I have three machines that I upgraded to Leap 15 and on one of them audit records are going to /var/log/messages but on the other two this is not happening. All three machines have virtually identical configurations and run syslog-ng.
Can anyone give me a clue as to why one is doing this and not the others? I would like to stop it on the one that is doing it as there is no point in having the audit records in syslog as well.
I’ve seen these threads. audit=1 is not set in grub and the other lines are not present. But then none of those lines are present on the two machines which are not exhibiting this problem.
I would still like to know why this is different on one machine but in the end I decided that I don’t really need auditing anyway so I’ve turned it off.
Possibly due to the default behaviour of syslog-ng on that machine – you mentioned that, on the other machines you didn’t need to explicitly set up the audit behaviour with respect to /var/log/messages – possibly due to a setup somewhere in /usr/lib/ rather than in /etc/ …
Computing is still extremely complex under the hood no matter how simplified it might appear to humans.
My suggestions are based on the idea that re-installation and re-setting what causes the re-direction of syslog data would fix your problem.