InfrastructureConstruction:RHEL8:LogManagement-auditd.conf

54. Log management: auditd.conf

How to configure auditd.conf

# Edit
vi /etc/audit/auditd.conf

# Apply (restarting via systemctl returns an error, so use service)
service auditd restart

auditd.conf settings in detail

Unless there is a special requirement, the defaults do not need to be changed.
https://qiita.com/Brutus/items/7ec3d06adf6af6ca24b7

Command to display audit.log in a readable form

# Prefix each record with its timestamp in local time (strftime requires GNU awk);
# the epoch seconds are taken from the "msg=audit(EPOCH.MS:SERIAL)" field rather than the first digits on the line
awk 'match($0,/msg=audit\([0-9]+/){print strftime("%c",substr($0,RSTART+10,RLENGTH-10)),$0}' /var/log/audit/audit.log

Default values

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
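As an added example (not part of the original page or of the audit package), the following Python script parses the key = value format of auditd.conf above, derives from the defaults how much audit data rotation keeps on disk and which *_action settings can leave the audit trail blank, and converts the msg=audit(EPOCH.MS:SERIAL) timestamp the awk one-liner above works on. The embedded config and log record are constructed samples.

```python
import re
from datetime import datetime, timezone
# Constructed sample: an abridged copy of the RHEL 8 default auditd.conf shown on this page.
SAMPLE_CONF = """\
# This file controls the configuration of the audit daemon
max_log_file = 8
num_logs = 5
##name = mydomain
max_log_file_action = ROTATE
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""
# Constructed audit.log record (timestamp 2021-01-01T00:00:00.123Z, serial 4567).
SAMPLE_LOG_LINE = "type=SYSCALL msg=audit(1609459200.123:4567): arch=c000003e syscall=257 success=yes"

def parse_auditd_conf(text):
    """Parse 'key = value' lines; lines starting with '#' (including '##'-disabled keys) are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def max_retained_mb(conf):
    """Upper bound on audit data kept on disk when rotating: num_logs files of at most
    max_log_file megabytes each (units per auditd.conf(5)); None if logs are not rotated."""
    if conf.get("max_log_file_action", "").upper() != "ROTATE":
        return None
    return int(conf["max_log_file"]) * int(conf["num_logs"])

def actions_that_stop_logging(conf):
    """Keys whose action stops auditd writing records (SUSPEND) or ignores the condition (IGNORE)."""
    keys = ("space_left_action", "admin_space_left_action", "disk_full_action", "disk_error_action")
    return [k for k in keys if conf.get(k, "").upper() in ("SUSPEND", "IGNORE")]

AUDIT_TS = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")  # epoch seconds . milliseconds : serial

def audit_timestamp(line):
    """Return (UTC datetime, serial) for one audit.log record, or None if it has no msg=audit(...)."""
    m = AUDIT_TS.search(line)
    if not m:
        return None
    secs, millis, serial = m.groups()
    ts = datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=int(millis) * 1000)
    return ts, int(serial)
```

With the page's defaults, rotation keeps at most 5 x 8 MB = 40 MB of audit records, and three of the four disk-condition actions are SUSPEND, so a full or failing disk silently stops the audit trail.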

InfrastructureConstruction/RHEL8/LogManagement-auditd.conf.txt · Last modified: 2021/01/01 by 127.0.0.1