
Thread: Audit - audit.rules - exclude,always syntax

  1. #1

    Hello.
    I would like to write a rule to exclude these two kinds of log in /var/log/audit/audit.log:
    Code:
    type=SERVICE_START msg=audit(1409313085.765:9015): pid=1 uid=0 auid=4294967295 ses=4294967295  msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    Code:
    type=SERVICE_STOP msg=audit(1409313085.765:9016): pid=1 uid=0 auid=4294967295 ses=4294967295  msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    I have tried these:
    Code:
    -a exclude,always -F auid=4294967295
    Code:
    -a exclude,always -F msgtype=SERVICE_START -F auid=4294967295
    -a exclude,always -F msgtype=SERVICE_STOP -F auid=4294967295
    Code:
    -a exclude,always -S all -F uid=0 -F auid=4294967295
    Code:
    -a exit,never -S all -F uid=0 -F auid=4294967295
    Depending on the rules I tried, I got
    1) no success, because the logs continue to show the unwanted message
    or
    2)
    Code:
    Only msgtype field can be used with exclude filter
    There was an error in line 14 of /etc/audit/audit.rules
    Any help is welcome
    Thanks for helping. JCD
    __________

    server leap 15-- ASUS g75vw KDE leap 42.3 -- ASUS g750JZ KDE leap 42.3 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W
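
An added example, not part of the original thread or of the audit project: a small Python check that applies the restriction quoted in the error message above (only `msgtype` in the exclude filter) to the rule attempts from the post. The function names and the msgtype-only variant are assumptions made for illustration; that variant drops every record of the two types, not only those for mysqld@2.

```python
import re

# Constructed input: the rule attempts quoted in the post above.
ATTEMPTS = """\
-a exclude,always -F auid=4294967295
-a exclude,always -F msgtype=SERVICE_START -F auid=4294967295
-a exclude,always -F msgtype=SERVICE_STOP -F auid=4294967295
-a exclude,always -S all -F uid=0 -F auid=4294967295
-a exit,never -S all -F uid=0 -F auid=4294967295
"""
# Constructed (assumption): the second attempt reduced to msgtype only.
# It drops ALL SERVICE_START/SERVICE_STOP records, not just mysqld@2.
MSGTYPE_ONLY = """\
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
"""

def parse_rule(line):
    """Return (filter_list, [(field, op, value), ...]) for one -a rule."""
    m = re.search(r"-a\s+(\S+)", line)
    # auditctl accepts "list,action" in either order; keep the list name.
    parts = m.group(1).split(",") if m else []
    flt = next((p for p in parts if p not in ("always", "never")), None)
    return flt, re.findall(r"-F\s+(\w+)(!=|=)(\S+)", line)

def lint(line):
    """Findings for one rule; an empty list means nothing was flagged."""
    flt, fields = parse_rule(line)
    names = [f for f, _, _ in fields]
    findings = []
    if flt == "exclude":
        bad = [n for n in names if n != "msgtype"]
        if bad:
            findings.append("exclude filter takes only msgtype; remove " + ", ".join(bad))
        if "msgtype" not in names:
            findings.append("no msgtype field: rule names no record type")
    elif flt == "exit":
        findings.append("exit filter covers syscall records, not service messages")
    return findings

def excluded_types(rules_text):
    """Record types dropped by exclude rules that pass lint()."""
    dropped = set()
    for line in filter(None, map(str.strip, rules_text.splitlines())):
        flt, fields = parse_rule(line)
        if flt == "exclude" and not lint(line):
            dropped |= {v for f, op, v in fields if f == "msgtype" and op == "="}
    return dropped
```
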

