 UTC 2016
On Tue, Jul 05, 2016 at 01:15:30AM +0200, Michał Zegan wrote:
> Hello.
>
> There is a problem with current audit support in journald. It listens
> for audit events, but those same audit events go to dmesg, making a lot
> of garbage.

There were patches for the kernel to not log to dmesg when journald
is listening over netlink. I think they went in a while ago, so this
should be fixed if you're using a new enough kernel.

> Also, in case of an SELinux-enabled system, it generates a huge amount of
> audit output even if you do not want that, for example, PAM generates
> audit events for all PAM stacks being traversed during user login, and
> in addition this is doubled because dmesg.
> This is even more of a problem because you cannot for example tell
> journalctl to get all logs except audit and things like that, so it hits
> readability.

Yeah.

Zbyszek